[Bug 1938144] Re: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange
Athos Ribeiro
1938144 at bugs.launchpad.net
Thu Jul 29 01:20:53 UTC 2021
Hello Niklas,
Thank you for taking the time to file a bug report.
While the symptoms experienced here seem similar to the ones reported in
https://bugzilla.redhat.com/show_bug.cgi?id=1162620, the patch that
fixed the latter is present in the version of the package for which you
reported the issue.
Therefore, would you mind providing additional information, such as configuration files? More importantly, we would be interested in a reproducer for the issue.
Can you reproduce it without using ansible?
Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as "Incomplete". We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to "New".
For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/communit
** Bug watch added: Red Hat Bugzilla #1162620
https://bugzilla.redhat.com/show_bug.cgi?id=1162620
** Changed in: openssh (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1938144
Title:
monitor_read: unpermitted request 48 on server while attempting GSSAPI
key exchange
Status in openssh package in Ubuntu:
Incomplete
Bug description:
I'm using openssh 1:8.2p1-4ubuntu0.2 on Ubuntu 20.04.2 LTS (client and
server) with the option "GSSAPIKeyExchange=yes", and this causes the
connection to fail. The server has GSSAPI (Kerberos authentication)
enabled, but is is only used for non-root users (root uses SSH keys).
Client command:
ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex
root at server -v -p 2222 -o GSSAPIKeyExchange=yes
Client log:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to compute-test [130.75.80.46] port 2222.
debug1: Connection established.
debug1: identity file /home/rother/.ssh/id_rsa type 0
debug1: identity file /home/rother/.ssh/id_rsa-cert type -1
debug1: identity file /home/rother/.ssh/id_dsa type -1
debug1: identity file /home/rother/.ssh/id_dsa-cert type -1
debug1: identity file /home/rother/.ssh/id_ecdsa type -1
debug1: identity file /home/rother/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/rother/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/rother/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/rother/.ssh/id_ed25519 type -1
debug1: identity file /home/rother/.ssh/id_ed25519-cert type -1
debug1: identity file /home/rother/.ssh/id_ed25519_sk type -1
debug1: identity file /home/rother/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/rother/.ssh/id_xmss type -1
debug1: identity file /home/rother/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to server:2222 as 'root'
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: Doing group exchange
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Rekey has happened - updating saved versions
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/rother/.ssh/id_rsa RSA SHA256:n/EY/cGjgd/r+7JpuqODxIotHHLsYptGXYx9GlKCWSM agent
debug1: Will attempt key: /home/rother/.ssh/root_id_rsa RSA SHA256:yCLAID9FMILharHmDpCB8wW8eiA+iHa4oQKLODbbzKw agent
debug1: Will attempt key: /home/user/.ssh/id_dsa
debug1: Will attempt key: /home/user/.ssh/id_ecdsa
debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/user/.ssh/id_ed25519
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/user/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519 at openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256 at openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
Connection closed by 1.2.3.4 port 2222
Server log:
debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1f 31 Mar 2020
debug1: private host key #0: ssh-rsa SHA256:REDACTED
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:REDACTED
debug1: private host key #2: ssh-ed25519 SHA256:REDACTED
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2222'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1f 31 Mar 2020
debug1: private host key #0: ssh-rsa SHA256:REDACTED
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:REDACTED
debug1: private host key #2: ssh-ed25519 SHA256:REDACTED
debug1: inetd sockets after dupping: 3, 3
Connection from 1.2.3.5 port 53724 on 1.2.3.4 port 2222 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: permanently_set_uid: 111/65534 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none [preauth]
debug1: Doing group exchange [preauth]
debug1: Wait SSH2_MSG_GSSAPI_INIT [preauth]
debug1: Received some client credentials
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user root service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "1.2.3.5"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for root from 1.2.3.5 port 53724 ssh2 [preauth]
debug1: Received some client credentials
Failed gssapi-with-mic for root from 1.2.3.5 port 53724 ssh2
debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: userauth-request for user root service ssh-connection method gssapi-keyex [preauth]
debug1: attempt 3 failures 1 [preauth]
monitor_read: unpermitted request 48
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 5525
debug1: audit_event: unhandled event 12
The important line might be "monitor_read: unpermitted request 48"
When disabling GSSAPIKeyExchange=yes, everything works as expected.
This bug was discovered using Ansible, which uses "-o
PreferredAuthentications=gssapi-with-mic,gssapi-
keyex,hostbased,publickey" for it's ssh connections.
A similar bugs was reported in RHEL 7:
https://bugzilla.redhat.com/show_bug.cgi?id=1162620
Please let me know if you need any further information!
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1938144/+subscriptions
More information about the foundations-bugs
mailing list