[Touch-packages] [Bug 1949778] Re: unittest2 doesn't work on python3.10
** Also affects: python-pyghmi (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-testtools in Ubuntu. https://bugs.launchpad.net/bugs/1949778 Title: unittest2 doesn't work on python3.10 Status in gitinspector package in Ubuntu: New Status in python-deprecation package in Ubuntu: New Status in python-futurist package in Ubuntu: New Status in python-jenkins package in Ubuntu: New Status in python-launchpadlib package in Ubuntu: New Status in python-pyghmi package in Ubuntu: New Status in python-testtools package in Ubuntu: New Status in python-tosca-parser package in Ubuntu: New Status in python-yaql package in Ubuntu: New Status in tempest package in Ubuntu: New Status in unittest2 package in Ubuntu: Fix Released Status in unittest2 package in Debian: New Bug description: Since Python 3.3, using or importing ABCs from 'collections' instead of 'collections.abc' has been deprecated, and it's finally removed in python 3.10. Because unittest2 relies on these collections in it's compatibility helpers, it fails to run on 3.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gitinspector/+bug/1949778/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1949778] Re: unittest2 doesn't work on python3.10
** Also affects: python-jenkins (Ubuntu) Importance: Undecided Status: New ** Also affects: tempest (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-testtools in Ubuntu. https://bugs.launchpad.net/bugs/1949778 Title: unittest2 doesn't work on python3.10 Status in gitinspector package in Ubuntu: New Status in python-deprecation package in Ubuntu: New Status in python-futurist package in Ubuntu: New Status in python-jenkins package in Ubuntu: New Status in python-launchpadlib package in Ubuntu: New Status in python-testtools package in Ubuntu: New Status in python-tosca-parser package in Ubuntu: New Status in python-yaql package in Ubuntu: New Status in tempest package in Ubuntu: New Status in unittest2 package in Ubuntu: Fix Released Status in unittest2 package in Debian: New Bug description: Since Python 3.3, using or importing ABCs from 'collections' instead of 'collections.abc' has been deprecated, and it's finally removed in python 3.10. Because unittest2 relies on these collections in it's compatibility helpers, it fails to run on 3.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gitinspector/+bug/1949778/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1949778] Re: unittest2 doesn't work on python3.10
** Also affects: gitinspector (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-testtools in Ubuntu. https://bugs.launchpad.net/bugs/1949778 Title: unittest2 doesn't work on python3.10 Status in gitinspector package in Ubuntu: New Status in python-deprecation package in Ubuntu: New Status in python-futurist package in Ubuntu: New Status in python-launchpadlib package in Ubuntu: New Status in python-testtools package in Ubuntu: New Status in python-tosca-parser package in Ubuntu: New Status in python-yaql package in Ubuntu: New Status in unittest2 package in Ubuntu: Fix Released Status in unittest2 package in Debian: New Bug description: Since Python 3.3, using or importing ABCs from 'collections' instead of 'collections.abc' has been deprecated, and it's finally removed in python 3.10. Because unittest2 relies on these collections in it's compatibility helpers, it fails to run on 3.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gitinspector/+bug/1949778/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1949778] Re: unittest2 doesn't work on python3.10
Tracking python-futurist as per https://launchpad.net/ubuntu/+source/python- futurist/2.4.0-2/+build/22303692 ** Also affects: python-futurist (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-testtools in Ubuntu. https://bugs.launchpad.net/bugs/1949778 Title: unittest2 doesn't work on python3.10 Status in python-deprecation package in Ubuntu: New Status in python-futurist package in Ubuntu: New Status in python-launchpadlib package in Ubuntu: New Status in python-testtools package in Ubuntu: New Status in python-tosca-parser package in Ubuntu: New Status in python-yaql package in Ubuntu: New Status in unittest2 package in Ubuntu: Fix Released Status in unittest2 package in Debian: New Bug description: Since Python 3.3, using or importing ABCs from 'collections' instead of 'collections.abc' has been deprecated, and it's finally removed in python 3.10. Because unittest2 relies on these collections in it's compatibility helpers, it fails to run on 3.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-deprecation/+bug/1949778/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"
This is still valid for jammy. As mentioned by Kartik, in [1], a fix in /etc/logcheck/ignore.d.server/libsasl-modules should not fix the issue of getting the message spammed into the logs. I found this issue upstream [2] with a relevant comment [3] from 2019. I pinged upstream on this issue since it would be nice to assess whether we could remove the message or find a way to opt out there. [1] https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/827151/comments/17 [2] https://github.com/cyrusimap/cyrus-sasl/issues/386 [3] https://github.com/cyrusimap/cyrus-sasl/issues/386#issuecomment-504710968 ** Bug watch added: github.com/cyrusimap/cyrus-sasl/issues #386 https://github.com/cyrusimap/cyrus-sasl/issues/386 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/827151 Title: Annoying log message "DIGEST-MD5 common mech free" Status in Cyrus-sasl2: New Status in cyrus-sasl2 package in Ubuntu: Triaged Status in cyrus-sasl2 source package in Trusty: Won't Fix Status in cyrus-sasl2 source package in Xenial: Incomplete Status in cyrus-sasl2 source package in Yakkety: Fix Released Status in cyrus-sasl2 source package in Focal: Triaged Status in cyrus-sasl2 package in Debian: New Bug description: I recently updated the libsasl2-modules to 2.1.24~rc1.dfsg1+cvs2011-05-23-4ubuntu1 in oneiric. That triggered the bug also described in Debian here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932 The annoying message is logged in auth.log. In my case, it is associated with svnserve: svnserve: DIGEST-MD5 common mech free I'm not exactly sure what action triggers the message, but I can investigate more if required. $ lsb_release -rd Description:Ubuntu oneiric (development branch) Release:11.10 To manage notifications about this bug go to: https://bugs.launchpad.net/cyrus-sasl2/+bug/827151/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1949778] Re: unittest2 doesn't work on python3.10
Tracking python-testtools due to https://launchpad.net/ubuntu/+source/python- testtools/2.5.0-2/+build/22304107 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-testtools in Ubuntu. https://bugs.launchpad.net/bugs/1949778 Title: unittest2 doesn't work on python3.10 Status in python-deprecation package in Ubuntu: New Status in python-launchpadlib package in Ubuntu: New Status in python-testtools package in Ubuntu: New Status in python-tosca-parser package in Ubuntu: New Status in python-yaql package in Ubuntu: New Status in unittest2 package in Ubuntu: New Status in unittest2 package in Debian: New Bug description: Since Python 3.3, using or importing ABCs from 'collections' instead of 'collections.abc' has been deprecated, and it's finally removed in python 3.10. Because unittest2 relies on these collections in it's compatibility helpers, it fails to run on 3.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-deprecation/+bug/1949778/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1949778] Re: unittest2 doesn't work on python3.10
Tracking python-tosca-parser due to https://launchpad.net/ubuntu/+source/python-tosca- parser/2.4.1-2/+build/22304110 ** Also affects: python-testtools (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-testtools in Ubuntu. https://bugs.launchpad.net/bugs/1949778 Title: unittest2 doesn't work on python3.10 Status in python-deprecation package in Ubuntu: New Status in python-launchpadlib package in Ubuntu: New Status in python-testtools package in Ubuntu: New Status in python-tosca-parser package in Ubuntu: New Status in python-yaql package in Ubuntu: New Status in unittest2 package in Ubuntu: New Status in unittest2 package in Debian: New Bug description: Since Python 3.3, using or importing ABCs from 'collections' instead of 'collections.abc' has been deprecated, and it's finally removed in python 3.10. Because unittest2 relies on these collections in it's compatibility helpers, it fails to run on 3.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-deprecation/+bug/1949778/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 892293] Re: Jenkins is not reporting the skipped tests
** Changed in: pyjunitxml (Ubuntu) Importance: Undecided => Low -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pyjunitxml in Ubuntu. https://bugs.launchpad.net/bugs/892293 Title: Jenkins is not reporting the skipped tests Status in pyjunitxml: Fix Released Status in pyjunitxml package in Ubuntu: Confirmed Bug description: We are using junitxml to generate a results file that will be parsed by Jenkins for the final reporting. The skipped tests are being reported as passed, because they are tagged "skip" but Jenkins expects them to be "skipped". I couldn't find any specification of the results file, but on [1] everything refers to the tag as "skipped". [1] http://wiki.apache.org/ant/Proposals/EnhancedTestReports To manage notifications about this bug go to: https://bugs.launchpad.net/pyjunitxml/+bug/892293/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1859013] Re: openssh tests use "not valid yet" certificate from 2020, which is now valid
Setting series as wontfix due to end of standard support. This should be fixed from bionic and on. ** Changed in: openssh (Ubuntu Precise) Status: New => Won't Fix ** Changed in: openssh (Ubuntu Trusty) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1859013 Title: openssh tests use "not valid yet" certificate from 2020, which is now valid Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Precise: Won't Fix Status in openssh source package in Trusty: Won't Fix Status in openssh source package in Xenial: Fix Released Status in openssh source package in Bionic: Fix Released Status in openssh source package in Disco: Won't Fix Status in openssh source package in Eoan: Fix Released Status in openssh source package in Focal: Fix Released Bug description: [Impact] * regression testsuite uses 1st of January 2020 as the date in the future, however that is now in the past making autpkgtests fail. [Test Case] * Autopkgtest must pass [Regression Potential] * Testsuite assertion update only [Other Info] This is a staged update to be rolled up with any other openssh update in the future. fixed in debian https://tracker.debian.org/news/1092767/accepted- openssh-181p1-4-source-into-unstable/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1859013/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1945205] Re: [FFe] Add zstd support
** Changed in: python-debian (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-debian in Ubuntu. https://bugs.launchpad.net/bugs/1945205 Title: [FFe] Add zstd support Status in python-debian package in Ubuntu: Fix Released Bug description: [Feature Freeze Exception] Now that dpkg-deb defaults to compressing with zstd, python-debian can no longer decompress the compressed data into the binary package archive [1]. The proposed change, created as an MP at [2], introduces zstd support to python-debian 0.1.39 by adding a dependency to zstd to the package and by extending the python-debian xz support for python < 3.3, where xz was still not supported by tarfile, to also support the zstd compression. It is also important to note that, for python-debian 0.1.40, the relevant (here patched) code was re-worked (python < 3.3 support was dropped) and this proposed patch, along with the relevant proposed unit test, will need to be re-written. This re-writing effort is already an ongoing work proposed upstream in [3]. Once [3] is merged, this patch can be dropped and python-debian can be sync'd from upstream again. If there is a need to merge python-debian before [3] is accepted and released upstream, the next version of python-debian will need to drop the proposed patch and apply [3] instead, for the reasons listed above. While python-debian is not completely broken without this FFe patch, some of its features will not work properly on Ubuntu packages now they are compressed with zstd. For instance, any packages or scripts that try to use python-debian for extracting data from deb packages will no longer work. Namely, dh-cmake FTBFS when trying to decompress a deb package during its unit test run step [4]. A PPA with the proposed fix is available at [5], along with the build logs. I ran the dep8 test suite locally with the following results: autopkgtest [20:04:02]: summary python3-debian PASS I am also attaching the logs for installation, removal and upgrades of the patched package. [1] https://bugs.launchpad.net/ubuntu/+source/python-debian/+bug/1923845 [2] https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/python-debian/+git/python-debian/+merge/407413 [3] https://salsa.debian.org/python-debian-team/python-debian/-/merge_requests/65 [4] https://launchpadlibrarian.net/552708462/buildlog_ubuntu-impish-amd64.dh-cmake_0.6.1_BUILDING.txt.gz [5] https://launchpad.net/~athos-ribeiro/+archive/ubuntu/lp-1923845-python-debian/+packages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-debian/+bug/1945205/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1945205] Re: [FFe] Add zstd support
As an effort to verify this is not triggered by this upload, I was able to reproduce the failure locally with $ autopkgtest-buildvm-ubuntu-cloud -r impish -v $ autopkgtest autopkgtest -U -- qemu ./autopkgtest-impish-amd64.img and $ autopkgtest autopkgtest -U --apt-pocket=proposed -- qemu ./autopkgtest-impish-amd64.img Output is attached.?field.comment=As an effort to verify this is not triggered by this upload, I was able to reproduce the failure locally with $ autopkgtest-buildvm-ubuntu-cloud -r impish -v $ autopkgtest autopkgtest -U -- qemu ./autopkgtest-impish-amd64.img and $ autopkgtest autopkgtest -U --apt-pocket=proposed -- qemu ./autopkgtest-impish-amd64.img Output is attached. ** Attachment added: "autopktest.log" https://bugs.launchpad.net/ubuntu/+source/python-debian/+bug/1945205/+attachment/5529155/+files/autopktest.log -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-debian in Ubuntu. https://bugs.launchpad.net/bugs/1945205 Title: [FFe] Add zstd support Status in python-debian package in Ubuntu: Confirmed Bug description: [Feature Freeze Exception] Now that dpkg-deb defaults to compressing with zstd, python-debian can no longer decompress the compressed data into the binary package archive [1]. The proposed change, created as an MP at [2], introduces zstd support to python-debian 0.1.39 by adding a dependency to zstd to the package and by extending the python-debian xz support for python < 3.3, where xz was still not supported by tarfile, to also support the zstd compression. It is also important to note that, for python-debian 0.1.40, the relevant (here patched) code was re-worked (python < 3.3 support was dropped) and this proposed patch, along with the relevant proposed unit test, will need to be re-written. This re-writing effort is already an ongoing work proposed upstream in [3]. Once [3] is merged, this patch can be dropped and python-debian can be sync'd from upstream again. If there is a need to merge python-debian before [3] is accepted and released upstream, the next version of python-debian will need to drop the proposed patch and apply [3] instead, for the reasons listed above. While python-debian is not completely broken without this FFe patch, some of its features will not work properly on Ubuntu packages now they are compressed with zstd. For instance, any packages or scripts that try to use python-debian for extracting data from deb packages will no longer work. Namely, dh-cmake FTBFS when trying to decompress a deb package during its unit test run step [4]. A PPA with the proposed fix is available at [5], along with the build logs. I ran the dep8 test suite locally with the following results: autopkgtest [20:04:02]: summary python3-debian PASS I am also attaching the logs for installation, removal and upgrades of the patched package. [1] https://bugs.launchpad.net/ubuntu/+source/python-debian/+bug/1923845 [2] https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/python-debian/+git/python-debian/+merge/407413 [3] https://salsa.debian.org/python-debian-team/python-debian/-/merge_requests/65 [4] https://launchpadlibrarian.net/552708462/buildlog_ubuntu-impish-amd64.dh-cmake_0.6.1_BUILDING.txt.gz [5] https://launchpad.net/~athos-ribeiro/+archive/ubuntu/lp-1923845-python-debian/+packages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-debian/+bug/1945205/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1945205] [NEW] [FFe] Add zstd support
Public bug reported: [Feature Freeze Exception] Now that dpkg-deb defaults to compressing with zstd, python-debian can no longer decompress the compressed data into the binary package archive [1]. The proposed change, created as an MP at [2], introduces zstd support to python-debian 0.1.39 by adding a dependency to zstd to the package and by extending the python-debian xz support for python < 3.3, where xz was still not supported by tarfile, to also support the zstd compression. It is also important to note that, for python-debian 0.1.40, the relevant (here patched) code was re-worked (python < 3.3 support was dropped) and this proposed patch, along with the relevant proposed unit test, will need to be re-written. This re-writing effort is already an ongoing work proposed upstream in [3]. Once [3] is merged, this patch can be dropped and python-debian can be sync'd from upstream again. If there is a need to merge python-debian before [3] is accepted and released upstream, the next version of python-debian will need to drop the proposed patch and apply [3] instead, for the reasons listed above. While python-debian is not completely broken without this FFe patch, some of its features will not work properly on Ubuntu packages now they are compressed with zstd. For instance, any packages or scripts that try to use python-debian for extracting data from deb packages will no longer work. Namely, dh-cmake FTBFS when trying to decompress a deb package during its unit test run step [4]. A PPA with the proposed fix is available at [5], along with the build logs. I ran the dep8 test suite locally with the following results: autopkgtest [20:04:02]: summary python3-debian PASS I am also attaching the logs for installation, removal and upgrades of the patched package. [1] https://bugs.launchpad.net/ubuntu/+source/python-debian/+bug/1923845 [2] https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/python-debian/+git/python-debian/+merge/407413 [3] https://salsa.debian.org/python-debian-team/python-debian/-/merge_requests/65 [4] https://launchpadlibrarian.net/552708462/buildlog_ubuntu-impish-amd64.dh-cmake_0.6.1_BUILDING.txt.gz [5] https://launchpad.net/~athos-ribeiro/+archive/ubuntu/lp-1923845-python-debian/+packages ** Affects: python-debian (Ubuntu) Importance: Undecided Status: New ** Attachment added: "intall, remove, and upgrade logs" https://bugs.launchpad.net/bugs/1945205/+attachment/5528416/+files/python-debian_install_remove_upgrade.txt -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-debian in Ubuntu. https://bugs.launchpad.net/bugs/1945205 Title: [FFe] Add zstd support Status in python-debian package in Ubuntu: New Bug description: [Feature Freeze Exception] Now that dpkg-deb defaults to compressing with zstd, python-debian can no longer decompress the compressed data into the binary package archive [1]. The proposed change, created as an MP at [2], introduces zstd support to python-debian 0.1.39 by adding a dependency to zstd to the package and by extending the python-debian xz support for python < 3.3, where xz was still not supported by tarfile, to also support the zstd compression. It is also important to note that, for python-debian 0.1.40, the relevant (here patched) code was re-worked (python < 3.3 support was dropped) and this proposed patch, along with the relevant proposed unit test, will need to be re-written. This re-writing effort is already an ongoing work proposed upstream in [3]. Once [3] is merged, this patch can be dropped and python-debian can be sync'd from upstream again. If there is a need to merge python-debian before [3] is accepted and released upstream, the next version of python-debian will need to drop the proposed patch and apply [3] instead, for the reasons listed above. While python-debian is not completely broken without this FFe patch, some of its features will not work properly on Ubuntu packages now they are compressed with zstd. For instance, any packages or scripts that try to use python-debian for extracting data from deb packages will no longer work. Namely, dh-cmake FTBFS when trying to decompress a deb package during its unit test run step [4]. A PPA with the proposed fix is available at [5], along with the build logs. I ran the dep8 test suite locally with the following results: autopkgtest [20:04:02]: summary python3-debian PASS I am also attaching the logs for installation, removal and upgrades of the patched package. [1] https://bugs.launchpad.net/ubuntu/+source/python-debian/+bug/1923845 [2] https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/python-debian/+git/python-debian/+merge/407413 [3] https://salsa.debian.org/python-debian-team/python-debian/-/merge_requests/65 [4] https://
[Touch-packages] [Bug 1215287] Re: [wrap-and-sort] Drops commented lines inappropriately.
This was fixed in version 0.1.23 and is available from bionic and on. ** Changed in: python-debian (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python-debian in Ubuntu. https://bugs.launchpad.net/bugs/1215287 Title: [wrap-and-sort] Drops commented lines inappropriately. Status in python-debian package in Ubuntu: Fix Released Status in python-debian package in Debian: Fix Released Bug description: So debian/control supports # comments, much like bash or python does, and comments are good! They help explain things to other maintainers. But wrap-and-sort just discards them like so much garbage. It should probably be fixed to preserve commented lines. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-debian/+bug/1215287/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1938144] Re: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange
Thanks, Niklas! Utkarsh, Paride: Since this seems to be a low priority issue, I am waiting to see if we get a couple more eyes into https://github.com/openssh-gsskex/openssh-gsskex/pull/21 before adding this one in our delta (this could even go into Debian first and then we can start preparing SRUs). Therefore, I am also removing the server-next tag from this one. ** Tags removed: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1938144 Title: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Triaged Status in openssh source package in Focal: Triaged Status in openssh source package in Hirsute: Triaged Bug description: I'm using openssh 1:8.2p1-4ubuntu0.2 on Ubuntu 20.04.2 LTS (client and server) with the option "GSSAPIKeyExchange=yes", and this causes the connection to fail. The server has GSSAPI (Kerberos authentication) enabled, but is is only used for non-root users (root uses SSH keys). Client command: ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex root@server -v -p -o GSSAPIKeyExchange=yes Client log: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /home/user/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to compute-test [130.75.80.46] port . debug1: Connection established. debug1: identity file /home/rother/.ssh/id_rsa type 0 debug1: identity file /home/rother/.ssh/id_rsa-cert type -1 debug1: identity file /home/rother/.ssh/id_dsa type -1 debug1: identity file /home/rother/.ssh/id_dsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa type -1 debug1: identity file /home/rother/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519 type -1 debug1: identity file /home/rother/.ssh/id_ed25519-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_xmss type -1 debug1: identity file /home/rother/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x0400 debug1: Authenticating to server: as 'root' debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: Doing group exchange debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Received GSSAPI_COMPLETE debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Rekey has happened - updating saved versions debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/rother/.ssh/id_rsa RSA SHA256:n/EY/cGjgd/r+7JpuqODxIotHHLsYptGXYx9GlKCWSM agent debug1: Will attempt key: /home/rother/.ssh/root_id_rsa RSA SHA256:yCLAID9FMILharHmDpCB8wW8eiA+iHa4oQKLODbbzKw agent debug1: Will attempt key: /home/user/.ssh/id_dsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/user/.ssh/id_ed25519 debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk debug1: Will attempt key: /home/user/.ssh/id_xmss debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs= debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: Delegating credentials debug1: Delegating credentials debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Authentications that can continue:
[Touch-packages] [Bug 1938144] Re: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange
Hi Niklas, I just pushed the focal patched package to that same PPA. Note that they are only available for x86_64 and i386. Let me know if you need it for any other platforms. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1938144 Title: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Triaged Bug description: I'm using openssh 1:8.2p1-4ubuntu0.2 on Ubuntu 20.04.2 LTS (client and server) with the option "GSSAPIKeyExchange=yes", and this causes the connection to fail. The server has GSSAPI (Kerberos authentication) enabled, but is is only used for non-root users (root uses SSH keys). Client command: ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex root@server -v -p -o GSSAPIKeyExchange=yes Client log: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /home/user/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to compute-test [130.75.80.46] port . debug1: Connection established. debug1: identity file /home/rother/.ssh/id_rsa type 0 debug1: identity file /home/rother/.ssh/id_rsa-cert type -1 debug1: identity file /home/rother/.ssh/id_dsa type -1 debug1: identity file /home/rother/.ssh/id_dsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa type -1 debug1: identity file /home/rother/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519 type -1 debug1: identity file /home/rother/.ssh/id_ed25519-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_xmss type -1 debug1: identity file /home/rother/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x0400 debug1: Authenticating to server: as 'root' debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: Doing group exchange debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Received GSSAPI_COMPLETE debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Rekey has happened - updating saved versions debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/rother/.ssh/id_rsa RSA SHA256:n/EY/cGjgd/r+7JpuqODxIotHHLsYptGXYx9GlKCWSM agent debug1: Will attempt key: /home/rother/.ssh/root_id_rsa RSA SHA256:yCLAID9FMILharHmDpCB8wW8eiA+iHa4oQKLODbbzKw agent debug1: Will attempt key: /home/user/.ssh/id_dsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/user/.ssh/id_ed25519 debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk debug1: Will attempt key: /home/user/.ssh/id_xmss debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs= debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: Delegating credentials debug1: Delegating credentials debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex Connection closed by 1.2.3.4 port Server log: debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: private host key #0: ssh-rsa SHA256:REDACTED debug1: private host key #1: ecdsa-sha2-nistp256
[Touch-packages] [Bug 1938144] Re: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange
Dmitry Belyavskiy proposed a patch for this issue at https://github.com/openssh-gsskex/openssh-gsskex/pull/21. I created a PPA with the proposed fix at https://launchpad.net/~athos- ribeiro/+archive/ubuntu/openssh-gssapi-fix/+packages and I can confirm it does fix the reproducer proposed in this bug. Moreover, running the server with /usr/sbin/sshd -d -p -f /dev/null -o GSSAPIKeyExchange=yes -o GSSAPIAuthentication=yes -o PasswordAuthentication=yes -o PermitRootLogin=yes And logging in as root, will prompt for the root password and get you a proper ssh connection. Finally, I also ran the available openssh dep8 test suite to ensure the patch would not introduce covered regrerssions. autopkgtest [17:57:18]: summary regress PASS Niklas, it would be really nice if you could also test the proposed patch to confirm it does fix the reported issue. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1938144 Title: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Triaged Bug description: I'm using openssh 1:8.2p1-4ubuntu0.2 on Ubuntu 20.04.2 LTS (client and server) with the option "GSSAPIKeyExchange=yes", and this causes the connection to fail. The server has GSSAPI (Kerberos authentication) enabled, but is is only used for non-root users (root uses SSH keys). Client command: ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex root@server -v -p -o GSSAPIKeyExchange=yes Client log: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /home/user/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to compute-test [130.75.80.46] port . debug1: Connection established. debug1: identity file /home/rother/.ssh/id_rsa type 0 debug1: identity file /home/rother/.ssh/id_rsa-cert type -1 debug1: identity file /home/rother/.ssh/id_dsa type -1 debug1: identity file /home/rother/.ssh/id_dsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa type -1 debug1: identity file /home/rother/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519 type -1 debug1: identity file /home/rother/.ssh/id_ed25519-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_xmss type -1 debug1: identity file /home/rother/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x0400 debug1: Authenticating to server: as 'root' debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: Doing group exchange debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Received GSSAPI_COMPLETE debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Rekey has happened - updating saved versions debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/rother/.ssh/id_rsa RSA SHA256:n/EY/cGjgd/r+7JpuqODxIotHHLsYptGXYx9GlKCWSM agent debug1: Will attempt key: /home/rother/.ssh/root_id_rsa RSA SHA256:yCLAID9FMILharHmDpCB8wW8eiA+iHa4oQKLODbbzKw agent debug1: Will attempt key: /home/user/.ssh/id_dsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/user/.ssh/id_ed25519 debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk debug1: Will attempt key: /home/user/.ssh/id_xmss debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-si
[Touch-packages] [Bug 1923845] Re: Please compress packages with zstd by default
dh-cmake currently FTBFS [1]. While investigating the issue, I realized that, now dpkg-deb defaults to compressing with zstd, python-debian can no longer decompress the compressed data into the binary package archive. I am proposing a patch for python-debian in the following MP: https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/python- debian/+git/python-debian/+merge/407413 A PPA with the proposed fix is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/lp-1923845-python- debian/+packages [1] https://launchpadlibrarian.net/552708462/buildlog_ubuntu-impish- amd64.dh-cmake_0.6.1_BUILDING.txt.gz -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to file in Ubuntu. https://bugs.launchpad.net/bugs/1923845 Title: Please compress packages with zstd by default Status in appstream-glib package in Ubuntu: New Status in apt package in Ubuntu: Fix Released Status in aptly package in Ubuntu: New Status in boinc package in Ubuntu: New Status in busybox package in Ubuntu: New Status in cdebootstrap package in Ubuntu: New Status in cdist package in Ubuntu: New Status in debdelta package in Ubuntu: New Status in debian-el package in Ubuntu: New Status in debootstrap package in Ubuntu: Fix Released Status in debsig-verify package in Ubuntu: New Status in debsigs package in Ubuntu: New Status in diffoscope package in Ubuntu: Fix Released Status in dpkg package in Ubuntu: Fix Released Status in dpkg-sig package in Ubuntu: New Status in file package in Ubuntu: New Status in hello package in Ubuntu: Fix Released Status in libsolv package in Ubuntu: New Status in lintian package in Ubuntu: Fix Released Status in lutris package in Ubuntu: New Status in obs-build package in Ubuntu: New Status in osc package in Ubuntu: New Status in python-debian package in Ubuntu: New Status in radare2 package in Ubuntu: New Status in reprepro package in Ubuntu: Fix Released Status in vim-scripts package in Ubuntu: New Status in zeroinstall-injector package in Ubuntu: New Status in reprepro source package in Focal: Fix Released Status in reprepro source package in Groovy: Fix Released Status in reprepro source package in Hirsute: Fix Released Status in debian-el package in Debian: New Bug description: https://people.canonical.com/~rbalint/zstd-debs/ contains a .deb built on Hirsute having both data and control members of the .deb being compressed with zstd. It can be handy for testing various tools. [dpkg] Decompression support in dpkg landed first in Bionic and is being SRUd to Xenial in LP: #1764220 enable Launchpad's Xenial systems to process the zstd-compressed binary packages. From dpkg's perspective the upgrade path is cleared. The original plan was compressing only the internal data.tar .deb member, but dpkg uses uniform compression by default since dpkg 1.19.0 thus I'm collecting all the changes to support control.tar.zst, too, in this bug. Reviewed packages from: https://codesearch.debian.net/search?q=data.tar.xz=1=1 https://codesearch.debian.net/search?q=control.tar.xz=1=1 appstream-glib - needs fix: libappstream-builder/asb-package-deb.c aptly - needs fix: deb/deb.go boinc - needs fix: debian/fetch_example_applications.sh busybox - needs fix: archival/dpkg_deb.c archival/dpkg.c cdebootstrap- needs fix: src/package.c cdist - may need fix, can use dpkg-deb: cdist/preos/debootstrap/files/devuan-debootstrap/functions debdelta- needs fix: debdelta debpatch.sh debian-el - needs fix: deb-view.el debian-handbook - needs fix, maybe later, for Debian debootstrap - needs fix, https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/54 debsigs - needs fix, debsigs debsig-verify - needs fix, src/debsig-verify.c diffoscope - needs fix, diffoscope/comparators/deb.py dpkg- needs fix, change default dpkg-sig- needs fix, dpkg-sig dpmb- needs fix, maybe later, for Debian elfutils- may need fix, uses dpkg-deb if it is available, does not handle .gz either file- needs fix, magic/Magdir/archive libsolv - needs fix, ext/repo_deb.c lintian - needs fix malformed-deb-archive lutris - needs fix, lutris/util/extract.py obs-build - needs fix Build/Deb.pm osc - needs fix osc/util/debquery.py control.tar.zst only python-apt - needs fix apt_inst.DebFile("glibc-doc-reference_2.33-0ubuntu2~zstd1_all.deb").control.extractall() radare2 - needs fix reprepro- needs fix, debfile.c vim-scripts - needs fix debPlugin/autoload/deb.vim winetricks - needs fix when Debian switches src/winetricks zeroinstall-injector - needs fix src/zeroinstall/archive.ml acr - skip, does not _have to_ be f
[Touch-packages] [Bug 1923845] Re: Please compress packages with zstd by default
** Also affects: python-debian (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to file in Ubuntu. https://bugs.launchpad.net/bugs/1923845 Title: Please compress packages with zstd by default Status in appstream-glib package in Ubuntu: New Status in apt package in Ubuntu: Fix Released Status in aptly package in Ubuntu: New Status in boinc package in Ubuntu: New Status in busybox package in Ubuntu: New Status in cdebootstrap package in Ubuntu: New Status in cdist package in Ubuntu: New Status in debdelta package in Ubuntu: New Status in debian-el package in Ubuntu: New Status in debootstrap package in Ubuntu: Fix Released Status in debsig-verify package in Ubuntu: New Status in debsigs package in Ubuntu: New Status in diffoscope package in Ubuntu: Fix Released Status in dpkg package in Ubuntu: Fix Released Status in dpkg-sig package in Ubuntu: New Status in file package in Ubuntu: New Status in hello package in Ubuntu: Fix Released Status in libsolv package in Ubuntu: New Status in lintian package in Ubuntu: Fix Released Status in lutris package in Ubuntu: New Status in obs-build package in Ubuntu: New Status in osc package in Ubuntu: New Status in python-debian package in Ubuntu: New Status in radare2 package in Ubuntu: New Status in reprepro package in Ubuntu: Fix Released Status in vim-scripts package in Ubuntu: New Status in zeroinstall-injector package in Ubuntu: New Status in reprepro source package in Focal: Fix Released Status in reprepro source package in Groovy: Fix Released Status in reprepro source package in Hirsute: Fix Released Status in debian-el package in Debian: New Bug description: https://people.canonical.com/~rbalint/zstd-debs/ contains a .deb built on Hirsute having both data and control members of the .deb being compressed with zstd. It can be handy for testing various tools. [dpkg] Decompression support in dpkg landed first in Bionic and is being SRUd to Xenial in LP: #1764220 enable Launchpad's Xenial systems to process the zstd-compressed binary packages. From dpkg's perspective the upgrade path is cleared. The original plan was compressing only the internal data.tar .deb member, but dpkg uses uniform compression by default since dpkg 1.19.0 thus I'm collecting all the changes to support control.tar.zst, too, in this bug. Reviewed packages from: https://codesearch.debian.net/search?q=data.tar.xz=1=1 https://codesearch.debian.net/search?q=control.tar.xz=1=1 appstream-glib - needs fix: libappstream-builder/asb-package-deb.c aptly - needs fix: deb/deb.go boinc - needs fix: debian/fetch_example_applications.sh busybox - needs fix: archival/dpkg_deb.c archival/dpkg.c cdebootstrap- needs fix: src/package.c cdist - may need fix, can use dpkg-deb: cdist/preos/debootstrap/files/devuan-debootstrap/functions debdelta- needs fix: debdelta debpatch.sh debian-el - needs fix: deb-view.el debian-handbook - needs fix, maybe later, for Debian debootstrap - needs fix, https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/54 debsigs - needs fix, debsigs debsig-verify - needs fix, src/debsig-verify.c diffoscope - needs fix, diffoscope/comparators/deb.py dpkg- needs fix, change default dpkg-sig- needs fix, dpkg-sig dpmb- needs fix, maybe later, for Debian elfutils- may need fix, uses dpkg-deb if it is available, does not handle .gz either file- needs fix, magic/Magdir/archive libsolv - needs fix, ext/repo_deb.c lintian - needs fix malformed-deb-archive lutris - needs fix, lutris/util/extract.py obs-build - needs fix Build/Deb.pm osc - needs fix osc/util/debquery.py control.tar.zst only python-apt - needs fix apt_inst.DebFile("glibc-doc-reference_2.33-0ubuntu2~zstd1_all.deb").control.extractall() radare2 - needs fix reprepro- needs fix, debfile.c vim-scripts - needs fix debPlugin/autoload/deb.vim winetricks - needs fix when Debian switches src/winetricks zeroinstall-injector - needs fix src/zeroinstall/archive.ml acr - skip, does not _have to_ be fixed, just creates packages, see dist/deb_hand.mak alien - skip, uses dpkg-deb to extract .deb ansible - not affected, just test data in dbdata.tar.xz anthy - not affected, just changelog entry apt - seems fixed already ceph- not affected in Ubuntu's version circlator - not affected, just test data cowdancer - not affected, just documentation eccodes - skip, just orig-data.tar.xz eckit - skip, just ...orig-data.tar.xz firefox - skip,
[Touch-packages] [Bug 1938144] Re: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange
** Also affects: openssh via https://github.com/openssh-gsskex/openssh-gsskex/issues/20 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1938144 Title: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Triaged Bug description: I'm using openssh 1:8.2p1-4ubuntu0.2 on Ubuntu 20.04.2 LTS (client and server) with the option "GSSAPIKeyExchange=yes", and this causes the connection to fail. The server has GSSAPI (Kerberos authentication) enabled, but is is only used for non-root users (root uses SSH keys). Client command: ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex root@server -v -p -o GSSAPIKeyExchange=yes Client log: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /home/user/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to compute-test [130.75.80.46] port . debug1: Connection established. debug1: identity file /home/rother/.ssh/id_rsa type 0 debug1: identity file /home/rother/.ssh/id_rsa-cert type -1 debug1: identity file /home/rother/.ssh/id_dsa type -1 debug1: identity file /home/rother/.ssh/id_dsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa type -1 debug1: identity file /home/rother/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519 type -1 debug1: identity file /home/rother/.ssh/id_ed25519-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_xmss type -1 debug1: identity file /home/rother/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x0400 debug1: Authenticating to server: as 'root' debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: Doing group exchange debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Received GSSAPI_COMPLETE debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Rekey has happened - updating saved versions debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/rother/.ssh/id_rsa RSA SHA256:n/EY/cGjgd/r+7JpuqODxIotHHLsYptGXYx9GlKCWSM agent debug1: Will attempt key: /home/rother/.ssh/root_id_rsa RSA SHA256:yCLAID9FMILharHmDpCB8wW8eiA+iHa4oQKLODbbzKw agent debug1: Will attempt key: /home/user/.ssh/id_dsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/user/.ssh/id_ed25519 debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk debug1: Will attempt key: /home/user/.ssh/id_xmss debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs= debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: Delegating credentials debug1: Delegating credentials debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex Connection closed by 1.2.3.4 port Server log: debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: private host key #0: ssh-rsa SHA256:REDACTED debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:REDACTED debug1: private host key #2:
[Touch-packages] [Bug 1938144] Re: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange
The issue is reproducible in the latest published versions of openssh carrying the patches in https://github.com/openssh-gsskex/openssh-gsskex for Ubuntu (impish), Debian (unstable), and Fedora (rawhide). I filed a bug report in https://github.com/openssh-gsskex/openssh- gsskex/issues/20 to make sure the gsskex patch upstream is aware of this issue. ** Bug watch added: github.com/openssh-gsskex/openssh-gsskex/issues #20 https://github.com/openssh-gsskex/openssh-gsskex/issues/20 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1938144 Title: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Triaged Bug description: I'm using openssh 1:8.2p1-4ubuntu0.2 on Ubuntu 20.04.2 LTS (client and server) with the option "GSSAPIKeyExchange=yes", and this causes the connection to fail. The server has GSSAPI (Kerberos authentication) enabled, but is is only used for non-root users (root uses SSH keys). Client command: ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex root@server -v -p -o GSSAPIKeyExchange=yes Client log: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /home/user/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to compute-test [130.75.80.46] port . debug1: Connection established. debug1: identity file /home/rother/.ssh/id_rsa type 0 debug1: identity file /home/rother/.ssh/id_rsa-cert type -1 debug1: identity file /home/rother/.ssh/id_dsa type -1 debug1: identity file /home/rother/.ssh/id_dsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa type -1 debug1: identity file /home/rother/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519 type -1 debug1: identity file /home/rother/.ssh/id_ed25519-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_xmss type -1 debug1: identity file /home/rother/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x0400 debug1: Authenticating to server: as 'root' debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: Doing group exchange debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Received GSSAPI_COMPLETE debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Rekey has happened - updating saved versions debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/rother/.ssh/id_rsa RSA SHA256:n/EY/cGjgd/r+7JpuqODxIotHHLsYptGXYx9GlKCWSM agent debug1: Will attempt key: /home/rother/.ssh/root_id_rsa RSA SHA256:yCLAID9FMILharHmDpCB8wW8eiA+iHa4oQKLODbbzKw agent debug1: Will attempt key: /home/user/.ssh/id_dsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/user/.ssh/id_ed25519 debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk debug1: Will attempt key: /home/user/.ssh/id_xmss debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs= debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: Delegating credentials debug1: Delegating credentials debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Authentications that can continue:
[Touch-packages] [Bug 1938144] Re: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange
Hi Niklas, Thanks for putting in the effort into finding a reproducer for the reported issue. I could indeed reproduce the issue you have been experiencing. I am attaching a couple scripts to aid others to reproduce the bug (this includes a README file with further instructions). Interestingly, if you swap the preferred authentications order to read PreferredAuthentications=gssapi-keyex,gssapi-with-mic The bug will not manifest itself. Next, I will verify if other branches at https://github.com/openssh- gsskex/openssh-gsskex are also affected. If this is the case, we should report the issue there. ** Attachment added: "reproducer.tar.gz" https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1938144/+attachment/5516128/+files/reproducer.tar.gz ** Changed in: openssh (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1938144 Title: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange Status in openssh package in Ubuntu: Triaged Bug description: I'm using openssh 1:8.2p1-4ubuntu0.2 on Ubuntu 20.04.2 LTS (client and server) with the option "GSSAPIKeyExchange=yes", and this causes the connection to fail. The server has GSSAPI (Kerberos authentication) enabled, but is is only used for non-root users (root uses SSH keys). Client command: ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex root@server -v -p -o GSSAPIKeyExchange=yes Client log: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /home/user/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to compute-test [130.75.80.46] port . debug1: Connection established. debug1: identity file /home/rother/.ssh/id_rsa type 0 debug1: identity file /home/rother/.ssh/id_rsa-cert type -1 debug1: identity file /home/rother/.ssh/id_dsa type -1 debug1: identity file /home/rother/.ssh/id_dsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa type -1 debug1: identity file /home/rother/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519 type -1 debug1: identity file /home/rother/.ssh/id_ed25519-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_xmss type -1 debug1: identity file /home/rother/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x0400 debug1: Authenticating to server: as 'root' debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: Doing group exchange debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Received GSSAPI_COMPLETE debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Rekey has happened - updating saved versions debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/rother/.ssh/id_rsa RSA SHA256:n/EY/cGjgd/r+7JpuqODxIotHHLsYptGXYx9GlKCWSM agent debug1: Will attempt key: /home/rother/.ssh/root_id_rsa RSA SHA256:yCLAID9FMILharHmDpCB8wW8eiA+iHa4oQKLODbbzKw agent debug1: Will attempt key: /home/user/.ssh/id_dsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/user/.ssh/id_ed25519 debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk debug1: Will attempt key: /home/user/.ssh/id_xmss debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs= debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue:
[Touch-packages] [Bug 1905285] Re: socket-activated sshd breaks on concurrent connections
I verified the fixes by following the steps in the test plan described above by using the attached script on both focal and hirsute LXC containers. The tests show that the patch successfully fixes the described issue. ** Attachment added: "reproduce.sh" https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1905285/+attachment/5515564/+files/reproduce.sh ** Tags removed: verification-needed verification-needed-focal verification-needed-hirsute ** Tags added: verification-done verification-done-focal verification-done-hirsute -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1905285 Title: socket-activated sshd breaks on concurrent connections Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: Fix Committed Status in openssh source package in Hirsute: Fix Committed Bug description: [Impact] Users of the systemd socket activated ssh service may experience a race condition that may lead an ssh instance to fail. The race condition happens when, for a running socket activated ssh service, an instance A is started, creating the RuntimeDirectory for the service; then an instance B is started, relying on the RuntimeDirectory created for instance A; then instance A halts, causing the RuntimeDirectory to be deleted. If, at this point, instance B has not chrooted into RuntimeDirectory yet, then instance B will fail. The proposed patch fixes the issue by preserving the RuntimeDirectory after an instance A of the socket activated ssh service halts. [Test Plan] 1) Stop any running instances of ssh. `systemctl stop ssh` 2) Start the socket activated ssh service. `systemctl start ssh.socket` 3) Verify that no errors related to ssh were logged in /var/log/auth.log `cat /var/log/auth.log | grep 'sshd.*fatal.*chroot.*No such file or directory'` 4) perform several ssh connections to the running server in a short time span. ssh-keyscan may help here. `ssh-keyscan localhost` 5) Verify that errors related to ssh were logged in /var/log/auth.log `cat /var/log/auth.log | grep 'sshd.*fatal.*chroot.*No such file or directory'` 6) Apply the proposed fix (make sure the socket activated service is restarted) 7) repead step (4), then verify that no new entries were appended to the step (5) output [Where problems could occur] If the changes to the socket activated unit file are wrong, the socket activated service may fail to start after the package upgrade. In this case, we would need to instruct users to perform local changes to the unit file with possible additional fixes while a new version of the patch lands. [racb] There might be cases where users are inadvertently depending on the cleanup that will now be disabled - for example by a bug or misconfiguration that would result in /run filling up otherwise. By disabling systemd cleanup and relying solely on openssh for cleanup, such a bug or misconfiguration may be exposed and cause problems on such systems. [Other Info] This fix has been forwarded to Debian and accepted in https://salsa.debian.org/ssh-team/openssh/-/merge_requests/12 [Original message] This is mostly the same issue as https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=934663. With the default configuration of openssh-server and systemd, sshd will complain and crash when multiple connections are made and terminated in a quick succession, e.g. with `ssh-keyscan`. It results in the following errors in /var/log/auth.log: ``` Nov 22 20:53:34 {host} sshd[14567]: Unable to negotiate with {client} port 41460: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp...@openssh.com [preauth] Nov 22 20:53:34 {host} sshd[14570]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14569]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14568]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14566]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:47 {host} sshd[14584]: Connection closed by {client} port 59312 [preauth] Nov 22 20:53:47 {host} sshd[14586]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:48 {host} sshd[14585]: fatal: chroot("/run/sshd"): No such file or directory [preauth] ``` as well as e.g. missing responses in ssh-keyscan: ``` $ ssh-keyscan -vvv {host} debug2: fd 3 setting O_NONBLOCK debug3: conalloc: oname {host} kt 2 debug2: fd 4 setting O_NONBLOCK debug3: conalloc: oname {host} kt 4 debug2: fd 5 setting O_NONBLOCK debug3: conalloc: oname {host} kt 8 debug2: fd 6 setting O_NONBLOCK debug3: conalloc: oname {host} kt 32 debug2: fd 7 setting O_NONBLOCK debug3:
[Touch-packages] [Bug 1938144] Re: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange
Hello Niklas, Thank you for taking the time to file a bug report. While the symptoms experienced here seem similar to the ones reported in https://bugzilla.redhat.com/show_bug.cgi?id=1162620, the patch that fixed the latter is present in the version of the package for which you reported the issue. Therefore, would you mind providing additional information, such as configuration files? More importantly, we would be interested in a reproducer for the issue. Can you reproduce it without using ansible? Since there is not enough information in your report to begin triage or to differentiate between a local configuration problem and a bug in Ubuntu, I am marking this bug as "Incomplete". We would be grateful if you would: provide a more complete description of the problem, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New". For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/communit ** Bug watch added: Red Hat Bugzilla #1162620 https://bugzilla.redhat.com/show_bug.cgi?id=1162620 ** Changed in: openssh (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1938144 Title: monitor_read: unpermitted request 48 on server while attempting GSSAPI key exchange Status in openssh package in Ubuntu: Incomplete Bug description: I'm using openssh 1:8.2p1-4ubuntu0.2 on Ubuntu 20.04.2 LTS (client and server) with the option "GSSAPIKeyExchange=yes", and this causes the connection to fail. The server has GSSAPI (Kerberos authentication) enabled, but is is only used for non-root users (root uses SSH keys). Client command: ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex root@server -v -p -o GSSAPIKeyExchange=yes Client log: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /home/user/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to compute-test [130.75.80.46] port . debug1: Connection established. debug1: identity file /home/rother/.ssh/id_rsa type 0 debug1: identity file /home/rother/.ssh/id_rsa-cert type -1 debug1: identity file /home/rother/.ssh/id_dsa type -1 debug1: identity file /home/rother/.ssh/id_dsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa type -1 debug1: identity file /home/rother/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/rother/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519 type -1 debug1: identity file /home/rother/.ssh/id_ed25519-cert type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk type -1 debug1: identity file /home/rother/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/rother/.ssh/id_xmss type -1 debug1: identity file /home/rother/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x0400 debug1: Authenticating to server: as 'root' debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: compression: none debug1: Doing group exchange debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Received GSSAPI_COMPLETE debug1: Calling gss_init_sec_context debug1: Delegating credentials debug1: Rekey has happened - updating saved versions debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/rother/.ssh/id_rsa RSA SHA256:n/EY/cGjgd/r+7JpuqODxIotHHLsYptGXYx9GlKCWSM agent debug1: Will attempt key: /home/rother/.ssh/root_id_rsa RSA SHA256:yCLAID9FMILharHmDpCB8wW8eiA+iHa4oQKLODbbzKw agent debug1: Will attempt key: /home/user/.ssh/id_dsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk
[Touch-packages] [Bug 1905285] Re: socket-activated sshd breaks on concurrent connections
Thanks, Robie! I proposed a patch for hirsute which was already uploaded. ** Changed in: openssh (Ubuntu Hirsute) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1905285 Title: socket-activated sshd breaks on concurrent connections Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: In Progress Status in openssh source package in Hirsute: In Progress Bug description: [Impact] Users of the systemd socket activated ssh service may experience a race condition that may lead an ssh instance to fail. The race condition happens when, for a running socket activated ssh service, an instance A is started, creating the RuntimeDirectory for the service; then an instance B is started, relying on the RuntimeDirectory created for instance A; then instance A halts, causing the RuntimeDirectory to be deleted. If, at this point, instance B has not chrooted into RuntimeDirectory yet, then instance B will fail. The proposed patch fixes the issue by preserving the RuntimeDirectory after an instance A of the socket activated ssh service halts. [Test Plan] 1) Stop any running instances of ssh. `systemctl stop ssh` 2) Start the socket activated ssh service. `systemctl start ssh.socket` 3) Verify that no errors related to ssh were logged in /var/log/auth.log `cat /var/log/auth.log | grep 'sshd.*fatal.*chroot.*No such file or directory'` 4) perform several ssh connections to the running server in a short time span. ssh-keyscan may help here. `ssh-keyscan localhost` 5) Verify that errors related to ssh were logged in /var/log/auth.log `cat /var/log/auth.log | grep 'sshd.*fatal.*chroot.*No such file or directory'` 6) Apply the proposed fix (make sure the socket activated service is restarted) 7) repead step (4), then verify that no new entries were appended to the step (5) output [Where problems could occur] If the changes to the socket activated unit file are wrong, the socket activated service may fail to start after the package upgrade. In this case, we would need to instruct users to perform local changes to the unit file with possible additional fixes while a new version of the patch lands. [racb] There might be cases where users are inadvertently depending on the cleanup that will now be disabled - for example by a bug or misconfiguration that would result in /run filling up otherwise. By disabling systemd cleanup and relying solely on openssh for cleanup, such a bug or misconfiguration may be exposed and cause problems on such systems. [Other Info] This fix has been forwarded to Debian and accepted in https://salsa.debian.org/ssh-team/openssh/-/merge_requests/12 [Original message] This is mostly the same issue as https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=934663. With the default configuration of openssh-server and systemd, sshd will complain and crash when multiple connections are made and terminated in a quick succession, e.g. with `ssh-keyscan`. It results in the following errors in /var/log/auth.log: ``` Nov 22 20:53:34 {host} sshd[14567]: Unable to negotiate with {client} port 41460: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp...@openssh.com [preauth] Nov 22 20:53:34 {host} sshd[14570]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14569]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14568]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14566]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:47 {host} sshd[14584]: Connection closed by {client} port 59312 [preauth] Nov 22 20:53:47 {host} sshd[14586]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:48 {host} sshd[14585]: fatal: chroot("/run/sshd"): No such file or directory [preauth] ``` as well as e.g. missing responses in ssh-keyscan: ``` $ ssh-keyscan -vvv {host} debug2: fd 3 setting O_NONBLOCK debug3: conalloc: oname {host} kt 2 debug2: fd 4 setting O_NONBLOCK debug3: conalloc: oname {host} kt 4 debug2: fd 5 setting O_NONBLOCK debug3: conalloc: oname {host} kt 8 debug2: fd 6 setting O_NONBLOCK debug3: conalloc: oname {host} kt 32 debug2: fd 7 setting O_NONBLOCK debug3: conalloc: oname {host} kt 64 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x0400 # {host}:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms:
[Touch-packages] [Bug 1905285] Re: socket-activated sshd breaks on concurrent connections
** Also affects: openssh (Ubuntu Hirsute) Importance: Undecided Status: New ** Changed in: openssh (Ubuntu Hirsute) Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1905285 Title: socket-activated sshd breaks on concurrent connections Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: In Progress Status in openssh source package in Hirsute: New Bug description: [Impact] Users of the systemd socket activated ssh service may experience a race condition that may lead an ssh instance to fail. The race condition happens when, for a running socket activated ssh service, an instance A is started, creating the RuntimeDirectory for the service; then an instance B is started, relying on the RuntimeDirectory created for instance A; then instance A halts, causing the RuntimeDirectory to be deleted. If, at this point, instance B has not chrooted into RuntimeDirectory yet, then instance B will fail. The proposed patch fixes the issue by preserving the RuntimeDirectory after an instance A of the socket activated ssh service halts. [Test Plan] 1) Stop any running instances of ssh. `systemctl stop ssh` 2) Start the socket activated ssh service. `systemctl start ssh.socket` 3) Verify that no errors related to ssh were logged in /var/log/auth.log `cat /var/log/auth.log | grep 'sshd.*fatal.*chroot.*No such file or directory'` 4) perform several ssh connections to the running server in a short time span. ssh-keyscan may help here. `ssh-keyscan localhost` 5) Verify that errors related to ssh were logged in /var/log/auth.log `cat /var/log/auth.log | grep 'sshd.*fatal.*chroot.*No such file or directory'` 6) Apply the proposed fix (make sure the socket activated service is restarted) 7) repead step (4), then verify that no new entries were appended to the step (5) output [Where problems could occur] If the changes to the socket activated unit file are wrong, the socket activated service may fail to start after the package upgrade. In this case, we would need to instruct users to perform local changes to the unit file with possible additional fixes while a new version of the patch lands. [racb] There might be cases where users are inadvertently depending on the cleanup that will now be disabled - for example by a bug or misconfiguration that would result in /run filling up otherwise. By disabling systemd cleanup and relying solely on openssh for cleanup, such a bug or misconfiguration may be exposed and cause problems on such systems. [Other Info] This fix has been forwarded to Debian and accepted in https://salsa.debian.org/ssh-team/openssh/-/merge_requests/12 [Original message] This is mostly the same issue as https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=934663. With the default configuration of openssh-server and systemd, sshd will complain and crash when multiple connections are made and terminated in a quick succession, e.g. with `ssh-keyscan`. It results in the following errors in /var/log/auth.log: ``` Nov 22 20:53:34 {host} sshd[14567]: Unable to negotiate with {client} port 41460: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp...@openssh.com [preauth] Nov 22 20:53:34 {host} sshd[14570]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14569]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14568]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14566]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:47 {host} sshd[14584]: Connection closed by {client} port 59312 [preauth] Nov 22 20:53:47 {host} sshd[14586]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:48 {host} sshd[14585]: fatal: chroot("/run/sshd"): No such file or directory [preauth] ``` as well as e.g. missing responses in ssh-keyscan: ``` $ ssh-keyscan -vvv {host} debug2: fd 3 setting O_NONBLOCK debug3: conalloc: oname {host} kt 2 debug2: fd 4 setting O_NONBLOCK debug3: conalloc: oname {host} kt 4 debug2: fd 5 setting O_NONBLOCK debug3: conalloc: oname {host} kt 8 debug2: fd 6 setting O_NONBLOCK debug3: conalloc: oname {host} kt 32 debug2: fd 7 setting O_NONBLOCK debug3: conalloc: oname {host} kt 64 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x0400 # {host}:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received
[Touch-packages] [Bug 1905285] Re: socket-activated sshd breaks on concurrent connections
** Changed in: openssh (Ubuntu Focal) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1905285 Title: socket-activated sshd breaks on concurrent connections Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: In Progress Bug description: [Impact] Users of the systemd socket activated ssh service may experience a race condition that may lead an ssh instance to fail. The race condition happens when, for a running socket activated ssh service, an instance A is started, creating the RuntimeDirectory for the service; then an instance B is started, relying on the RuntimeDirectory created for instance A; then instance A halts, causing the RuntimeDirectory to be deleted. If, at this point, instance B has not chrooted into RuntimeDirectory yet, then instance B will fail. The proposed patch fixes the issue by preserving the RuntimeDirectory after an instance A of the socket activated ssh service halts. [Test Plan] 1) Stop any running instances of ssh. `systemctl stop ssh` 2) Start the socket activated ssh service. `systemctl start ssh.socket` 3) Verify that no errors related to ssh were logged in /var/log/auth.log `cat /var/log/auth.log | grep 'sshd.*fatal.*chroot.*No such file or directory'` 4) perform several ssh connections to the running server in a short time span. ssh-keyscan may help here. `ssh-keyscan localhost` 5) Verify that errors related to ssh were logged in /var/log/auth.log `cat /var/log/auth.log | grep 'sshd.*fatal.*chroot.*No such file or directory'` 6) Apply the proposed fix (make sure the socket activated service is restarted) 7) repead step (4), then verify that no new entries were appended to the step (5) output [Where problems could occur] If the changes to the socket activated unit file are wrong, the socket activated service may fail to start after the package upgrade. In this case, we would need to instruct users to perform local changes to the unit file with possible additional fixes while a new version of the patch lands. [Other Info] This fix has been forwarded to Debian and accepted in https://salsa.debian.org/ssh-team/openssh/-/merge_requests/12 [Original message] This is mostly the same issue as https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=934663. With the default configuration of openssh-server and systemd, sshd will complain and crash when multiple connections are made and terminated in a quick succession, e.g. with `ssh-keyscan`. It results in the following errors in /var/log/auth.log: ``` Nov 22 20:53:34 {host} sshd[14567]: Unable to negotiate with {client} port 41460: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp...@openssh.com [preauth] Nov 22 20:53:34 {host} sshd[14570]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14569]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14568]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:34 {host} sshd[14566]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:47 {host} sshd[14584]: Connection closed by {client} port 59312 [preauth] Nov 22 20:53:47 {host} sshd[14586]: fatal: chroot("/run/sshd"): No such file or directory [preauth] Nov 22 20:53:48 {host} sshd[14585]: fatal: chroot("/run/sshd"): No such file or directory [preauth] ``` as well as e.g. missing responses in ssh-keyscan: ``` $ ssh-keyscan -vvv {host} debug2: fd 3 setting O_NONBLOCK debug3: conalloc: oname {host} kt 2 debug2: fd 4 setting O_NONBLOCK debug3: conalloc: oname {host} kt 4 debug2: fd 5 setting O_NONBLOCK debug3: conalloc: oname {host} kt 8 debug2: fd 6 setting O_NONBLOCK debug3: conalloc: oname {host} kt 32 debug2: fd 7 setting O_NONBLOCK debug3: conalloc: oname {host} kt 64 debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x0400 # {host}:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 debug2: host key algorithms: sk-ecdsa-sha2-nistp...@openssh.com debug2: ciphers ctos: chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com debug2: ciphers stoc:
[Touch-packages] [Bug 1905285] Re: socket-activated sshd breaks on concurrent connections
h.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,z...@openssh.com debug2: compression stoc: none,z...@openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com debug2: ciphers stoc: chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com debug2: MACs ctos: umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,z...@openssh.com debug2: compression stoc: none,z...@openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: (no match) debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x0400 # {host}:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x0400 # {host}:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x0400 # {host}:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x0400 # {host}:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent ``` The error is most likely caused by a race condition on removing /run/sshd, which is easily reproducible by ssh-keyscan. I noticed that depeding on client, I'd sometimes miss all keys, sometimes get one, sometimes more. Modifying the following files (they should me marked as modified in the bug report) seems to solve the issue, at least temporarily: /usr/lib/systemd/system/ssh.service /usr/lib/systemd/system/ssh@.service In both cases, I added `RuntimeDirectoryPreserve=yes` to the `[Service]` section, after `RuntimeDirectory=sshd`. This is the same solution mentioned in the Debian bug, although their bug report doesn't mention which service files are affected. This doesn't seem to be a proper long-term solution though, as it seems apt doesn't respect configuration files in /usr (or they are unlisted somewhere), because after upgrading system just before filing this bug report, the files got overwritten and reverted to their original form. I only got asked about the /etc/ssh/sshd_config, which I have chosen to keep. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.2p1-4ubuntu0.1 [modified: lib/systemd/system/ssh.service lib/systemd/system/ssh@.service] ProcVersionSignature: Ubuntu 5.4.0-54.60-generic 5.4.65 Uname: Linux 5.4.0-54-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.12 Architecture: amd64 CasperMD5CheckResult: skip Date: Mon Nov 23 15:09:32 2020 SourcePackage: openssh UpgradeStatus: No upgrade log present (probably fresh install) ** Also affects: openssh (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: openssh (Ubuntu Focal) Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1905285 Title: socket-activated sshd breaks on concurrent connections Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: New Bug description: [Impact] Users of the systemd socket activated ssh service may experience a race condition that may lead an ssh instance to fail. The race condition happens when, for a running socket activated ssh service, an instance A is started, creat
[Touch-packages] [Bug 1898593] Re: Fix sphinx doc building
The lintian fixes are not fixed. We'd need to add a dependency on that JS lib. Should we split the bug or just reopen it? About the sphinx documentation, pre-built manpages are still being shipped, so I am not really sure if this would be a good candidate for an SRU. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1898593 Title: Fix sphinx doc building Status in cyrus-sasl2 package in Ubuntu: Fix Released Bug description: This basically the same bug as #1894907, but there I decided to disable docs rebuilding, after checking that none of the patches were against the docs source. Furthermore, we should probably fix these lintian issues: E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/developer.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/download.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/genindex.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/getsasl.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/index.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/operations.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/packager.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/search.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/setup.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/support.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2 source: source-is-missing doc/html/_static/jquery.js line length is 32014 characters (>512) E: cyrus-sasl2 source: source-is-missing doc/html/_static/js/modernizr.min.js E: cyrus-sasl2 source: source-is-missing doc/html/_static/underscore.js line length is 519 characters (>512) E: cyrus-sasl2 source: source-is-missing docsrc/exts/themes/cyrus/static/js/modernizr.min.js E: cyrus-sasl2 source: source-is-missing docsrc/exts/themes/sphinx_rtd_theme/static/js/modernizr.min.js To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1898593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1898593] Re: Fix sphinx doc building
A fix was released in the latest impish sync (2.1.27+dfsg-2.1), where the sphinx builds were re-enabled. ** Also affects: cyrus-sasl2 (Ubuntu Impish) Importance: Medium Status: Triaged ** Also affects: cyrus-sasl2 (Ubuntu Hirsute) Importance: Undecided Status: New ** Also affects: cyrus-sasl2 (Ubuntu Groovy) Importance: Undecided Status: New ** Changed in: cyrus-sasl2 (Ubuntu Impish) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1898593 Title: Fix sphinx doc building Status in cyrus-sasl2 package in Ubuntu: Fix Released Status in cyrus-sasl2 source package in Groovy: New Status in cyrus-sasl2 source package in Hirsute: New Status in cyrus-sasl2 source package in Impish: Fix Released Bug description: This basically the same bug as #1894907, but there I decided to disable docs rebuilding, after checking that none of the patches were against the docs source. Furthermore, we should probably fix these lintian issues: E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/developer.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/download.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/genindex.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/getsasl.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/index.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/operations.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/packager.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/search.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/setup.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2-doc: privacy-breach-uses-embedded-file usr/share/doc/cyrus-sasl2-doc/support.html You may use the libjs-mathjax package. (https://cdn.mathjax.org/mathjax/latest/mathjax.js) E: cyrus-sasl2 source: source-is-missing doc/html/_static/jquery.js line length is 32014 characters (>512) E: cyrus-sasl2 source: source-is-missing doc/html/_static/js/modernizr.min.js E: cyrus-sasl2 source: source-is-missing doc/html/_static/underscore.js line length is 519 characters (>512) E: cyrus-sasl2 source: source-is-missing docsrc/exts/themes/cyrus/static/js/modernizr.min.js E: cyrus-sasl2 source: source-is-missing docsrc/exts/themes/sphinx_rtd_theme/static/js/modernizr.min.js To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1898593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1913810] Re: restart doesn't test for syntax errors
Ideally, this should be supported by systemd somehow. There is this (old) discussion upstream, which is relevant here: https://github.com/systemd/systemd/issues/2175 If we introduced the desired behavior by including an ExecStop script to the systemd unit configuration file, we would introduce a regression since stopping the service for erroneous configuration files would not be allowed (this was not the behavior for sysV). ** Bug watch added: github.com/systemd/systemd/issues #2175 https://github.com/systemd/systemd/issues/2175 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1913810 Title: restart doesn't test for syntax errors Status in openssh package in Ubuntu: Confirmed Bug description: Tested openssh on bionic and groovy, same issue. The switch to systemd lost the ability to do a sanity check on the config file (via sshd -t) before attempting to restart sshd. This was originally bug #624361 in the SySV days, fixed in the initscript back then. The sysv script still does it, but it's not used anymore: restart) check_privsep_dir check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true And: check_config() { if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then /usr/sbin/sshd $SSHD_OPTS -t || exit 1 fi } The systemd service file has only ExecStartPre, which doesn't let it start if there is an error, but will happily stop it: [Unit] Description=OpenBSD Secure Shell server After=network.target auditd.service ConditionPathExists=!/etc/ssh/sshd_not_to_be_run [Service] EnvironmentFile=-/etc/default/ssh ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID ... Example: # sshd -t # systemctl restart sshd # telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 ^] telnet> quit Connection closed. # echo "syntax error" >> /etc/ssh/sshd_config # sshd -t /etc/ssh/sshd_config: line 123: Bad configuration option: syntax /etc/ssh/sshd_config: terminating, 1 bad configuration options # systemctl restart sshd Job for ssh.service failed because the control process exited with error code. See "systemctl status ssh.service" and "journalctl -xe" for details. # telnet localhost 22 Trying 127.0.0.1... telnet: Unable to connect to remote host: Connection refused # To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1913810/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp