From joe@loche.chubbo.net Tue May 6 13:35:06 2003
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6DF0A37B401 for ; Tue, 6 May 2003 13:35:06 -0700 (PDT)
Received: from loche.chubbo.net (loche.chubbo.net [168.75.98.154]) by mx1.FreeBSD.org (Postfix) with ESMTP id 106D143F3F for ; Tue, 6 May 2003 13:35:06 -0700 (PDT) (envelope-from joe@loche.chubbo.net)
Received: (qmail 48627 invoked by uid 1000); 6 May 2003 20:30:37 -0000
Message-Id: <20030506203037.48626.qmail@loche.chubbo.net>
Date: 6 May 2003 20:30:37 -0000
From: Joseph Kacmarcik
Reply-To: Joseph Kacmarcik
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: can't ssh after su to different local user
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number: 51892
>Category: bin
>Synopsis: can't ssh after su to different local user
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: des
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 06 13:40:08 PDT 2003
>Closed-Date: Sun Oct 23 19:14:22 GMT 2005
>Last-Modified: Sun Oct 23 19:14:22 GMT 2005
>Originator: Joseph Kacmarcik
>Release: FreeBSD 5.0-RELEASE-p3 i386
>Organization: chubbo.net
>Environment:
System: FreeBSD loche.chubbo.net 5.0-RELEASE-p3 FreeBSD 5.0-RELEASE-p3 #0: Mon Feb 24 11:39:12 PST 2003 joe@loche.chubbo.net:/usr/src/sys/i386/compile/CHUBBO_SMP7 i386
>Description:
when i login via console or via ssh as user1, i can ssh out to other boxes (or localhost) without difficulty. if the remote host is not in my known_hosts, i'm prompted to add the key. when i login as user2, i get the same effects, i can ssh out with no trouble. in this situation, user2 is a common user and will not be allowed direct login with the sshd_config parameter DenyUsers. user1 and other users will su to user2 or 'sudo su' to user2.
anytime i do 'su - user2' or 'sudo su - user2' and i try to ssh to a remote box (or localhost), i get "Host key verification failed.". i've also tried just 'su user2' and 'sudo su user2' to avoid importing the environment. i've tried homedirs that are completely empty thinking it may be the environment, changing shells, changing uid's. i just dunno what's goin on. i've looked at the output of ssh -vvv while user1 and after su to user2 and they are identical up to where i would get verification of an unknown host or password, but after su, i get the failure.

i've run sshd in debug, su'ed to user2 and did ssh -vvv localhost. looking at the debug output, it stops at "debug1: waiting for SSH2_MSG_NEWKEYS" and immediately following is "Connection closed by 127.0.0.1"
>How-To-Repeat:
login as any user, su to a different local user (including root), try to ssh anywhere (including localhost). i have completely reinstalled freebsd 5 on a new drive and i get the same results. i've also tried this on other freebsd 5 machines with the same result. i've never needed to have this functionality on freebsd 5 but it does work on freebsd 4 as well as other OS'es.
>Fix:
if i login directly as root or su to root, i can ssh anywhere (including localhost). i don't consider this a resolution or workaround.
>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-bugs->des
Responsible-Changed-By: kris
Responsible-Changed-When: Sat Jul 12 17:56:07 PDT 2003
Responsible-Changed-Why: Assign to SSH maintainer
http://www.freebsd.org/cgi/query-pr.cgi?pr=51892

State-Changed-From-To: open->suspended
State-Changed-By: des
State-Changed-When: Tue Aug 19 04:49:09 PDT 2003
State-Changed-Why: Unable to reproduce.
http://www.freebsd.org/cgi/query-pr.cgi?pr=51892

From: Joseph Kacmarcik
To: freebsd-gnats-submit@FreeBSD.org
Cc:
Subject: Re: bin/51892: can't ssh after su to different local user
Date: Fri, 9 Jan 2004 12:30:05 -0800

some more specific information on this i didn't know at the time of the original submission.

the problem is specific to users without an existing known_hosts file.

if i ssh in as user1, then 'su - user2', issuing 'ssh user3@localhost' results in 'Host key verification failed.'

if i ssh in as user2, then 'ssh user3@localhost' prompts for addition into known_hosts (creates it if it doesn't exist) and asks for password (or i'm allowed in if ssh-key is accepted).

with an existing ~/.ssh/known_hosts file, ssh in as user1, 'su - user2', 'ssh user2@localhost', i'm prompted for password (or allowed in if the ssh-key is accepted).

this problem still exists up to 5.0-RELEASE-p19.

joe

State-Changed-From-To: suspended->feedback
State-Changed-By: des
State-Changed-When: Sat Aug 7 20:32:17 GMT 2004
State-Changed-Why: Does this problem still occur with more recent versions? If it does, could you please provide a full log and a ktrace?
http://www.freebsd.org/cgi/query-pr.cgi?pr=51892

State-Changed-From-To: feedback->closed
State-Changed-By: linimon
State-Changed-When: Sun Oct 23 19:14:04 GMT 2005
State-Changed-Why: Feedback timeout (> 1 year).
http://www.freebsd.org/cgi/query-pr.cgi?pr=51892
>Unformatted: