ssh: failure because it cannot access /etc/ssh/ssh_revoked_hosts

[tools200ms]

Description

ssh in firejail fails to establish connection throwing the following message:

Error checking host key <key removed> in revoked keys file /etc/ssh/ssh_revoked_hosts: Permission denied
Host key verification failed.

Looks like firejail prevents ssh from accessing /etc/ssh/ssh_revoked_hosts file. With --noprofile it works, while with --profile=ssh.profile fails with a given message.

Firejail version: 0.9.72 OS: Gentoo stable

Checklist

• [x] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• [x] I can reproduce the issue without custom modifications (e.g. globals.local).
• [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
• [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

$ ssh -v 10.0.4.181
OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /home/barney/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/9999999gentoo-security.conf
debug1: Reading configuration data /etc/ssh/ssh_config.d/9999999gentoo.conf
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 10.0.4.181 [10.0.4.181] port 22.
debug1: Connection established.
debug1: identity file /home/barney/.ssh/id_rsa type -1
debug1: identity file /home/barney/.ssh/id_rsa-cert type -1
debug1: identity file /home/barney/.ssh/id_ecdsa type -1
debug1: identity file /home/barney/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/barney/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/barney/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/barney/.ssh/id_ed25519 type -1
debug1: identity file /home/barney/.ssh/id_ed25519-cert type -1
debug1: identity file /home/barney/.ssh/id_ed25519_sk type -1
debug1: identity file /home/barney/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/barney/.ssh/id_xmss type -1
debug1: identity file /home/barney/.ssh/id_xmss-cert type -1
debug1: identity file /home/barney/.ssh/id_dsa type -1
debug1: identity file /home/barney/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6
debug1: compat_banner: match: OpenSSH_9.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.0.4.181:22 as 'barney'
debug1: load_hostkeys: fopen /home/barney/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: <key removed>
Error checking host key <key removed> in revoked keys file /etc/ssh/ssh_revoked_hosts: Permission denied
Host key verification failed.

[glitsj16]

Thanks for reporting. Looks like we need to add noblacklist /etc/ssh/ssh_revoked_hosts to allow-ssh.inc. Can you confirm the below fixes this please:

$ cat ~/.config/firejail/allow-ssh.local
noblacklist /etc/ssh/ssh_revoked_hosts

If it fixes the issue you might open a PR and get credit for the fix. But let's test things first...

[tools200ms]

I do confirm, fix works. No issues now.

[glitsj16]

I do confirm, fix works. No issues now.

Great. Thank you for confirming!

Approaching typical Friday evening pressed for time with energy-loaden children bursting into weekend-mode... I'll keep eyes on this and will open a PR during the weekend if you haven't beaten me to it :-)

Cheers

[tools200ms]

Just did PR, have a good time! Mateusz