RHEL-78656

RHEL7 ssh client prints "Authentication failed" when user is denied access, but not RHEL8+

    • Bug
    • Resolution: Won't Do
    • rhel-8.10, rhel-9.5
    • openssh
    • Moderate
    • rhel-sst-security-crypto
    • ssg_security
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      A customer is whitelisting/blacklisting users through a PAM access configuration, but the same can be achieved with the AllowUsers directive.
      When connecting from a RHEL7 client to a RHEL8+ sshd service, if the user is denied, the RHEL7 ssh client returns "Authentication failed", which is due to entering the cleanup code of function ssh_userauth2() on line 482:

       437 void
       438 ssh_userauth2(const char *local_user, const char *server_user, char *host,
       439     Sensitive *sensitive)
       440 {
       :
       476 >>>>    ssh_dispatch_run(ssh, DISPATCH_BLOCK, &authctxt.success, &authctxt);    /* loop until success */
       477 
       478         pubkey_cleanup(&authctxt);
       479         ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
       480 
       481         if (!authctxt.success)
       482 >>>>            fatal("Authentication failed.");
       483         debug("Authentication succeeded (%s).", authctxt.method->name);
       484 }
      

      This code seems totally unreachable on RHEL8+ after commit 92e9fe633130376a95dd533df6e5e6a578c1e6b8 was implemented, because, on line 476 (now line 548 in recent code), the ssh_dispatch_run() call has been replaced by ssh_dispatch_run_fatal(), which never returns on error but executes log_die() internally:

       501 void
       502 ssh_userauth2(struct ssh *ssh, const char *local_user,
       503     const char *server_user, char *host, Sensitive *sensitive)
       504 {
       :
       548 >>>>    ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
       549         pubkey_cleanup(ssh);
       550         ssh->authctxt = NULL;
       551 
       552         ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
       553 
       554         if (!authctxt.success)
       555                 fatal("Authentication failed.");
       556         debug("Authentication succeeded (%s).", authctxt.method->name);
       557 }
      

      IMHO, not reaching line 549+ may be considered a bug, since the user cannot guess the reason for the connection being closed.
      Instead the user just gets a generic "Connection closed by" message.

      I know this behavior changed 8 years ago, but it would be great to improve this handling.

      What is the impact of this issue to you?

      Expecting "Authentication failed" if the user is denied.

      Please provide the package NVR for which the bug is seen:

      openssh-8.0p1 and later, including upstream.

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Set up "AllowUsers root" and try connecting using a different user.

      Expected results

      Always getting "Authentication failed"

      Actual results

      On RHEL7, getting "Authentication failed"
      On RHEL8+, just getting "Connection closed by"
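      Since the RHEL8+ client only shows the generic "Connection closed by" message, the actual reason is only visible in the server's sshd log. The following is an added example (not code from this issue or from OpenSSH) that pulls the denial reason out of sshd journal lines; the log text is constructed for the example, and the matched messages are the ones sshd's allowed_user() and pam_access emit.

```shell
#!/bin/sh
# Added example, not part of the issue: recover the server-side reason behind a
# client that only saw "Connection closed by ...". Feed it the output of
# `journalctl -u sshd`; SAMPLE_LOG below is constructed test input.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 10:00:01 host sshd[1234]: User bob from 192.0.2.10 not allowed because not listed in AllowUsers
Jan 10 10:00:01 host sshd[1234]: Connection closed by invalid user bob 192.0.2.10 port 50000 [preauth]
Jan 10 10:01:05 host sshd[1250]: pam_access(sshd:account): access denied for user `carol' from `192.0.2.11'
Jan 10 10:01:05 host sshd[1250]: Connection closed by authenticating user carol 192.0.2.11 port 50001 [preauth]
Jan 10 10:02:30 host sshd[1260]: User dave from 192.0.2.12 not allowed because listed in DenyUsers
Jan 10 10:03:00 host sshd[1270]: Accepted publickey for root from 192.0.2.13 port 50002 ssh2: ED25519 SHA256:placeholder
EOF
)

# Map every sshd line that explains a denial to "<user> <source> <reason>".
# Lines that do not explain a denial (e.g. "Accepted publickey") are dropped.
sshd_denial_reasons() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*sshd\[[0-9]*\]: User \([^ ]*\) from \([^ ]*\) not allowed because not listed in AllowUsers.*/\1 \2 not-in-AllowUsers/p' \
        -e 's/.*sshd\[[0-9]*\]: User \([^ ]*\) from \([^ ]*\) not allowed because listed in DenyUsers.*/\1 \2 in-DenyUsers/p' \
        -e 's/.*sshd\[[0-9]*\]: User \([^ ]*\) from \([^ ]*\) not allowed because none of user.s groups are listed in AllowGroups.*/\1 \2 not-in-AllowGroups/p' \
        -e 's/.*sshd\[[0-9]*\]: User \([^ ]*\) from \([^ ]*\) not allowed because a group is listed in DenyGroups.*/\1 \2 in-DenyGroups/p' \
        -e 's/.*pam_access(sshd:account): access denied for user .\([A-Za-z0-9_.-]*\). from .\([0-9A-Fa-f.:]*\).*/\1 \2 pam_access-denied/p'
}

# Count denials per source address: the first thing an operator wants when
# several users report the generic "Connection closed by" message at once.
sshd_denials_by_source() {
    sshd_denial_reasons "$1" | awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

sshd_denial_reasons "$SAMPLE_LOG"
sshd_denials_by_source "$SAMPLE_LOG"
```

      Replace SAMPLE_LOG with `"$(journalctl -u sshd --since today)"` to run it against a real host.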

              Dmitry Belyavskiy (dbelyavs@redhat.com)
              Renaud Métrich (rhn-support-rmetrich)
              Miluse Bezo Konecna
              Votes: 0
              Watchers: 5