Bug
Resolution: Unresolved
Normal
rhel-7.3, rhel-7.9.z
Major
sst_security_crypto
ssg_security
x86_64
Description of problem:
ssh with hostbased auth fails after changing the group ID (with newgrp, etc.), although hostbased auth is normally accepted, and ssh reports "setresgid XXXX: Operation not permitted".
Version-Release number of selected component (if applicable):
openssh-clients-7.4p1-11.el7.x86_64
How reproducible:
Run ssh with both HostBasedAuthentication and EnableSSHKeysign enabled, after changing the group ID to one of the supplementary groups.
Steps to Reproduce:
1. run "newgrp" with one of the supplementary groups as its argument
2. under the newgrp'ed session, run ssh with hostbased auth enabled
Actual results:
Expected results:
Additional info:
Comparing output:
– normal –
user1$ getent passwd user1
user1:x:1001:1001::/home/user1:/bin/bash
user1$ id
uid=1001(user1) gid=1001(group1) groups=1001(group1),1002(group2)
user1$ ssh -v -o HostbasedAuthentication=yes -o PubkeyAuthentication=no host1 hostname
...
debug1: userauth_hostbased: trying hostkey ...
debug1: permanently_drop_suid: 1001
debug1: Authentication succeeded (hostbased).
...
host1
Transferred: ...
Bytes per second: ...
debug1: Exit status 0
– chgrp'ed –
user1$ getent passwd user1
user1:x:1001:1001::/home/user1:/bin/bash
user1$ newgrp group2
user1$ id
uid=1001(user1) gid=1002(group2) groups=1002(group2),1001(group1)
user1$ ssh -v -o HostbasedAuthentication=yes -o PubkeyAuthentication=no host1 hostname
...
debug1: userauth_hostbased: trying hostkey ...
debug1: permanently_drop_suid: 1001
setresgid 1001: Operation not permitted
ssh_keysign: no reply
sign using hostkey ... failed
Permission denied (publickey,hostbased).
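
An added diagnostic (not part of the original report and not OpenSSH code) that checks the Linux setresgid(2) permission rule against a process's "Gid:" line from /proc/<pid>/status. It assumes the failing call runs without CAP_SETGID, which the report does not state; the function names are hypothetical, and the group IDs in the comments are the ones from the report.

```c
/* Added example: when does setresgid(pw_gid) fail with EPERM? */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the "Gid:" line of /proc/<pid>/status: real, effective, saved, fs. */
int parse_gid_line(const char *line, unsigned *r, unsigned *e, unsigned *s)
{
    unsigned fs;
    return sscanf(line, "Gid: %u %u %u %u", r, e, s, &fs) == 4 ? 0 : -1;
}

/* Linux setresgid(2) rule: without CAP_SETGID, each new ID must equal the
 * current real, effective or saved GID. Supplementary groups do not count. */
int setresgid_permitted(int has_cap_setgid, unsigned r, unsigned e, unsigned s,
                        unsigned target)
{
    return has_cap_setgid || target == r || target == e || target == s;
}

/* Evaluate one status line against a target GID: 1 ok, 0 EPERM, -1 bad line.
 * Report's newgrp case (constructed line "Gid: 1002 1002 1002 1002",
 * target 1001, no CAP_SETGID) gives 0 although 1001 is a supplementary group. */
int check_line(const char *line, unsigned target, int has_cap_setgid)
{
    unsigned r, e, s;
    if (parse_gid_line(line, &r, &e, &s) != 0)
        return -1;
    return setresgid_permitted(has_cap_setgid, r, e, s, target);
}

int main(void)
{
    char buf[256];
    struct passwd *pw = getpwuid(getuid());
    FILE *f = fopen("/proc/self/status", "r");
    if (pw == NULL || f == NULL)
        return 2;
    while (fgets(buf, sizeof buf, f) != NULL) {
        if (strncmp(buf, "Gid:", 4) != 0)
            continue;
        /* Assumption: euid 0 stands in for holding CAP_SETGID. */
        int ok = check_line(buf, (unsigned)pw->pw_gid, geteuid() == 0);
        printf("setresgid(%u) %s\n", (unsigned)pw->pw_gid,
               ok == 1 ? "permitted" : "would fail with EPERM");
    }
    fclose(f);
    return 0;
}
```

Run it once in a normal login shell and once inside a newgrp session to compare the two verdicts for the passwd primary GID.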