[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-17 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:8.9p1-3ubuntu0.7

---
openssh (1:8.9p1-3ubuntu0.7) jammy; urgency=medium

  * d/p/gssapi.patch: fix method_gsskeyex structure and
userauth_gsskeyex function regarding changes introduced in upstream
commit dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for
multiple names for authmethods") (LP: #2053146)
  * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
and gssapi-keyex authentication methods

 -- Andreas Hasenack   Fri, 15 Mar 2024 17:28:22 -0300

** Changed in: openssh (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2053146

Title:
  openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is
  slightly wrong

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2053146/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-17 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:9.3p1-1ubuntu3.3

---
openssh (1:9.3p1-1ubuntu3.3) mantic; urgency=medium

  * d/p/gssapi.patch: fix method_gsskeyex structure and
userauth_gsskeyex function regarding changes introduced in upstream
commit dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for
multiple names for authmethods") (LP: #2053146)
  * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
and gssapi-keyex authentication methods

 -- Andreas Hasenack   Fri, 15 Mar 2024 17:25:30 -0300

** Changed in: openssh (Ubuntu Mantic)
   Status: Fix Committed => Fix Released


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-17 Thread Robie Basak
It's not clear to me if a simple "ssh -Snone localhost" is covered by
the autopkgtests, so I did that manually, testing without -proposed
first, and ensuring to run "sudo systemctl restart ssh" after upgrading
to -proposed to ensure that I'm definitely hitting the daemon from
-proposed.

Success on: 1:8.9p1-3ubuntu0.7 on Jammy and 1:9.3p1-1ubuntu3.3 on
Mantic.

My commands were:

lxc launch ubuntu:jammy foo
lxc exec foo bash
login -f ubuntu
ssh-keygen  # and set no passphrase
cd .ssh
cat id_rsa.pub >> authorized_keys
ssh -Snone localhost
exit
sudo add-apt-repository -p proposed
apt install -t jammy-proposed openssh-server
sudo systemctl restart ssh
ssh -Snone localhost
exit
apt policy openssh-server

(and the equivalent for Mantic)


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-08 Thread Andreas Hasenack
Mantic verification

In all architectures, except i386, the new test passed.

Here is a log from the amd64 run[1]:

4333s autopkgtest [16:47:27]: test ssh-gssapi: [---
4333s ## Setting up test environment
4333s ## Creating Kerberos realm EXAMPLE.FAKE
4333s Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.FAKE',
4333s master key name 'K/m...@example.fake'
4333s ## Creating principals
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Principal "testuser1...@example.fake" created.
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Principal "host/sshd-gssapi.example.f...@example.fake" created.
4333s ## Extracting service principal host/sshd-gssapi.example.fake
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
4333s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
4333s ## Adjusting /etc/krb5.conf
4333s ## TESTS
4333s 
4333s ## TEST test_gssapi_login
4333s ## Configuring sshd for gssapi-with-mic authentication
4333s ## Restarting ssh
4333s ## Obtaining TGT
4333s Password for testuser1...@example.fake: 
4333s Ticket cache: FILE:/tmp/krb5cc_0
4333s Default principal: testuser1...@example.fake
4333s 
4333s Valid starting       Expires              Service principal
4333s 04/05/24 16:47:27  04/06/24 02:47:27  krbtgt/example.f...@example.fake
4333s   renew until 04/06/24 16:47:27
4333s 
4333s ## ssh'ing into localhost using gssapi-with-mic auth
4333s Warning: Permanently added 'sshd-gssapi.example.fake' (ED25519) to the list of known hosts.
4334s Fri Apr  5 16:47:27 UTC 2024
4334s 
4334s ## checking that we got a service ticket for ssh (host/)
4334s 04/05/24 16:47:27  04/06/24 02:47:27  host/sshd-gssapi.example.fake@
4334s   Ticket server: host/sshd-gssapi.example.f...@example.fake
4334s 
4334s ## Checking ssh logs to confirm gssapi-with-mic auth was used
4334s Apr 05 16:47:27 sshd-gssapi.example.fake sshd[1688]: Accepted gssapi-with-mic for testuser1620 from 127.0.0.1 port 44922 ssh2: testuser1...@example.fake
4334s ## PASS test_gssapi_login
4334s 
4334s ## TEST test_gssapi_keyex_login
4334s ## Configuring sshd for gssapi-keyex authentication
4334s ## Restarting ssh
4334s ## Obtaining TGT
4334s Password for testuser1...@example.fake: 
4334s Ticket cache: FILE:/tmp/krb5cc_0
4334s Default principal: testuser1...@example.fake
4334s 
4334s Valid starting       Expires              Service principal
4334s 04/05/24 16:47:28  04/06/24 02:47:28  krbtgt/example.f...@example.fake
4334s   renew until 04/06/24 16:47:28
4334s 
4334s ## ssh'ing into localhost using gssapi-keyex auth
4334s Fri Apr  5 16:47:28 UTC 2024
4334s 
4334s ## checking that we got a service ticket for ssh (host/)
4334s 04/05/24 16:47:28  04/06/24 02:47:28  host/sshd-gssapi.example.fake@
4334s   Ticket server: host/sshd-gssapi.example.f...@example.fake
4334s 
4334s ## Checking ssh logs to confirm gssapi-keyex auth was used
4334s Apr 05 16:47:28 sshd-gssapi.example.fake sshd[1758]: Accepted gssapi-keyex for testuser1620 from 127.0.0.1 port 44930 ssh2: testuser1...@example.fake
4334s ## PASS test_gssapi_keyex_login
4334s 
4334s ## ALL TESTS PASSED
4334s ## Cleaning up
4334s autopkgtest [16:47:28]: test ssh-gssapi: ---]
4335s ssh-gssapi   PASS
4335s autopkgtest [16:47:29]: test ssh-gssapi:  - - - - - - - - - - results - - - - - - - - - -
4335s autopkgtest [16:47:29]:  summary
4335s regress  PASS
4335s systemd-socket-activation PASS
4335s ssh-gssapi   PASS


Mantic verification succeeded.


1. https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/o/openssh/20240405_164750_3a52b@/log.gz

** Tags removed: verification-needed-mantic
** Tags added: verification-done-mantic


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-08 Thread Andreas Hasenack
Jammy verification

In all architectures (except i386, which is a known failure everywhere)
the new ssh-gssapi test passed.

Here is the run on amd64[1]:
3438s autopkgtest [16:33:21]: test ssh-gssapi: [---
3438s ## Setting up test environment
3438s ## Creating Kerberos realm EXAMPLE.FAKE
3438s Loading random data
3438s Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.FAKE',
3438s master key name 'K/m...@example.fake'
3438s ## Creating principals
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Principal "testuser1...@example.fake" created.
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Principal "host/sshd-gssapi.example.f...@example.fake" created.
3438s ## Extracting service principal host/sshd-gssapi.example.fake
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
3438s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
3438s ## Adjusting /etc/krb5.conf
3438s ## TESTS
3438s 
3438s ## TEST test_gssapi_login
3438s ## Configuring sshd for gssapi-with-mic authentication
3438s ## Restarting ssh
3438s ## Obtaining TGT
3438s Password for testuser1...@example.fake: 
3438s Ticket cache: FILE:/tmp/krb5cc_0
3438s Default principal: testuser1...@example.fake
3438s 
3438s Valid starting       Expires              Service principal
3438s 04/05/24 16:33:20  04/06/24 02:33:20  krbtgt/example.f...@example.fake
3438s   renew until 04/06/24 16:33:20
3438s 
3438s ## ssh'ing into localhost using gssapi-with-mic auth
3438s Warning: Permanently added 'sshd-gssapi.example.fake' (ED25519) to the list of known hosts.
3439s Fri Apr  5 16:33:21 UTC 2024
3439s 
3439s ## checking that we got a service ticket for ssh (host/)
3439s 04/05/24 16:33:21  04/06/24 02:33:20  host/sshd-gssapi.example.fake@
3439s   Ticket server: host/sshd-gssapi.example.f...@example.fake
3439s 
3439s ## Checking ssh logs to confirm gssapi-with-mic auth was used
3439s Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1518]: Accepted gssapi-with-mic for testuser1457 from 127.0.0.1 port 50668 ssh2: testuser1...@example.fake
3439s ## PASS test_gssapi_login
3439s 
3439s ## TEST test_gssapi_keyex_login
3439s ## Configuring sshd for gssapi-keyex authentication
3439s ## Restarting ssh
3439s ## Obtaining TGT
3439s Password for testuser1...@example.fake: 
3439s Ticket cache: FILE:/tmp/krb5cc_0
3439s Default principal: testuser1...@example.fake
3439s 
3439s Valid starting       Expires              Service principal
3439s 04/05/24 16:33:21  04/06/24 02:33:21  krbtgt/example.f...@example.fake
3439s   renew until 04/06/24 16:33:21
3439s 
3439s ## ssh'ing into localhost using gssapi-keyex auth
3439s Fri Apr  5 16:33:21 UTC 2024
3439s 
3439s ## checking that we got a service ticket for ssh (host/)
3439s 04/05/24 16:33:21  04/06/24 02:33:21  host/sshd-gssapi.example.fake@
3439s   Ticket server: host/sshd-gssapi.example.f...@example.fake
3439s 
3439s ## Checking ssh logs to confirm gssapi-keyex auth was used
3439s Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1558]: Accepted gssapi-keyex for testuser1457 from 127.0.0.1 port 50670 ssh2: testuser1...@example.fake
3439s ## PASS test_gssapi_keyex_login
3439s 
3439s ## ALL TESTS PASSED
3439s ## Cleaning up
3439s autopkgtest [16:33:22]: test ssh-gssapi: ---]
3439s autopkgtest [16:33:22]: test ssh-gssapi:  - - - - - - - - - - results - - - - - - - - - -
3439s ssh-gssapi   PASS
3440s autopkgtest [16:33:23]:  summary
3440s regress  PASS
3440s ssh-gssapi   PASS


Jammy verification succeeded.


1. https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/o/openssh/20240405_163345_c46fa@/log.gz

** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-08 Thread Andreas Hasenack
** Description changed:

  [ Impact ]
  
  The gssapi-keyex authentication mechanism has been inadvertently broken
  in openssh. It comes from a distro patch[1], and while the patch still
  applied, it was no longer correct.
  
  Without the fix, sshd will fail to start if gssapi-keyex is listed in
  the AuthenticationMethods of the server, and if not, sshd will still
  start, but gssapi-keyex will not be available.
  
- 
  [ Test Plan ]
  
  This update adds a new autopkgtest to the package, which tests both
  gssapi-with-mic ("normal" gssapi, which is not affected by this bug),
  and gssapi-keyex, which, before this update, does not work.
  
  The test plan is to run the new ssh-gssapi autopkgtest and verify it
  succeeds.
- 
  
  [ Where problems could occur ]
  
  ssh is a critical piece of infrastructure, and problems with it could
  have catastrophic consequences. The service itself has a test command
  before it starts up to verify the syntax of the config file, but that
  test is not applied on shutdown, so a restart with an invalid config
  file could still leave sshd dead.
  
  The patch adds a change to an authentication structure, but that change
  is already present in the upstream code, and we are just updating it in
  the new gssapi-keyex code (introduced by the distro[1] patch, already
  present). Therefore, mistakes here should manifest themselves just in
  the gssapi-keyex code, which wasn't working anyway. Effectively, though,
  we are enabling a new authentication mechanism in sshd, one that was not
  supposed to have been removed, but was broken by mistake.
  
- 
  [ Other Info ]
  
  The fact no-one noticed this problem for more than two years could be
  telling that there are not many users of this authentication mechanism
  out there. The same applies to debian: it has also been broken for a
  while there. Maybe we should drop it for future ubuntu releases, since
  upstream refuses to take it in.
+ 
+ 
+ 1. https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/gssapi.patch
+ 
  
  [ Original Description ]
  
  The Authmethod struct now has 4 entries but the initialization of the
  method_gsskeyex in the debian/patches/gssapi.patch only has 3 entries.
  
  The struct was changed in upstream commit 
dbb339f015c33d63484261d140c84ad875a9e548 as
  ===
  @@ -104,7 +104,8 @@ struct Authctxt {
  
   struct Authmethod {
  char*name;
  -   int (*userauth)(struct ssh *);
  +   char*synonym;
  +   int (*userauth)(struct ssh *, const char *);
  int *enabled;
   };
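Review bot: this hunk changes two things that any out-of-tree Authmethod definition must follow, not one: a `char *synonym` field is inserted before `userauth`, and `userauth` gains a `const char *` argument. An initializer written against the old three-field layout still compiles, as this report shows (the symptom is a disabled method, not a build failure), but every value after `name` moves one slot and the trailing `enabled` is left NULL, so sshd no longer offers the method. The distro gssapi.patch's method_gsskeyex and its userauth_gsskeyex handler therefore both need updating, which is what the 1:8.9p1-3ubuntu0.7 changelog entry describes.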
  
  ===
  
  The incorrect code does
  ===
  +Authmethod method_gsskeyex = {
  +   "gssapi-keyex",
  +   userauth_gsskeyex,
  +   _authentication
  +};
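Review bot: three positional initializers for what is now a four-field struct. Against the layout in the hunk above, `userauth_gsskeyex` is stored in `synonym`, the enable-flag pointer is stored in `userauth`, and `enabled` is zero-filled to NULL, which is why sshd treats gssapi-keyex as disabled and, per the Impact section, rejects an AuthenticationMethods list that names it. Inserting the missing NULL as suggested restores the layout, but designated initializers (`.name = "gssapi-keyex", .synonym = NULL, .userauth = userauth_gsskeyex,` followed by the existing pointer as `.enabled`) bind each value to a named field, so the next upstream field insertion cannot shift them again. `userauth_gsskeyex` itself also needs the new `(struct ssh *, const char *)` signature, as the changelog entry for this fix notes.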
  ===
  but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
  
  This is now (change from Focal) causing gssapi-keyex to be disabled.
  
  ===
  lsb_release -rd
  Description:  Ubuntu 22.04.3 LTS
  Release:  22.04
  
  ===
  apt-cache policy openssh-server
  openssh-server:
    Installed: 1:8.9p1-3ubuntu0.6
    Candidate: 1:8.9p1-3ubuntu0.6
    Version table:
   *** 1:8.9p1-3ubuntu0.6 500
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1:8.9p1-3 500
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
  
  ===

** Description changed:

  [ Impact ]
  
  The gssapi-keyex authentication mechanism has been inadvertently broken
  in openssh. It comes from a distro patch[1], and while the patch still
  applied, it was no longer correct.
  
  Without the fix, sshd will fail to start if gssapi-keyex is listed in
  the AuthenticationMethods of the server, and if not, sshd will still
  start, but gssapi-keyex will not be available.
  
  [ Test Plan ]
  
- This update adds a new autopkgtest to the package, which tests both
- gssapi-with-mic ("normal" gssapi, which is not affected by this bug),
- and gssapi-keyex, which, before this update, does not work.
+ This update, besides fixing the patch, also adds a new autopkgtest to
+ the package, which tests both gssapi-with-mic ("normal" gssapi, which is
+ not affected by this bug), and gssapi-keyex, which, before this update,
+ did not work.
  
  The test plan is to run the new ssh-gssapi autopkgtest and verify it
  succeeds.
  
  [ Where problems could occur ]
  
  ssh is a critical piece of infrastructure, and problems with it could
  have catastrophic consequences. The service itself has a test command
  before it starts up to verify the syntax of the config file, but that
  test is not applied on shutdown, so a restart with an invalid config
  file could still leave sshd dead.
  
  The patch adds a change to an authentication structure, but that change
  is already present in the upstream code, and we are 
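
The initializer mismatch this bug is about, as an added example that is not code from the openssh package or from the distro gssapi.patch: it copies the post-dbb339f `struct Authmethod` layout from the hunk quoted in the description, puts the three-entry positional initializer next to a designated-initializer version, and runs both through a simplified reimplementation of the enable check, name lookup and AuthenticationMethods validation that sshd applies before it offers a method. Assumptions: `gss_authentication` stands in for the options field the archive truncated to `_authentication`, `pubkey_authentication`, `userauth_gsskeyex` and `userauth_pubkey` are stubs that exist only to populate the tables, and the lookup functions are simplified, not sshd's own code. The casts in the broken initializer are there only so the file compiles as strict C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct ssh;                     /* opaque connection state, as in OpenSSH */

/* struct Authmethod after upstream dbb339f0, copied from the hunk in the
 * bug description: .synonym was inserted before .userauth, and .userauth
 * gained a second parameter. */
typedef struct Authmethod {
	char *name;
	char *synonym;
	int (*userauth)(struct ssh *, const char *);
	int *enabled;
} Authmethod;

/* Assumed names: the report's "_authentication" is truncated, and the
 * publickey flag exists only to give the method tables a second entry. */
static int gss_authentication = 1;
static int pubkey_authentication = 1;

/* Stubs with the post-commit handler signature. */
static int userauth_gsskeyex(struct ssh *ssh, const char *m)
{ (void)ssh; return strcmp(m, "gssapi-keyex") == 0; }
static int userauth_pubkey(struct ssh *ssh, const char *m)
{ (void)ssh; return strcmp(m, "publickey") == 0; }

/* The unfixed gssapi.patch shape: three values for a four-field struct.
 * Positional initializers fill fields in declaration order, so the handler
 * lands in .synonym, the flag pointer in .userauth, and .enabled is
 * zero-filled (NULL). The casts through uintptr_t are here only so the
 * file compiles as strict C; the original relied on the compiler accepting
 * the mismatched pointer types. */
static Authmethod method_gsskeyex_broken = {
	"gssapi-keyex",
	(char *)(uintptr_t)userauth_gsskeyex,
	(int (*)(struct ssh *, const char *))(uintptr_t)&gss_authentication,
};

/* Fixed shape: designated initializers bind each value to a named field,
 * so an upstream field insertion cannot silently shift the others. */
static Authmethod method_gsskeyex_fixed = {
	.name = "gssapi-keyex", .synonym = NULL,
	.userauth = userauth_gsskeyex, .enabled = &gss_authentication,
};
static Authmethod method_publickey = {
	.name = "publickey", .synonym = NULL,
	.userauth = userauth_pubkey, .enabled = &pubkey_authentication,
};
static const Authmethod *const broken_table[] =
	{ &method_publickey, &method_gsskeyex_broken, NULL };
static const Authmethod *const fixed_table[] =
	{ &method_publickey, &method_gsskeyex_fixed, NULL };

/* Simplified version of sshd's enable check: NULL or zero means disabled. */
int method_is_enabled(const Authmethod *m)
{
	return m->enabled != NULL && *m->enabled != 0;
}

/* Simplified lookup by name or synonym over a NULL-terminated table;
 * returns NULL for unknown or disabled methods. The primary name is tested
 * first: with the broken entry, a synonym comparison would read the
 * handler's machine code as a string. */
const Authmethod *lookup_enabled(const Authmethod *const *table,
    const char *name)
{
	for (size_t i = 0; table[i] != NULL; i++) {
		const Authmethod *m = table[i];
		if (strcmp(name, m->name) != 0 &&
		    (m->synonym == NULL || strcmp(name, m->synonym) != 0))
			continue;
		return method_is_enabled(m) ? m : NULL;
	}
	return NULL;
}

/* Simplified AuthenticationMethods validation for one comma-separated
 * list: every entry must be known and enabled, otherwise the configuration
 * is rejected, the "sshd fails to start" case from the Impact section. */
int methods_list_valid(const Authmethod *const *table, const char *list)
{
	char buf[256];
	if (strlen(list) >= sizeof buf)
		return 0;
	strcpy(buf, list);
	for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
		if (lookup_enabled(table, tok) == NULL)
			return 0;
	return 1;
}

int main(void)
{
	printf("broken: enabled=%d, \"publickey,gssapi-keyex\" valid=%d\n",
	    method_is_enabled(&method_gsskeyex_broken),
	    methods_list_valid(broken_table, "publickey,gssapi-keyex"));
	printf("fixed:  enabled=%d, \"publickey,gssapi-keyex\" valid=%d\n",
	    method_is_enabled(&method_gsskeyex_fixed),
	    methods_list_valid(fixed_table, "publickey,gssapi-keyex"));
	return 0;
}
```

The broken entry is the one a compiler will accept with only incompatible-pointer-type warnings, so building the distro patch with those warnings made fatal is the cheapest guard against a repeat.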

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-08 Thread ake sandgren
openssh-server_8.9p1-3ubuntu0.7_amd64.deb does fix the gssapi-keyex
problem for us on jammy

Syslog output is as expected

===
2024-04-08T08:09:53.608275+02:00 somehost sshd[169530]: Authorized to root, krb5 principal xxx/r...@our.do.main (krb5_kuserok)
2024-04-08T08:09:53.619114+02:00 somehost sshd[169530]: Accepted gssapi-keyex for root from 1.2.3.4 port 60232 ssh2: xxx/r...@our.do.main

===

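
Both the autopkgtest output earlier in the thread and the syslog excerpt above confirm the fix through the same `Accepted <method> for <user> from <addr> port <n> ssh2: <principal>` line that sshd logs on every successful authentication, and the Other Info section's question of whether anyone still uses gssapi-keyex is answered by the same lines. The following is an added example, not code from the bug or from the openssh package: a parser for those lines that accepts both the journal-style and the ISO-timestamped syslog formats seen on this page, plus a per-method summary. The sample log is constructed for the example and modelled on the quoted lines; the realm, user names, key and addresses in it are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the "Accepted <method> for <user> from <addr> port <n> ssh2[: <detail>]"
# line sshd logs on a successful authentication. The timestamp and host name
# before "sshd[<pid>]:" vary by syslog format, so they are not anchored:
# both "Apr 05 16:33:21 host sshd[1518]: ..." (journal style) and
# "2024-04-08T08:09:53.608275+02:00 host sshd[169530]: ..." (ISO style) match.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>[\w-]+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+) ssh2(?:: (?P<detail>.*))?$"
)


@dataclass(frozen=True)
class AcceptedLogin:
    pid: int
    method: str
    user: str
    addr: str
    port: int
    detail: Optional[str]  # Kerberos principal for gssapi-*, key info for publickey


def parse_accepted(line: str) -> Optional[AcceptedLogin]:
    """Return the parsed login for an 'Accepted ...' sshd line, else None."""
    m = ACCEPTED_RE.search(line.rstrip())
    if m is None:
        return None
    return AcceptedLogin(
        pid=int(m["pid"]), method=m["method"], user=m["user"],
        addr=m["addr"], port=int(m["port"]), detail=m["detail"],
    )


def logins_by_method(lines: Iterable[str]) -> Counter:
    """Count successful logins per authentication method."""
    return Counter(l.method for l in map(parse_accepted, lines) if l is not None)


def gss_logins(lines: Iterable[str]) -> List[AcceptedLogin]:
    """Logins that used either GSS-API method, with the principal that was mapped."""
    return [l for l in map(parse_accepted, lines)
            if l is not None and l.method in ("gssapi-with-mic", "gssapi-keyex")]


# Constructed sample, modelled on the lines quoted in this bug; the realm,
# users, addresses and key fingerprint are made up. Lines 3 and 6 are
# deliberately not "Accepted" lines.
SAMPLE_LOG = """\
Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1518]: Accepted gssapi-with-mic for testuser1457 from 127.0.0.1 port 50668 ssh2: testuser1457@EXAMPLE.FAKE
Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1558]: Accepted gssapi-keyex for testuser1457 from 127.0.0.1 port 50670 ssh2: testuser1457@EXAMPLE.FAKE
2024-04-08T08:09:53.608275+02:00 somehost sshd[169530]: Authorized to root, krb5 principal admin/root@EXAMPLE.FAKE (krb5_kuserok)
2024-04-08T08:09:53.619114+02:00 somehost sshd[169530]: Accepted gssapi-keyex for root from 192.0.2.10 port 60232 ssh2: admin/root@EXAMPLE.FAKE
2024-04-08T08:10:02.000000+02:00 somehost sshd[169601]: Accepted publickey for ubuntu from 192.0.2.11 port 41022 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-04-08T08:10:05.000000+02:00 somehost sshd[169610]: Failed password for invalid user admin from 198.51.100.7 port 55000 ssh2
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for method, n in sorted(logins_by_method(lines).items()):
        print(f"{method:16} {n}")
    for login in gss_logins(lines):
        print(f"{login.method}: {login.user} <- {login.detail} from {login.addr}")
```

Run over a fleet's journal exports (`journalctl -u ssh -o short-iso` produces the ISO form), a zero count for gssapi-keyex is the evidence that the method can be dropped; a non-zero count names the hosts and principals that would break.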

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-06 Thread Timo Aaltonen
Hello ake, or anyone else affected,

Accepted openssh into mantic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.3 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
mantic to verification-done-mantic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-mantic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openssh (Ubuntu Mantic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-mantic

** Changed in: openssh (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-jammy


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-28 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:9.6p1-3ubuntu11

---
openssh (1:9.6p1-3ubuntu11) noble; urgency=medium

  * d/t/ssh-gssapi: make the test a bit more robust (LP: #2058276):
- deal with return codes
- match a more specific success expression from the logs
- add klist output in the case of failure

 -- Andreas Hasenack   Mon, 18 Mar 2024 10:25:15
-0300

** Changed in: openssh (Ubuntu Noble)
   Status: In Progress => Fix Released


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-17 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462552

** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462553


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-15 Thread Andreas Hasenack
** Changed in: openssh (Ubuntu Noble)
   Importance: Critical => High

** Changed in: openssh (Ubuntu Mantic)
   Importance: Undecided => High

** Changed in: openssh (Ubuntu Jammy)
   Importance: Undecided => High

** Changed in: openssh (Ubuntu Jammy)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: openssh (Ubuntu Mantic)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-15 Thread Andreas Hasenack
** Description changed:

  [ Impact ]
  
-  * An explanation of the effects of the bug on users and
+ The gssapi-keyex authentication mechanism has been inadvertently broken
+ in openssh. It comes from a distro patch[1], and while the patch still
+ applied, it was no longer correct.
  
-  * justification for backporting the fix to the stable release.
+ Without the fix, sshd will fail to start if gssapi-keyex is listed in
+ the AuthenticationMethods of the server, and if not, sshd will still
+ start, but gssapi-keyex will not be available.
  
-  * In addition, it is helpful, but not required, to include an
-explanation of how the upload fixes this bug.
  
  [ Test Plan ]
  
-  * detailed instructions how to reproduce the bug
+ This update adds a new autopkgtest to the package, which tests both
+ gssapi-with-mic ("normal" gssapi, which is not affected by this bug),
+ and gssapi-keyex, which, before this update, does not work.
  
-  * these should allow someone who is not familiar with the affected
-package to reproduce the bug and verify that the updated package fixes
-the problem.
+ The test plan is to run the new ssh-gssapi autopkgtest and verify it
+ succeeds.
  
-  * if other testing is appropriate to perform before landing this update,
-this should also be described here.
  
  [ Where problems could occur ]
  
-  * Think about what the upload changes in the software. Imagine the change is
-wrong or breaks something else: how would this show up?
+ ssh is a critical piece of infrastructure, and problems with it could
+ have catastrophic consequences. The service itself has a test command
+ before it starts up to verify the syntax of the config file, but that
+ test is not applied on shutdown, so a restart with an invalid config
+ file could still leave sshd dead.
  
-  * It is assumed that any SRU candidate patch is well-tested before
-upload and has a low overall risk of regression, but it's important
-to make the effort to think about what ''could'' happen in the
-event of a regression.
+ The patch adds a change to an authentication structure, but that change
+ is already present in the upstream code, and we are just updating it in
+ the new gssapi-keyex code (introduced by the distro[1] patch, already
+ present). Therefore, mistakes here should manifest themselves just in
+ the gssapi-keyex code, which wasn't working anyway. Effectively, though,
+ we are enabling a new authentication mechanism in sshd, one that was not
+ supposed to have been removed, but was broken by mistake.
  
-  * This must '''never''' be "None" or "Low", or entirely an argument as to why
-your upload is low risk.
- 
-  * This both shows the SRU team that the risks have been considered,
-and provides guidance to testers in regression-testing the SRU.
  
  [ Other Info ]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
  
+ The fact no-one noticed this problem for more than two years could be
+ telling that there are not many users of this authentication mechanism
+ out there. The same applies to debian: it has also been broken for a
+ while there. Maybe we should drop it for future ubuntu releases, since
+ upstream refuses to take it in.
  
  [ Original Description ]
  
- 
- The Authmethod struct now have 4 entries but the initialization of the 
method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
+ The Authmethod struct now have 4 entries but the initialization of the
+ method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
  
  The struct was changed in upstream commit 
dbb339f015c33d63484261d140c84ad875a9e548 as
  ===
  @@ -104,7 +104,8 @@ struct Authctxt {
  
   struct Authmethod {
  char*name;
  -   int (*userauth)(struct ssh *);
  +   char*synonym;
  +   int (*userauth)(struct ssh *, const char *);
  int *enabled;
   };
  
  ===
  
  The incorrect code does
  ===
  +Authmethod method_gsskeyex = {
  +   "gssapi-keyex",
  +   userauth_gsskeyex,
  +   _authentication
  +};
  ===
  but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
  
  This is now (change from Focal) causing gssapi-keyex to be disabled.
  
  ===
  lsb_release -rd
  Description:  Ubuntu 22.04.3 LTS
  Release:  22.04
  
  ===
  apt-cache policy openssh-server
  openssh-server:
    Installed: 1:8.9p1-3ubuntu0.6
    Candidate: 1:8.9p1-3ubuntu0.6
    Version table:
   *** 1:8.9p1-3ubuntu0.6 500
  500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu 
jammy-updates/main amd64 Packages
  500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu 
jammy-security/main amd64 Packages
  100 /var/lib/dpkg/status
   1:8.9p1-3 500
  500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main 
amd64 Packages
  
  ===


[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-15 Thread Andreas Hasenack
** Description changed:

- The Authmethod struct now have 4 entries but the initialization of the
- method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
+ [ Impact ]
+ 
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+ 
+ [ Test Plan ]
+ 
+  * detailed instructions how to reproduce the bug
+ 
+  * these should allow someone who is not familiar with the affected
+package to reproduce the bug and verify that the updated package fixes
+the problem.
+ 
+  * if other testing is appropriate to perform before landing this update,
+this should also be described here.
+ 
+ [ Where problems could occur ]
+ 
+  * Think about what the upload changes in the software. Imagine the change is
+wrong or breaks something else: how would this show up?
+ 
+  * It is assumed that any SRU candidate patch is well-tested before
+upload and has a low overall risk of regression, but it's important
+to make the effort to think about what ''could'' happen in the
+event of a regression.
+ 
+  * This must '''never''' be "None" or "Low", or entirely an argument as to why
+your upload is low risk.
+ 
+  * This both shows the SRU team that the risks have been considered,
+and provides guidance to testers in regression-testing the SRU.
+ 
+ [ Other Info ]
+  
+  * Anything else you think is useful to include
+  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
+  * and address these questions in advance
+ 
+ 
+ [ Original Description ]
+ 
+ 
+ The Authmethod struct now have 4 entries but the initialization of the 
method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
  
  The struct was changed in upstream commit 
dbb339f015c33d63484261d140c84ad875a9e548 as
  ===
  @@ -104,7 +104,8 @@ struct Authctxt {
-  
-  struct Authmethod {
- char*name;
+ 
+  struct Authmethod {
+ char*name;
  -   int (*userauth)(struct ssh *);
  +   char*synonym;
  +   int (*userauth)(struct ssh *, const char *);
- int *enabled;
-  };
+ int *enabled;
+  };
  
  ===
  
  The incorrect code does
  ===
  +Authmethod method_gsskeyex = {
  +   "gssapi-keyex",
  +   userauth_gsskeyex,
  +   _authentication
  +};
  ===
  but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
  
- 
  This is now (change from Focal) causing gssapi-keyex to be disabled.
- 
  
  ===
  lsb_release -rd
  Description:  Ubuntu 22.04.3 LTS
  Release:  22.04
  
  ===
  apt-cache policy openssh-server
  openssh-server:
-   Installed: 1:8.9p1-3ubuntu0.6
-   Candidate: 1:8.9p1-3ubuntu0.6
-   Version table:
-  *** 1:8.9p1-3ubuntu0.6 500
- 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu 
jammy-updates/main amd64 Packages
- 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu 
jammy-security/main amd64 Packages
- 100 /var/lib/dpkg/status
-  1:8.9p1-3 500
- 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main 
amd64 Packages
+   Installed: 1:8.9p1-3ubuntu0.6
+   Candidate: 1:8.9p1-3ubuntu0.6
+   Version table:
+  *** 1:8.9p1-3ubuntu0.6 500
+ 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu 
jammy-updates/main amd64 Packages
+ 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu 
jammy-security/main amd64 Packages
+ 100 /var/lib/dpkg/status
+  1:8.9p1-3 500
+ 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main 
amd64 Packages
  
  ===

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2053146

Title:
  openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is
  slightly wrong

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2053146/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
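
The failure mode described in the report above, as an added example that is not part of the bug report, the OpenSSH source or the Debian/Ubuntu gssapi.patch: a stand-in for the four-member struct Authmethod from commit dbb339f015c33d63484261d140c84ad875a9e548, one entry written with a three-value positional initializer (the type-correct variant, chosen so it compiles without casts; the initializer in gssapi.patch additionally mis-types two members), one entry written with designated initializers, and a lookup that applies the same rule sshd's authmethod_lookup() uses, namely that a method whose enabled pointer is NULL is never offered. The struct ssh forward declaration, the gss_authentication flag, the userauth_gsskeyex stub and the lookup_* helpers are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sshd's struct Authmethod after upstream commit
 * dbb339f015c33d63484261d140c84ad875a9e548: synonym was inserted after
 * name and userauth() gained a method-name argument.  Example code,
 * not OpenSSH's own; the real definition lives in sshd's auth.h. */
struct ssh;				/* opaque here, as in sshd */

typedef struct Authmethod {
	char *name;
	char *synonym;
	int (*userauth)(struct ssh *, const char *);
	int *enabled;
} Authmethod;

/* Assumed: stands in for the GSSAPIAuthentication sshd_config option. */
static int gss_authentication = 1;

/* Assumed stub with the new signature; the real one checks the
 * credential established during GSSAPI key exchange. */
static int
userauth_gsskeyex(struct ssh *ssh, const char *method)
{
	(void)ssh;
	(void)method;
	return 1;
}

/* WRONG: a positional initializer written for the old three-member
 * layout.  This variant compiles without a diagnostic because each
 * value happens to match the member it now lands on, yet the fourth
 * member, enabled, is left zero-initialized, i.e. NULL.  The entry in
 * the Ubuntu report is worse: there userauth_gsskeyex lands in synonym
 * and the enabled pointer in userauth, which the compiler reports as
 * incompatible pointer types. */
Authmethod method_gsskeyex_positional = {
	"gssapi-keyex",
	NULL,
	userauth_gsskeyex,
};

/* RIGHT: designated initializers bind each value to a member by name,
 * so inserting a member into struct Authmethod cannot silently shift
 * the others. */
Authmethod method_gsskeyex_designated = {
	.name = "gssapi-keyex",
	.synonym = NULL,
	.userauth = userauth_gsskeyex,
	.enabled = &gss_authentication,
};

/* Simplified mirror of the test in sshd's authmethod_lookup(): a method
 * whose enabled pointer is NULL, or points at 0, is skipped.  That is
 * why the bug surfaced as gssapi-keyex being "disabled" rather than
 * as a crash. */
const Authmethod *
authmethod_lookup(const Authmethod *const *methods, const char *name)
{
	for (size_t i = 0; methods[i] != NULL; i++) {
		const Authmethod *m = methods[i];

		if (m->enabled == NULL || *m->enabled == 0)
			continue;
		if (strcmp(name, m->name) == 0 ||
		    (m->synonym != NULL && strcmp(name, m->synonym) == 0))
			return m;
	}
	return NULL;
}

/* One method table per variant so each can be checked on its own. */
const Authmethod *
lookup_positional(const char *name)
{
	const Authmethod *table[] = { &method_gsskeyex_positional, NULL };

	return authmethod_lookup(table, name);
}

const Authmethod *
lookup_designated(const char *name)
{
	const Authmethod *table[] = { &method_gsskeyex_designated, NULL };

	return authmethod_lookup(table, name);
}

int
main(void)
{
	printf("positional initializer: gssapi-keyex %s\n",
	    lookup_positional("gssapi-keyex") ? "offered" : "treated as disabled");
	printf("designated initializer: gssapi-keyex %s\n",
	    lookup_designated("gssapi-keyex") ? "offered" : "treated as disabled");
	return 0;
}
```

Building the example with -Wall -Wextra makes gcc and clang report a missing initializer for the enabled member of the positional entry; that diagnostic (-Wmissing-field-initializers, part of -Wextra) is the cheap check to keep enabled when a distribution patch carries struct initializers across an upstream rebase, and designated initializers remove the hazard altogether.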

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-15 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462514

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-14 Thread Andreas Hasenack
I think you missed the extra arg to userauth_gsskeyex()

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-14 Thread Colin Watson
I fixed this in Debian today in
https://salsa.debian.org/ssh-team/openssh/-/commit/0947dd466d64cabfb527d8326e2507f473373a32,
uploaded as part of 1:9.7p1-1.  You could possibly just merge 1:9.7p1-1
into noble since it's mostly a bug-fix release, but failing that you
could cherry-pick the relevant change easily enough.

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
I have an autopkgtest for gssapi, adding one now for keyex.

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
Quick test with
https://launchpad.net/~ahasenack/+archive/ubuntu/openssh-gsskeyex-2053146/+packages
on jammy (but there are builds for other releases too), seems to work:

Mar 13 20:52:58 j-keyex sshd[1638]: Authorized to ubuntu, krb5 principal andreas@LOWTECH (krb5_kuserok)
Mar 13 20:52:58 j-keyex sshd[1638]: Accepted gssapi-keyex for ubuntu from 10.0.102.1 port 48450 ssh2: andreas@LOWTECH

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
Prepping builds, and I also want to add an autopkgtest for this.

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
** Also affects: openssh (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Noble)
   Importance: Critical
 Assignee: Andreas Hasenack (ahasenack)
   Status: In Progress

** Also affects: openssh (Ubuntu Mantic)
   Importance: Undecided
   Status: New

** Changed in: openssh (Ubuntu Mantic)
   Status: New => In Progress

** Changed in: openssh (Ubuntu Jammy)
   Status: New => In Progress

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
https://src.fedoraproject.org/rpms/openssh/c/c04e468b07b38471377fc7a648e1737021ea7148

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
** Changed in: openssh (Ubuntu)
   Status: Incomplete => In Progress

[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-06 Thread Bryce Harrington
** Changed in: openssh (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)
