From joe@loche.chubbo.net  Tue May  6 13:35:06 2003
Return-Path: <joe@loche.chubbo.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6DF0A37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  6 May 2003 13:35:06 -0700 (PDT)
Received: from loche.chubbo.net (loche.chubbo.net [168.75.98.154])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 106D143F3F
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  6 May 2003 13:35:06 -0700 (PDT)
	(envelope-from joe@loche.chubbo.net)
Received: (qmail 48627 invoked by uid 1000); 6 May 2003 20:30:37 -0000
Message-Id: <20030506203037.48626.qmail@loche.chubbo.net>
Date: 6 May 2003 20:30:37 -0000
From: Joseph Kacmarcik <joe@chubbo.net>
Reply-To: Joseph Kacmarcik <joe@chubbo.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: can't ssh after su to different local user
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         51892
>Category:       bin
>Synopsis:       can't ssh after su to different local user
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 06 13:40:08 PDT 2003
>Closed-Date:    Sun Oct 23 19:14:22 GMT 2005
>Last-Modified:  Sun Oct 23 19:14:22 GMT 2005
>Originator:     Joseph Kacmarcik
>Release:        FreeBSD 5.0-RELEASE-p3 i386
>Organization:
chubbo.net
>Environment:
System: FreeBSD loche.chubbo.net 5.0-RELEASE-p3 FreeBSD 5.0-RELEASE-p3 #0: Mon Feb 24 11:39:12 PST 2003 joe@loche.chubbo.net:/usr/src/sys/i386/compile/CHUBBO_SMP7 i386

        
>Description:

        when i log in via console or via ssh as user1, i can ssh out to other boxes (or localhost) without difficulty. if the remote host is not in my known_hosts, i'm prompted to add the key. when i log in as user2, i get the same effect: i can ssh out with no trouble. in this situation, user2 is a common user and will not be allowed direct login with the sshd_config parameter DenyUsers. user1 and other users will su to user2 or 'sudo su' to user2. anytime i do 'su - user2' or 'sudo su - user2' and i try to ssh to a remote box (or localhost), i get "Host key verification failed.". i've also tried just 'su user2' and 'sudo su user2' to avoid importing the environment.
	i've tried homedirs that are completely empty thinking it may be the environment, changing shells, changing uids. i just dunno what's goin on. i've looked at the output of ssh -vvv while user1 and after su to user2 and they are identical up to where i would get verification of an unknown host or password, but after su, i get the failure. i've run sshd in debug, su'ed to user2 and did ssh -vvv localhost. looking at the debug output, it stops at "debug1: waiting for SSH2_MSG_NEWKEYS" and immediately following is "Connection closed by 127.0.0.1"

>How-To-Repeat:

	log in as any user, su to a different local user (including root), try to ssh anywhere (including localhost). i have completely reinstalled freebsd 5 on a new drive and i get the same results. i've also tried this on other freebsd 5 machines with the same result. i've never needed to have this functionality on freebsd 5 but it does work on freebsd 4 as well as other OSes.

>Fix:

	if i log in directly as root or su to root, i can ssh anywhere (including localhost). i don't consider this a resolution or workaround.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Jul 12 17:56:07 PDT 2003 
Responsible-Changed-Why:  
Assign to SSH maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=51892 
State-Changed-From-To: open->suspended 
State-Changed-By: des 
State-Changed-When: Tue Aug 19 04:49:09 PDT 2003 
State-Changed-Why:  
Unable to reproduce. 


From: Joseph Kacmarcik <joe@chubbo.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/51892: can't ssh after su to different local user
Date: Fri,  9 Jan 2004 12:30:05 -0800

 some more specific information on this i didn't know at the time of the original
 submission.
 
 the problem is specific to users without an existing known_hosts file. if i ssh
 in as user1, then 'su - user2', issuing 'ssh user3@localhost' results in 'Host
 key verification failed.' if i ssh in as user2, then 'ssh user3@localhost'
 prompts for addition into known_hosts (creates it if it doesn't exist) and asks
 for password (or i'm allowed in if ssh-key is accepted).
 
 with an existing ~/.ssh/known_hosts file, ssh in as user1, 'su - user2', 'ssh
 user2@localhost', i'm prompted for password (or allowed in if the ssh-key is
 accepted).
 
 this problem still exists up to 5.0-RELEASE-p19.
 
 joe
State-Changed-From-To: suspended->feedback 
State-Changed-By: des 
State-Changed-When: Sat Aug 7 20:32:17 GMT 2004 
State-Changed-Why:  
Does this problem still occur with more recent versions?  If it does, 
could you please provide a full log and a ktrace? 

State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Oct 23 19:14:04 GMT 2005 
State-Changed-Why:  
Feedback timeout (> 1 year). 

>Unformatted:
