#1 2016-05-06 22:43:56

thorsten
Member
From: Germany
Registered: 2010-02-24
Posts: 168

SSH key stops working after openssl upgrade (1.0.2.d => 1.0.2.e)

After upgrading openssl (from 1.0.2.d to 1.0.2.e) I am always asked for the passphrase for my ssh key (rsa, 4096 bits, from Dec 2009), even though it does not have any passphrase. The consequence is that ssh aborts since I am not able to enter the correct passphrase:

$ sudo pacman -U --noconfirm openssl-1.0.2.d-1-x86_64.pkg.tar.xz > /dev/null
warning: downgrading package openssl (1.0.2.e-1 => 1.0.2.d-1)
$ pacman -Q openssl
openssl 1.0.2.d-1
$ ssh cip echo 'it works!'
it works!
$ sudo pacman -U --noconfirm openssl-1.0.2.e-1-x86_64.pkg.tar.xz > /dev/null
$ pacman -Q openssl
openssl 1.0.2.e-1
$ ssh cip echo 'it works!'
Enter passphrase for key '/home/thorsten/.ssh/id_rsa': 
Password: ^C
$ sudo pacman -U --noconfirm openssl-1.0.2.d-1-x86_64.pkg.tar.xz > /dev/null
warning: downgrading package openssl (1.0.2.e-1 => 1.0.2.d-1)
$ ssh cip echo 'it works!'
it works!

Strangely, I have this issue only with this particular ssh-key, regardless of which host I want to connect to (cip in the above case), and regardless of which host I am on.

  • Do any of you have the same problem?

  • It sounds like an upstream bug. Or did I miss any announcement that some ssh-keys became deprecated?

  • How can I provide enough information in order to reproduce this bug? (I don't want to upload my private ssh-key).

#2 2016-05-06 23:01:58

thorsten
Member
From: Germany
Registered: 2010-02-24
Posts: 168

Re: SSH key stops working after openssl upgrade (1.0.2.d => 1.0.2.e)

I couldn't find any helpful difference in the verbose (-vvvv) outputs of the respective openssl versions. But maybe it helps you:

@@ -1,3 +1,3 @@
 $ ssh -vvvv cip echo 'it works!'
-OpenSSH_7.2p2, OpenSSL 1.0.2d 9 Jul 2015
+OpenSSH_7.2p2, OpenSSL 1.0.2e 3 Dec 2015
 debug1: Reading configuration data /home/thorsten/.ssh/config
@@ -72,3 +72,3 @@
 debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
-debug2: bits set: 4132/8192
+debug2: bits set: 4039/8192
 debug3: send packet: type 32
@@ -86,3 +86,3 @@
 debug1: Found key in /home/thorsten/.ssh/known_hosts:50
-debug2: bits set: 4080/8192
+debug2: bits set: 4147/8192
 debug3: send packet: type 21
@@ -96,3 +96,3 @@
 debug1: SSH2_MSG_NEWKEYS received
-debug2: key: /home/thorsten/.ssh/id_rsa (0x5624cc430e50)
+debug2: key: /home/thorsten/.ssh/id_rsa (0x55561f8dbe50)
 debug2: key: /home/thorsten/.ssh/id_dsa ((nil))
@@ -121,60 +121,27 @@
 debug3: sign_and_send_pubkey: RSA SHA256:0nuUcZCYqCHj0hQ2+ZUkRU36h5RlBIcaEuVT61dn+hY
+Enter passphrase for key '/home/thorsten/.ssh/id_rsa': 
+debug2: no passphrase given, try next key
+debug1: Trying private key: /home/thorsten/.ssh/id_dsa
+debug3: no such identity: /home/thorsten/.ssh/id_dsa: No such file or directory
+debug1: Trying private key: /home/thorsten/.ssh/id_ecdsa
+debug3: no such identity: /home/thorsten/.ssh/id_ecdsa: No such file or directory
+debug1: Trying private key: /home/thorsten/.ssh/id_ed25519
+debug3: no such identity: /home/thorsten/.ssh/id_ed25519: No such file or directory
+debug2: we did not send a packet, disable method
+debug3: authmethod_lookup keyboard-interactive
+debug3: remaining preferred: password
+debug3: authmethod_is_enabled keyboard-interactive
+debug1: Next authentication method: keyboard-interactive
+debug2: userauth_kbdint
 debug3: send packet: type 50
-debug3: receive packet: type 52
-debug1: Authentication succeeded (publickey).
-Authenticated to faui0sr0.cs.fau.de ([131.188.30.90]:22).
-debug1: channel 0: new [client-session]
-debug3: ssh_session2_open: channel_new: 0
-debug2: channel 0: send open
-debug3: send packet: type 90
-debug1: Requesting no-more-sessions@openssh.com
-debug3: send packet: type 80
-debug1: Entering interactive session.
-debug1: pledge: network
-debug3: receive packet: type 91
-debug2: callback start
-debug2: fd 3 setting TCP_NODELAY
-debug3: ssh_packet_set_tos: set IP_TOS 0x08
-debug2: client_session2_setup: id 0
-debug1: Sending command: echo it works!
-debug2: channel 0: request exec confirm 1
-debug3: send packet: type 98
-debug2: callback done
-debug2: channel 0: open confirm rwindow 0 rmax 32768
-debug2: channel 0: rcvd adjust 2097152
-debug3: receive packet: type 99
-debug2: channel_input_status_confirm: type 99 id 0
-debug2: exec request accepted on channel 0
-debug3: receive packet: type 96
-debug2: channel 0: rcvd eof
-debug2: channel 0: output open -> drain
-debug3: receive packet: type 98
-debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
-debug3: receive packet: type 98
-debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
-debug2: channel 0: rcvd eow
-debug2: channel 0: close_read
-debug2: channel 0: input open -> closed
-debug3: receive packet: type 97
-debug2: channel 0: rcvd close
-debug3: channel 0: will not send data after close
-it works!
-debug3: channel 0: will not send data after close
-debug2: channel 0: obuf empty
-debug2: channel 0: close_write
-debug2: channel 0: output drain -> closed
-debug2: channel 0: almost dead
-debug2: channel 0: gc: notify user
-debug2: channel 0: gc: user detached
-debug2: channel 0: send close
-debug3: send packet: type 97
-debug2: channel 0: is dead
-debug2: channel 0: garbage collecting
-debug1: channel 0: free: client-session, nchannels 1
-debug3: channel 0: status: The following connections are open:
-  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
+debug2: we sent a keyboard-interactive packet, wait for reply
+debug3: receive packet: type 60
+debug2: input_userauth_info_req
+debug2: input_userauth_info_req: num_prompts 1
+Password: 
+debug3: send packet: type 61
+debug3: receive packet: type 60
+debug2: input_userauth_info_req
+debug2: input_userauth_info_req: num_prompts 1
+Password: 
 
-debug3: send packet: type 1
-Transferred: sent 3660, received 4096 bytes, in 0.2 seconds
-Bytes per second: sent 19057.8, received 21328.0
-debug1: Exit status 0
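Review bot: in the last hunk the two runs diverge immediately after `sign_and_send_pubkey`, where the 1.0.2e run prints `Enter passphrase for key '/home/thorsten/.ssh/id_rsa'` followed by `no passphrase given, try next key`; this is the only hunk in which the client's behaviour changes, so the comparison would be easier to read with the four earlier hunks (version banner, `bits set` counts, key pointer address) dropped or marked as expected per-run differences. The prompt names the local key file, and the 1.0.2d run signs with that same file without prompting, so it would help to say so here and to reproduce the prompt without a network connection, for example with `ssh-keygen -y -f ~/.ssh/id_rsa` under each OpenSSL version.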

Last edited by thorsten (2016-05-06 23:02:11)

#3 2016-05-06 23:14:40

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: SSH key stops working after openssl upgrade (1.0.2.d => 1.0.2.e)

Considering openssl 1.0.2.h-1 is the current version in the repos... how about updating to that first? You're a few versions behind... are you using stock Arch?

Scott

#4 2016-05-07 09:29:09

thorsten
Member
From: Germany
Registered: 2010-02-24
Posts: 168

Re: SSH key stops working after openssl upgrade (1.0.2.d => 1.0.2.e)

firecat53 wrote:

Considering openssl 1.0.2.h-1 is the current version in the repos... how about updating to that first? You're a few versions behind... are you using stock Arch?

This problem is also present in the current 1.0.2.h-1 (but also in the intermediate versions 1.0.2.g-3 and 1.0.2.f-1).
I am using stock Arch on both machines; that is, packages from the default repos and multilib, and a few ssl-unrelated packages[1] from the AUR. Except for gnupg 2.0.26-1 and dirmngr 1.1.1-3, all packages are installed in their current version.

Last edited by thorsten (2016-05-07 09:50:42)
