Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-2189

ssh under newgrp'ed session fails hostbased authentication

Details

    • Major
    • sst_security_crypto
    • ssg_security
    • If docs needed, set a value

    Description

      Description of problem:
      ssh with hostbased auth fails after changing group ID ( with newgrp, etc. )
      although hostbased auth normally is accepted.
      and ssh reports "setresgid XXXX: Operation not permitted".

      Version-Release number of selected component (if applicable):
      openssh-clients-7.4p1-11.el7.x86_64

      How reproducible:
      run ssh with both HostBasedAuthentication and EnableSSHKeysign enabled, after changing the group ID to one of the supplementary groups.

      Steps to Reproduce:
      1. run "newgrp" with one of the supplementary groups as its argument
      2. under the newgrp'ed session, run ssh with hostbased auth enabled

      Actual results:

      Expected results:

      Additional info:
      comparing output;
      – normal –
      user1$ getent passwd user1
      user1:x:1001:1001::/home/user1:/bin/bash
      user1$ id
      uid=1001(user1) gid=1001(group1) groups=1001(group1),1002(group2)
      user1$ ssh -v -o HostbasedAuthentication=yes -o PubkeyAuthentication=no host1 hostname
      ...
      debug1: userauth_hostbased: trying hostkey ...
      debug1: permanently_drop_suid: 1001
      debug1: Authentication succeeded (hostbased).
      ...
      host1
      Transferred: ...
      Bytes per second: ...
      debug1: Exit status 0

      – chgrp'ed –
      user1$ getent passwd user1
      user1:x:1001:1001::/home/user1:/bin/bash
      user1$ newgrp group2
      user1$ id
      uid=1001(user1) gid=1002(group2) groups=1002(group2),1001(group1)
      user1$ ssh -v -o HostbasedAuthentication=yes -o PubkeyAuthentication=no host1 hostname
      ...
      debug1: userauth_hostbased: trying hostkey ...
      debug1: permanently_drop_suid: 1001
      setresgid 1001: Operation not permitted
      ssh_keysign: no reply
      sign using hostkey ... failed
      Permission denied (publickey,hostbased).

      Attachments

        Activity

          People

            dbelyavs@redhat.com Dmitry Belyavskiy
            jira-bugzilla-migration RH Bugzilla Integration
            Dmitry Belyavskiy Dmitry Belyavskiy
            SSG Security QE SSG Security QE
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated: