Your message dated Mon, 21 Oct 2024 17:34:08 +0000
with message-id <[email protected]>
and subject line Bug#1041521: fixed in openssh 1:9.9p1-2
has caused the Debian Bug report #1041521,
regarding OpenSSH: problematic interaction between GSSAPI Key Exchange and
publickey in 8.9p1 and newer
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1041521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041521
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssh
Version: 1:9.2p1-2
Symptom: ssh fails with "sign_and_send_pubkey: internal error: initial hostkey
not recorded".
This issue was reported upstream in
https://bugzilla.mindrot.org/show_bug.cgi?id=3406 and rejected because it's a
flaw in the GSSAPI key exchange patch. However, Damien Miller was kind enough
to provide a hint in Comment 2.
To trigger it, one needs to (a) perform a successful GSSAPI key exchange, (b)
attempt public key authentication. (In addition, the client and the server must
both have the hostbound authentication protocol extension enabled for the
problem to manifest itself. This is on by default in bookworm.) This is
probably not a very common combination, but it can happen if one has Kerberos
credentials for the correct realm but the wrong user, and a private key for the
right user.
I suppose an ambitious developer might try to provide a functional equivalent
to the host key binding that leverages the GSSAPI key exchange, instead of
Damien Miller's one-statement suggestion.
A likely workaround for affected clients until this gets fixed is to set
pubkeyauthentication=unbound as needed.
--- End Message ---
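A check for the combination described in the report above, as an added example that is not part of the original messages or of the Debian package: it reads effective client settings in the `keyword value` form printed by `ssh -G <host>` and reports whether GSSAPI key exchange and host-bound-capable publickey authentication are both enabled. The function name, the result words, the assumption that a GSSAPI-patched client prints a `gssapikeyexchange` line, and the sample input are constructed for illustration; a result of `exposed` only matters on packages older than the fixed 1:9.9p1-2.

```shell
#!/bin/sh
# Added example. Input on stdin: "keyword value" lines as printed by
# `ssh -G <host>`. Assumption: a client built with the GSSAPI key exchange
# patch includes a "gssapikeyexchange" line in that output.
classify_ssh_config() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "gssapikeyexchange"    { gss = val }
        key == "pubkeyauthentication" { pk = val }
        END {
            # Without GSSAPI key exchange an initial host key is recorded,
            # so host-bound signatures work as intended.
            if (gss != "yes" && gss != "true") { print "not-affected"; exit }
            # Publickey switched off: the failing code path is never reached.
            if (pk == "no" || pk == "false")   { print "not-affected"; exit }
            # The workaround from the report is already in place.
            if (pk == "unbound")               { print "workaround-applied"; exit }
            # yes/true/host-bound, or no line at all (publickey is on by default).
            print "exposed"
        }'
}

# Constructed sample: GSSAPI key exchange on, publickey left at its default.
sample_exposed='hostname bastion.example.org
gssapiauthentication yes
gssapikeyexchange yes
pubkeyauthentication true'

# Constructed sample: same host with the workaround applied.
sample_fixed='hostname bastion.example.org
gssapikeyexchange yes
pubkeyauthentication unbound'

printf '%s\n' "$sample_exposed" | classify_ssh_config   # exposed
printf '%s\n' "$sample_fixed"   | classify_ssh_config   # workaround-applied

# Real use, per host: ssh -G some-host | classify_ssh_config
```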
--- Begin Message ---
Source: openssh
Source-Version: 1:9.9p1-2
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 21 Oct 2024 18:24:07 +0100
Source: openssh
Architecture: source
Version: 1:9.9p1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1041521
Changes:
openssh (1:9.9p1-2) unstable; urgency=medium
.
* Don't prefer host-bound public key signatures if there was no initial
host key, as is the case when using GSS-API key exchange (closes:
#1041521).
* Use runuser rather than sudo in autopkgtests where possible, avoiding a
dependency.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---