Bug 1112649

Summary: openssh 7.8p1 (network repo) - authentication failure pubkey (audit.patch to blame?)
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Axel Köllhofer <AxelKoellhofer>
Component: Security
Assignee: Vítězslav Čížek <vcizek>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: bart.vanassche+novell, crrodriguez, dead_mozay, dream.doomwalker, egdfree, ilya, meissner, stschoettl, werwolf131313
Version: Current
Target Milestone: Current
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Axel Köllhofer 2018-10-21 16:20:43 UTC
After installing openssh 7.8p1 from the network repo, logging in via ssh fails when using pubkeys.

(I did not check if logging in with a password is also affected.)

Running 

sshd -Ddd

shows this error message:

mm_answer_keyverify: buffer error: incomplete message

A quick search for "mm_answer_keyverify" inside the patches applied to the package shows "openssh-7.7p1-audit.patch" to contain changes to that function.

As the patch states 

"Extended auditing through the Linux Auditing subsystem
RH patch from git://pkgs.fedoraproject.org/openssh.git"

it was based on the respective patch from Red Hat, so I took a look at the respective patch from RH/Fedora and found the following discrepancy:

openSUSE:

@@ -1375,6 +1393,7 @@ mm_answer_keyverify(int sock, struct ssh
        char *sigalg;
        size_t signaturelen, datalen, bloblen;
        int r, ret, valid_data = 0, encoded_ret;
+       int type = 0;
 
        if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
            (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
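
Review bot: `int type = 0;` is added at the top of mm_answer_keyverify, but the parse chain right below it still begins with `sshbuf_get_string(m, &blob, &bloblen)`, so nothing in this hunk ever reads a value into `type`. If the sending side writes a type field ahead of the blob, this reader is one field out of step and will trip over a later length prefix. Either read the field first with `sshbuf_get_u32(m, &type)` or drop the unused variable.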

Fedora 28:

@@ -1396,8 +1413,10 @@ mm_answer_keyverify(int sock, struct ssh
 	char *sigalg;
 	size_t signaturelen, datalen, bloblen;
 	int r, ret, valid_data = 0, encoded_ret;
+	int type = 0;
 
-	if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
+	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
+	    (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
 	    (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
 	    (r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
 	    (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
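
Review bot: `type` is declared as `int` but its address is passed to `sshbuf_get_u32(m, &type)`, which stores through a `u_int32_t *`; declare it as `u_int32_t type = 0;` so the pointer types match and the compiler does not warn about signedness. No check on the value of `type` is visible in this hunk, so a range check after the parse chain, before the value is used, would be worth adding.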

After adding this extra change


-	if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
+	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
+	    (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
 	    (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
 	    (r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
 	    (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
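
Review bot: this fragment uses `&type` without declaring it and carries no `@@` header, so it only works when merged into the existing mm_answer_keyverify hunk of the audit patch, which supplies `int type = 0;`; fold it in there and update that hunk's line counts rather than shipping it as a separate change. The `int` versus `u_int32_t *` mismatch in `sshbuf_get_u32(m, &type)` applies here as well.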

to monitor.c in the audit.patch, openssh works as expected.

Greetings,

AK
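
The failure mode described in the report above, as an added example that is not part of the original report and is not OpenSSH code: a reader that skips a leading u32 which the writer sends loses framing and ends with an "incomplete message" style error. The helper names, the field values and the assumption that the writer sends a type field first are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an sshbuf-style message: big-endian u32 fields and
 * u32-length-prefixed strings. Hypothetical helpers, not the OpenSSH API. */
struct msg { uint8_t d[128]; size_t len, off; };
enum { OK = 0, ERR_INCOMPLETE = -1 };

static void put_u32(struct msg *m, uint32_t v) {
    for (int s = 24; s >= 0; s -= 8) m->d[m->len++] = (uint8_t)(v >> s);
}
static void put_string(struct msg *m, const char *s, uint32_t n) {
    put_u32(m, n); memcpy(m->d + m->len, s, n); m->len += n;
}
static int get_u32(struct msg *m, uint32_t *v) {
    const uint8_t *p = m->d + m->off;
    if (m->len - m->off < 4) return ERR_INCOMPLETE;
    *v = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    m->off += 4; return OK;
}
static int get_string(struct msg *m, uint32_t *n) {
    if (get_u32(m, n) != OK || m->len - m->off < *n) return ERR_INCOMPLETE;
    m->off += *n; return OK;    /* skip the payload; only framing matters here */
}

/* Writer: assumed to send a key type first, then blob, signature, data. */
static void build_request(struct msg *m) {
    memset(m, 0, sizeof(*m));
    put_u32(m, 2);                      /* constructed key-type value */
    put_string(m, "BLOB-BYTES", 10);    /* constructed sample fields */
    put_string(m, "SIGNATURE", 9);
    put_string(m, "DATA", 4);
}

/* Reader: with_type=0 mirrors a parser that lacks the leading u32 read. */
static int parse_request(struct msg *m, int with_type) {
    uint32_t type, n;
    m->off = 0;
    if (with_type && get_u32(m, &type) != OK) return ERR_INCOMPLETE;
    for (int i = 0; i < 3; i++)         /* blob, signature, data */
        if (get_string(m, &n) != OK) return ERR_INCOMPLETE;
    return m->off == m->len ? OK : ERR_INCOMPLETE;  /* leftover bytes = desync */
}

int main(void) {
    struct msg m; build_request(&m);
    printf("matching reader: %d\nreader without type: %d\n", parse_request(&m, 1), parse_request(&m, 0));
    return 0;
}
```
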
Comment 1 Cristian Rodríguez 2018-10-31 00:36:32 UTC
Duplicated, thanks.

*** This bug has been marked as a duplicate of bug 1114008 ***