[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
This bug was fixed in the package openssh - 1:8.9p1-3ubuntu0.7

---
openssh (1:8.9p1-3ubuntu0.7) jammy; urgency=medium

  * d/p/gssapi.patch: fix method_gsskeyex structure and userauth_gsskeyex
    function regarding changes introduced in upstream commit
    dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for multiple names
    for authmethods") (LP: #2053146)
  * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic and
    gssapi-keyex authentication methods

 -- Andreas Hasenack  Fri, 15 Mar 2024 17:28:22 -0300

** Changed in: openssh (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2053146

Title:
  openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is
  slightly wrong

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2053146/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
This bug was fixed in the package openssh - 1:9.3p1-1ubuntu3.3

---
openssh (1:9.3p1-1ubuntu3.3) mantic; urgency=medium

  * d/p/gssapi.patch: fix method_gsskeyex structure and userauth_gsskeyex
    function regarding changes introduced in upstream commit
    dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for multiple names
    for authmethods") (LP: #2053146)
  * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic and
    gssapi-keyex authentication methods

 -- Andreas Hasenack  Fri, 15 Mar 2024 17:25:30 -0300

** Changed in: openssh (Ubuntu Mantic)
       Status: Fix Committed => Fix Released
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
It's not clear to me if a simple "ssh -Snone localhost" is covered by the
autopkgtests, so I did that manually, testing without -proposed first, and
ensuring to run "sudo systemctl restart ssh" after upgrading to -proposed
to ensure that I'm definitely hitting the daemon from -proposed.

Success on: 1:8.9p1-3ubuntu0.7 on Jammy and 1:9.3p1-1ubuntu3.3 on Mantic.

My commands were:

lxc launch ubuntu:jammy foo
lxc exec foo bash
login -f ubuntu
ssh-keygen # and set no passphrase
cd .ssh
cat id_rsa.pub >> authorized_keys
ssh -Snone localhost
exit
sudo add-apt-repository -p proposed
apt install -t jammy-proposed openssh-server
sudo systemctl restart ssh
ssh -Snone localhost
exit
apt policy openssh-server

(and the equivalent for Mantic)
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
Mantic verification

In all architectures, except i386, the new test passed. Here is a log
from the amd64 run[1]:

4333s autopkgtest [16:47:27]: test ssh-gssapi: [---
4333s ## Setting up test environment
4333s ## Creating Kerberos realm EXAMPLE.FAKE
4333s Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.FAKE',
4333s master key name 'K/m...@example.fake'
4333s ## Creating principals
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Principal "testuser1...@example.fake" created.
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Principal "host/sshd-gssapi.example.f...@example.fake" created.
4333s ## Extracting service principal host/sshd-gssapi.example.fake
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
4333s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
4333s ## Adjusting /etc/krb5.conf
4333s ## TESTS
4333s 
4333s ## TEST test_gssapi_login
4333s ## Configuring sshd for gssapi-with-mic authentication
4333s ## Restarting ssh
4333s ## Obtaining TGT
4333s Password for testuser1...@example.fake: 
4333s Ticket cache: FILE:/tmp/krb5cc_0
4333s Default principal: testuser1...@example.fake
4333s 
4333s Valid starting     Expires            Service principal
4333s 04/05/24 16:47:27  04/06/24 02:47:27  krbtgt/example.f...@example.fake
4333s 	renew until 04/06/24 16:47:27
4333s 
4333s ## ssh'ing into localhost using gssapi-with-mic auth
4333s Warning: Permanently added 'sshd-gssapi.example.fake' (ED25519) to the list of known hosts.
4334s Fri Apr 5 16:47:27 UTC 2024
4334s 
4334s ## checking that we got a service ticket for ssh (host/)
4334s 04/05/24 16:47:27  04/06/24 02:47:27  host/sshd-gssapi.example.fake@
4334s 	Ticket server: host/sshd-gssapi.example.f...@example.fake
4334s 
4334s ## Checking ssh logs to confirm gssapi-with-mic auth was used
4334s Apr 05 16:47:27 sshd-gssapi.example.fake sshd[1688]: Accepted gssapi-with-mic for testuser1620 from 127.0.0.1 port 44922 ssh2: testuser1...@example.fake
4334s ## PASS test_gssapi_login
4334s 
4334s ## TEST test_gssapi_keyex_login
4334s ## Configuring sshd for gssapi-keyex authentication
4334s ## Restarting ssh
4334s ## Obtaining TGT
4334s Password for testuser1...@example.fake: 
4334s Ticket cache: FILE:/tmp/krb5cc_0
4334s Default principal: testuser1...@example.fake
4334s 
4334s Valid starting     Expires            Service principal
4334s 04/05/24 16:47:28  04/06/24 02:47:28  krbtgt/example.f...@example.fake
4334s 	renew until 04/06/24 16:47:28
4334s 
4334s ## ssh'ing into localhost using gssapi-keyex auth
4334s Fri Apr 5 16:47:28 UTC 2024
4334s 
4334s ## checking that we got a service ticket for ssh (host/)
4334s 04/05/24 16:47:28  04/06/24 02:47:28  host/sshd-gssapi.example.fake@
4334s 	Ticket server: host/sshd-gssapi.example.f...@example.fake
4334s 
4334s ## Checking ssh logs to confirm gssapi-keyex auth was used
4334s Apr 05 16:47:28 sshd-gssapi.example.fake sshd[1758]: Accepted gssapi-keyex for testuser1620 from 127.0.0.1 port 44930 ssh2: testuser1...@example.fake
4334s ## PASS test_gssapi_keyex_login
4334s 
4334s ## ALL TESTS PASSED
4334s ## Cleaning up
4334s autopkgtest [16:47:28]: test ssh-gssapi: ---]
4335s ssh-gssapi PASS
4335s autopkgtest [16:47:29]: test ssh-gssapi:  - - - - - - - - - - results - - - - - - - - - -
4335s autopkgtest [16:47:29]: summary
4335s regress PASS
4335s systemd-socket-activation PASS
4335s ssh-gssapi PASS

Mantic verification succeeded.

1. https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/o/openssh/20240405_164750_3a52b@/log.gz

** Tags removed: verification-needed-mantic
** Tags added: verification-done-mantic
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
Jammy verification

In all architectures (except i386, which is a known failure everywhere)
the new ssh-gssapi test passed. Here is the run on amd64[1]:

3438s autopkgtest [16:33:21]: test ssh-gssapi: [---
3438s ## Setting up test environment
3438s ## Creating Kerberos realm EXAMPLE.FAKE
3438s Loading random data
3438s Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.FAKE',
3438s master key name 'K/m...@example.fake'
3438s ## Creating principals
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Principal "testuser1...@example.fake" created.
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Principal "host/sshd-gssapi.example.f...@example.fake" created.
3438s ## Extracting service principal host/sshd-gssapi.example.fake
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
3438s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
3438s ## Adjusting /etc/krb5.conf
3438s ## TESTS
3438s 
3438s ## TEST test_gssapi_login
3438s ## Configuring sshd for gssapi-with-mic authentication
3438s ## Restarting ssh
3438s ## Obtaining TGT
3438s Password for testuser1...@example.fake: 
3438s Ticket cache: FILE:/tmp/krb5cc_0
3438s Default principal: testuser1...@example.fake
3438s 
3438s Valid starting     Expires            Service principal
3438s 04/05/24 16:33:20  04/06/24 02:33:20  krbtgt/example.f...@example.fake
3438s 	renew until 04/06/24 16:33:20
3438s 
3438s ## ssh'ing into localhost using gssapi-with-mic auth
3438s Warning: Permanently added 'sshd-gssapi.example.fake' (ED25519) to the list of known hosts.
3439s Fri Apr 5 16:33:21 UTC 2024
3439s 
3439s ## checking that we got a service ticket for ssh (host/)
3439s 04/05/24 16:33:21  04/06/24 02:33:20  host/sshd-gssapi.example.fake@
3439s 	Ticket server: host/sshd-gssapi.example.f...@example.fake
3439s 
3439s ## Checking ssh logs to confirm gssapi-with-mic auth was used
3439s Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1518]: Accepted gssapi-with-mic for testuser1457 from 127.0.0.1 port 50668 ssh2: testuser1...@example.fake
3439s ## PASS test_gssapi_login
3439s 
3439s ## TEST test_gssapi_keyex_login
3439s ## Configuring sshd for gssapi-keyex authentication
3439s ## Restarting ssh
3439s ## Obtaining TGT
3439s Password for testuser1...@example.fake: 
3439s Ticket cache: FILE:/tmp/krb5cc_0
3439s Default principal: testuser1...@example.fake
3439s 
3439s Valid starting     Expires            Service principal
3439s 04/05/24 16:33:21  04/06/24 02:33:21  krbtgt/example.f...@example.fake
3439s 	renew until 04/06/24 16:33:21
3439s 
3439s ## ssh'ing into localhost using gssapi-keyex auth
3439s Fri Apr 5 16:33:21 UTC 2024
3439s 
3439s ## checking that we got a service ticket for ssh (host/)
3439s 04/05/24 16:33:21  04/06/24 02:33:21  host/sshd-gssapi.example.fake@
3439s 	Ticket server: host/sshd-gssapi.example.f...@example.fake
3439s 
3439s ## Checking ssh logs to confirm gssapi-keyex auth was used
3439s Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1558]: Accepted gssapi-keyex for testuser1457 from 127.0.0.1 port 50670 ssh2: testuser1...@example.fake
3439s ## PASS test_gssapi_keyex_login
3439s 
3439s ## ALL TESTS PASSED
3439s ## Cleaning up
3439s autopkgtest [16:33:22]: test ssh-gssapi: ---]
3439s autopkgtest [16:33:22]: test ssh-gssapi:  - - - - - - - - - - results - - - - - - - - - -
3439s ssh-gssapi PASS
3440s autopkgtest [16:33:23]: summary
3440s regress PASS
3440s ssh-gssapi PASS

Jammy verification succeeded.

1. https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/o/openssh/20240405_163345_c46fa@/log.gz

** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Description changed: [ Impact ] The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct. Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationMethods of the server, and if not, sshd will still start, but gssapi-keyex will not be available. - [ Test Plan ] This update adds a new autopkgtest to the package, which tests both gssapi-with-mic ("normal" gssapi, which is not affected by this bug), and gssapi-keyex, which, before this update, does not work. The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds. - [ Where problems could occur ] ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead. The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are just updating it in the new gssapi-keyex code (introduced by the distro[1] patch, already present). Therefore, mistakes here should manifest themselves just in the gssapi-keyex code, which wasn't working anyway. Effectively, though, we are enabling a new authentication mechanism in sshd, one that was not supposed to have been removed, but was broken by mistake. - [ Other Info ] The fact no-one noticed this problem for more than two years could be telling that there are not many users of this authentication mechanism out there. The same applies to debian: it has also been broken for a while there. Maybe we should drop it for future ubuntu releases, since upstream refuses to take it in. + + + 1. 
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/gssapi.patch + [ Original Description ] The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries. The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as === 
@@ -104,7 +104,8 @@ struct Authctxt { struct Authmethod { char*name; - int (*userauth)(struct ssh *); + char*synonym; + int (*userauth)(struct ssh *, const char *); int *enabled; }; === The incorrect code does === +Authmethod method_gsskeyex = { + "gssapi-keyex", + userauth_gsskeyex, + _authentication +}; === but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex This is now (change from Focal) causing gssapi-keyex to be disabled. === lsb_release -rd Description: Ubuntu 22.04.3 LTS Release: 22.04 === apt-cache policy openssh-server openssh-server: Installed: 1:8.9p1-3ubuntu0.6 Candidate: 1:8.9p1-3ubuntu0.6 Version table: *** 1:8.9p1-3ubuntu0.6 500 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages 100 /var/lib/dpkg/status 1:8.9p1-3 500 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages === ** Description changed: [ Impact ] The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct. Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationMethods of the server, and if not, sshd will still start, but gssapi-keyex will not be available. [ Test Plan ] - This update adds a new autopkgtest to the package, which tests both - gssapi-with-mic ("normal" gssapi, which is not affected by this bug), - and gssapi-keyex, which, before this update, does not work. + This update, besides fixing the patch, also adds a new autopkgtest to + the package, which tests both gssapi-with-mic ("normal" gssapi, which is + not affected by this bug), and gssapi-keyex, which, before this update, + did not work. The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds. 
[ Where problems could occur ] ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead. The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
openssh-server_8.9p1-3ubuntu0.7_amd64.deb does fix the gssapi-keyex problem
for us on jammy

Syslog output is as expected
===
2024-04-08T08:09:53.608275+02:00 somehost sshd[169530]: Authorized to root, krb5 principal xxx/r...@our.do.main (krb5_kuserok)
2024-04-08T08:09:53.619114+02:00 somehost sshd[169530]: Accepted gssapi-keyex for root from 1.2.3.4 port 60232 ssh2: xxx/r...@our.do.main
===
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
Hello ake, or anyone else affected,

Accepted openssh into mantic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.3
in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-mantic to verification-done-mantic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-mantic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openssh (Ubuntu Mantic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-mantic

** Changed in: openssh (Ubuntu Jammy)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-jammy
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
This bug was fixed in the package openssh - 1:9.6p1-3ubuntu11

---
openssh (1:9.6p1-3ubuntu11) noble; urgency=medium

  * d/t/ssh-gssapi: make the test a bit more robust (LP: #2058276):
    - deal with return codes
    - match a more specific success expression from the logs
    - add klist output in the case of failure

 -- Andreas Hasenack  Mon, 18 Mar 2024 10:25:15 -0300

** Changed in: openssh (Ubuntu Noble)
       Status: In Progress => Fix Released
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462552

** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462553
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Changed in: openssh (Ubuntu Noble)
   Importance: Critical => High

** Changed in: openssh (Ubuntu Mantic)
   Importance: Undecided => High

** Changed in: openssh (Ubuntu Jammy)
   Importance: Undecided => High

** Changed in: openssh (Ubuntu Jammy)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: openssh (Ubuntu Mantic)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Description changed: [ Impact ] - * An explanation of the effects of the bug on users and + The gssapi-keyex authentication mechanism has been inadvertently broken + in openssh. It comes from a distro patch[1], and while the patch still + applied, it was no longer correct. - * justification for backporting the fix to the stable release. + Without the fix, sshd will fail to start if gssapi-keyex is listed in + the AuthenticationMethods of the server, and if not, sshd will still + start, but gssapi-keyex will not be available. - * In addition, it is helpful, but not required, to include an -explanation of how the upload fixes this bug. [ Test Plan ] - * detailed instructions how to reproduce the bug + This update adds a new autopkgtest to the package, which tests both + gssapi-with-mic ("normal" gssapi, which is not affected by this bug), + and gssapi-keyex, which, before this update, does not work. - * these should allow someone who is not familiar with the affected -package to reproduce the bug and verify that the updated package fixes -the problem. + The test plan is to run the new ssh-gssapi autopkgtest and verify it + succeeds. - * if other testing is appropriate to perform before landing this update, -this should also be described here. [ Where problems could occur ] - * Think about what the upload changes in the software. Imagine the change is -wrong or breaks something else: how would this show up? + ssh is a critical piece of infrastructure, and problems with it could + have catastrophic consequences. The service itself has a test command + before it starts up to verify the syntax of the config file, but that + test is not applied on shutdown, so a restart with an invalid config + file could still leave sshd dead. - * It is assumed that any SRU candidate patch is well-tested before -upload and has a low overall risk of regression, but it's important -to make the effort to think about what ''could'' happen in the -event of a regression. 
+ The patch adds a change to an authentication structure, but that change + is already present in the upstream code, and we are just updating it in + the new gssapi-keyex code (introduced by the distro[1] patch, already + present). Therefore, mistakes here should manifest themselves just in + the gssapi-keyex code, which wasn't working anyway. Effectively, though, + we are enabling a new authentication mechanism in sshd, one that was not + supposed to have been removed, but was broken by mistake. - * This must '''never''' be "None" or "Low", or entirely an argument as to why -your upload is low risk. - - * This both shows the SRU team that the risks have been considered, -and provides guidance to testers in regression-testing the SRU. [ Other Info ] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance + The fact no-one noticed this problem for more than two years could be + telling that there are not many users of this authentication mechanism + out there. The same applies to debian: it has also been broken for a + while there. Maybe we should drop it for future ubuntu releases, since + upstream refuses to take it in. [ Original Description ] - - The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries. + The Authmethod struct now have 4 entries but the initialization of the + method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries. The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as === 
@@ -104,7 +104,8 @@ struct Authctxt { struct Authmethod { char*name; - int (*userauth)(struct ssh *); + char*synonym; + int (*userauth)(struct ssh *, const char *); int *enabled; }; === The incorrect code does === +Authmethod method_gsskeyex = { + "gssapi-keyex", + userauth_gsskeyex, + _authentication +}; === but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex This is now (change from Focal) causing gssapi-keyex to be disabled. === lsb_release -rd Description: Ubuntu 22.04.3 LTS Release: 22.04 === apt-cache policy openssh-server openssh-server: Installed: 1:8.9p1-3ubuntu0.6 Candidate: 1:8.9p1-3ubuntu0.6 Version table: *** 1:8.9p1-3ubuntu0.6 500 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages 100 /var/lib/dpkg/status 1:8.9p1-3 500 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages === --
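Review bot: the "+Authmethod method_gsskeyex = {" hunk initializes a four-member struct with three positional entries, so once the first hunk inserts "char *synonym;" after "char *name;" every value shifts one slot: userauth_gsskeyex is stored in synonym, "_authentication" is stored in userauth, and enabled is left NULL, which matches the "causing gssapi-keyex to be disabled" effect the description reports. Insert "NULL," between "gssapi-keyex", and userauth_gsskeyex, as the description says, and, because the same first hunk changes the callback type to "int (*userauth)(struct ssh *, const char *);", give userauth_gsskeyex the extra const char * parameter as well (another comment in this thread, "I think you missed the extra arg to userauth_gsskeyex()", raises the same point); otherwise the corrected initializer still stores a callback of the old type in userauth.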
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Description changed: - The Authmethod struct now have 4 entries but the initialization of the - method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries. + [ Impact ] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [ Test Plan ] + + * detailed instructions how to reproduce the bug + + * these should allow someone who is not familiar with the affected +package to reproduce the bug and verify that the updated package fixes +the problem. + + * if other testing is appropriate to perform before landing this update, +this should also be described here. + + [ Where problems could occur ] + + * Think about what the upload changes in the software. Imagine the change is +wrong or breaks something else: how would this show up? + + * It is assumed that any SRU candidate patch is well-tested before +upload and has a low overall risk of regression, but it's important +to make the effort to think about what ''could'' happen in the +event of a regression. + + * This must '''never''' be "None" or "Low", or entirely an argument as to why +your upload is low risk. + + * This both shows the SRU team that the risks have been considered, +and provides guidance to testers in regression-testing the SRU. + + [ Other Info ] + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance + + + [ Original Description ] + + + The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries. The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as === 
@@ -104,7 +104,8 @@ struct Authctxt { - - struct Authmethod { - char*name; + + struct Authmethod { + char*name; - int (*userauth)(struct ssh *); + char*synonym; + int (*userauth)(struct ssh *, const char *); - int *enabled; - }; + int *enabled; + }; === The incorrect code does === +Authmethod method_gsskeyex = { + "gssapi-keyex", + userauth_gsskeyex, + _authentication +}; === but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex - This is now (change from Focal) causing gssapi-keyex to be disabled. - === lsb_release -rd Description: Ubuntu 22.04.3 LTS Release: 22.04 === apt-cache policy openssh-server openssh-server: - Installed: 1:8.9p1-3ubuntu0.6 - Candidate: 1:8.9p1-3ubuntu0.6 - Version table: - *** 1:8.9p1-3ubuntu0.6 500 - 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages - 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages - 100 /var/lib/dpkg/status - 1:8.9p1-3 500 - 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages + Installed: 1:8.9p1-3ubuntu0.6 + Candidate: 1:8.9p1-3ubuntu0.6 + Version table: + *** 1:8.9p1-3ubuntu0.6 500 + 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages + 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages + 100 /var/lib/dpkg/status + 1:8.9p1-3 500 + 500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages === -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2053146 Title: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2053146/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
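To show concretely why a three-entry positional initializer disables the method, here is an added C example; it is not code from this bug thread or from the openssh package. It lays out struct Authmethod as the upstream hunk above defines it, initializes it both the broken way and the corrected way, and runs a simplified name/enabled check modelled on what sshd does. The gss_keyex_enabled flag, the old-signature callback and the check functions are constructed stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Opaque connection context, as in OpenSSH; never dereferenced here. */
struct ssh;

/* struct Authmethod as laid out after upstream commit
 * dbb339f015c33d63484261d140c84ad875a9e548 (the first hunk above). */
typedef struct Authmethod {
	char *name;
	char *synonym;
	int (*userauth)(struct ssh *, const char *);
	int *enabled;
} Authmethod;

/* Constructed stand-in for the sshd option flag the distro patch points
 * at (the bug text shows that identifier only as "_authentication"). */
static int gss_keyex_enabled = 1;

/* Callback with the old one-argument signature the patch still used. */
static int userauth_gsskeyex_old(struct ssh *ssh)
{
	(void)ssh;
	return 1;
}

/* Callback with the two-argument signature the upstream commit requires. */
static int userauth_gsskeyex(struct ssh *ssh, const char *method)
{
	(void)ssh;
	(void)method;
	return 1;
}

/* The three-entry positional initializer from the patch. C fills members
 * in declaration order, so the callback lands in .synonym, the flag
 * pointer lands in .userauth and .enabled is left NULL. The casts are
 * added so this file builds without diagnostics; in the real tree gcc
 * accepted the same initializer with incompatible-pointer-type warnings. */
static Authmethod method_gsskeyex_broken = {
	"gssapi-keyex",
	(char *)userauth_gsskeyex_old,
	(int (*)(struct ssh *, const char *))&gss_keyex_enabled,
};

/* The corrected initializer: NULL synonym, new-signature callback,
 * and the enable flag in the slot that is actually read. */
static Authmethod method_gsskeyex = {
	"gssapi-keyex",
	NULL,
	userauth_gsskeyex,
	&gss_keyex_enabled,
};

/* Simplified model (an assumption, not OpenSSH's code) of how sshd picks a
 * method: the requested name must equal .name or a non-NULL .synonym.
 * Only call this on the broken object with its own name: its .synonym
 * holds a function pointer, and strcmp on it would read code bytes. */
int method_matches(const Authmethod *m, const char *wanted)
{
	if (strcmp(m->name, wanted) == 0)
		return 1;
	return m->synonym != NULL && strcmp(m->synonym, wanted) == 0;
}

/* A method is offered only if .enabled points at a non-zero flag. */
int method_is_enabled(const Authmethod *m)
{
	return m->enabled != NULL && *m->enabled != 0;
}

/* Confirms where the broken initializer's values actually ended up. */
int broken_fields_shifted(void)
{
	return method_gsskeyex_broken.synonym == (char *)userauth_gsskeyex_old
	    && method_gsskeyex_broken.userauth
	       == (int (*)(struct ssh *, const char *))&gss_keyex_enabled
	    && method_gsskeyex_broken.enabled == NULL;
}

int main(void)
{
	printf("broken: matches=%d enabled=%d shifted=%d\n",
	    method_matches(&method_gsskeyex_broken, "gssapi-keyex"),
	    method_is_enabled(&method_gsskeyex_broken),
	    broken_fields_shifted());
	printf("fixed:  matches=%d enabled=%d\n",
	    method_matches(&method_gsskeyex, "gssapi-keyex"),
	    method_is_enabled(&method_gsskeyex));
	return 0;
}
```

The broken object still matches its own name, so nothing fails loudly; it is only the enabled check that silently rejects it, which is why the method simply went missing rather than crashing sshd.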
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462514
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
I think you missed the extra arg to userauth_gsskeyex()
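To make the two defects in this thread concrete (the missing `NULL` for the inserted `synonym` member from the bug report, and the missing `const char *` argument on `userauth_gsskeyex()` from the reply above), here is an added stand-alone C example; it is not code from OpenSSH or from the Ubuntu or Debian packaging. It declares `struct Authmethod` with the post-dbb339f0 layout shown in the hunk, a correct entry written with designated initializers, a function that reproduces field by field what the three-value positional initializer stores, and two checks: `authmethod_is_offered`, which applies the rule sshd's method lookup uses (an entry whose `enabled` pointer is NULL or points at 0 is never offered), and `authmethod_check`, a startup sanity check that would have flagged the bad entry. The names `gss_keyex_authentication`, `method_gsskeyex_fixed`, `method_gsskeyex_buggy`, `authmethod_is_offered` and `authmethod_check` are this example's own, and the callback body is a stub.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ssh;                        /* opaque, as in sshd */

/* struct Authmethod after upstream commit dbb339f0: 'synonym' was inserted
 * after 'name' and the userauth callback gained a const char * argument. */
typedef struct Authmethod {
	char *name;
	char *synonym;
	int (*userauth)(struct ssh *, const char *);
	int *enabled;
} Authmethod;

/* Hypothetical stand-in for the GSSAPIKeyExchange option flag. */
static int gss_keyex_authentication = 1;

/* Stub callback carrying the post-dbb339f0 signature. */
static int
userauth_gsskeyex(struct ssh *ssh, const char *method)
{
	(void)ssh; (void)method;
	return 1;
}

/* Fixed entry: designated initializers bind by field name, so a member
 * inserted upstream cannot silently shift the values that follow it. */
Authmethod method_gsskeyex_fixed = {
	.name     = "gssapi-keyex",
	.synonym  = NULL,
	.userauth = userauth_gsskeyex,
	.enabled  = &gss_keyex_authentication,
};

/* Reproduces, field by field, what the three-value positional initializer
 * in the Jammy patch stores: the callback lands in 'synonym', the option
 * flag in 'userauth', and 'enabled', never initialized, is zero (NULL).
 * The uintptr_t casts exist only so this file compiles cleanly; the
 * original initializer relied on the compiler merely warning. */
const Authmethod *
method_gsskeyex_buggy(void)
{
	static Authmethod m;
	memset(&m, 0, sizeof m);
	m.name = "gssapi-keyex";
	m.synonym = (char *)(uintptr_t)userauth_gsskeyex;
	m.userauth = (int (*)(struct ssh *, const char *))
	    (uintptr_t)&gss_keyex_authentication;
	return &m;
}

/* The rule sshd's method lookup applies: an entry whose 'enabled' pointer
 * is NULL, or points at 0, is never offered to the client. */
int
authmethod_is_offered(const Authmethod *m)
{
	return m->enabled != NULL && *m->enabled != 0;
}

/* Startup sanity check that would have flagged the bad entry. Returns 1
 * if the entry is well formed, else 0 with a reason in err (may be NULL). */
int
authmethod_check(const Authmethod *m, char *err, size_t errlen)
{
	const char *why = NULL;
	if (m->name == NULL)
		why = "entry has no name";
	else if (m->userauth == NULL)
		why = "userauth callback is NULL";
	else if (m->enabled == NULL)
		why = "enabled pointer is NULL (missing initializer?)";
	if (why == NULL)
		return 1;
	if (err != NULL && errlen > 0)
		snprintf(err, errlen, "%s: %s",
		    m->name != NULL ? m->name : "(unnamed)", why);
	return 0;
}

int
main(void)
{
	const Authmethod *table[] = { &method_gsskeyex_fixed, method_gsskeyex_buggy() };
	char err[128];
	for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
		if (authmethod_check(table[i], err, sizeof err))
			printf("%-14s ok, offered=%d\n", table[i]->name,
			    authmethod_is_offered(table[i]));
		else
			printf("%-14s broken: %s\n", table[i]->name, err);
	}
	return 0;
}
```

The buggy entry is never invoked through its `userauth` slot, because that slot holds the address of an `int`; the point of `authmethod_check` is that a table walk at startup reports the entry before any client can trip over it, whereas the real code path only silently skipped the method.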
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
I fixed this in Debian today in https://salsa.debian.org/ssh-team/openssh/-/commit/0947dd466d64cabfb527d8326e2507f473373a32, uploaded as part of 1:9.7p1-1. You could possibly just merge 1:9.7p1-1 into noble since it's mostly a bug-fix release, but failing that you could cherry-pick the relevant change easily enough.
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
I have an autopkgtest for gssapi, adding one now for keyex.
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
Quick test with https://launchpad.net/~ahasenack/+archive/ubuntu/openssh-gsskeyex-2053146/+packages on jammy (but there are builds for other releases too), seems to work:

Mar 13 20:52:58 j-keyex sshd[1638]: Authorized to ubuntu, krb5 principal andreas@LOWTECH (krb5_kuserok)
Mar 13 20:52:58 j-keyex sshd[1638]: Accepted gssapi-keyex for ubuntu from 10.0.102.1 port 48450 ssh2: andreas@LOWTECH
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
Prepping builds, and I also want to add an autopkgtest for this.
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Also affects: openssh (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Noble)
   Importance: Critical
     Assignee: Andreas Hasenack (ahasenack)
       Status: In Progress

** Also affects: openssh (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Changed in: openssh (Ubuntu Mantic)
       Status: New => In Progress

** Changed in: openssh (Ubuntu Jammy)
       Status: New => In Progress
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
https://src.fedoraproject.org/rpms/openssh/c/c04e468b07b38471377fc7a648e1737021ea7148
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Changed in: openssh (Ubuntu)
       Status: Incomplete => In Progress
[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
** Changed in: openssh (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)