This bug was fixed in the package openssh - 1:8.9p1-3ubuntu0.7
---
openssh (1:8.9p1-3ubuntu0.7) jammy; urgency=medium
* d/p/gssapi.patch: fix method_gsskeyex structure and
userauth_gsskeyex function regarding changes introduced in upstream
commit
This bug was fixed in the package openssh - 1:9.3p1-1ubuntu3.3
---
openssh (1:9.3p1-1ubuntu3.3) mantic; urgency=medium
* d/p/gssapi.patch: fix method_gsskeyex structure and
userauth_gsskeyex function regarding changes introduced in upstream
commit
It's not clear to me if a simple "ssh -Snone localhost" is covered by
the autopkgtests, so I did that manually, testing without -proposed
first, and ensuring to run "sudo systemctl restart ssh" after upgrading
to -proposed to ensure that I'm definitely hitting the daemon from
-proposed.
Success
Mantic verification
In all architectures, except i386, the new test passed.
Here is a log from the amd64 run[1]:
4333s autopkgtest [16:47:27]: test ssh-gssapi: [---
4333s ## Setting up test environment
4333s ## Creating Kerberos realm EXAMPLE.FAKE
4333s Initializing database
Jammy verification
In all architectures (except i386, which is a known failure everywhere)
the new ssh-gssapi test passed.
Here is the run on amd64[1]:
3438s autopkgtest [16:33:21]: test ssh-gssapi: [---
3438s ## Setting up test environment
3438s ## Creating Kerberos realm
** Description changed:
[ Impact ]
The gssapi-keyex authentication mechanism has been inadvertently broken
in openssh. It comes from a distro patch[1], and while the patch still
applied, it was no longer correct.
Without the fix, sshd will fail to start if gssapi-keyex is listed
openssh-server_8.9p1-3ubuntu0.7_amd64.deb does fix the gssapi-keyex
problem for us on jammy
Syslog output is as expected
===
2024-04-08T08:09:53.608275+02:00 somehost sshd[169530]: Authorized to root,
krb5 principal xxx/r...@our.do.main (krb5_kuserok)
2024-04-08T08:09:53.619114+02:00 somehost
Hello ake, or anyone else affected,
Accepted openssh into mantic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.3 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
This bug was fixed in the package openssh - 1:9.6p1-3ubuntu11
---
openssh (1:9.6p1-3ubuntu11) noble; urgency=medium
* d/t/ssh-gssapi: make the test a bit more robust (LP: #2058276):
- deal with return codes
- match a more specific success expression from the logs
- add
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462552
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462553
--
You received this bug notification because you are a
** Changed in: openssh (Ubuntu Noble)
Importance: Critical => High
** Changed in: openssh (Ubuntu Mantic)
Importance: Undecided => High
** Changed in: openssh (Ubuntu Jammy)
Importance: Undecided => High
** Changed in: openssh (Ubuntu Jammy)
Assignee: (unassigned) => Andreas
** Description changed:
[ Impact ]
- * An explanation of the effects of the bug on users and
+ The gssapi-keyex authentication mechanism has been inadvertently broken
+ in openssh. It comes from a distro patch[1], and while the patch still
+ applied, it was no longer correct.
- *
** Description changed:
- The Authmethod struct now have 4 entries but the initialization of the
- method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
+ [ Impact ]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462514
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2053146
Title:
openssh 8.9p1 for
I think you missed the extra arg to userauth_gsskeyex()
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2053146
Title:
openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is
slightly
I fixed this in Debian today in
https://salsa.debian.org/ssh-team/openssh/-/commit/0947dd466d64cabfb527d8326e2507f473373a32, uploaded
as part of 1:9.7p1-1. You could possibly just merge 1:9.7p1-1 into
noble since it's mostly a bug-fix release, but failing that you could
cherry-pick the relevant
I have an autopkgtest for gssapi, adding one now for keyex.
--
Quick test with
https://launchpad.net/~ahasenack/+archive/ubuntu/openssh-gsskeyex-2053146/+packages
on jammy (but there are builds for other
releases too), seems to work:
Mar 13 20:52:58 j-keyex sshd[1638]: Authorized to ubuntu, krb5 principal
andreas@LOWTECH (krb5_kuserok)
Mar 13 20:52:58
Prepping builds, and I also want to add an autopkgtest for this.
--
** Also affects: openssh (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Noble)
Importance: Critical
Assignee: Andreas Hasenack (ahasenack)
Status: In Progress
** Also affects: openssh (Ubuntu Mantic)
Importance: Undecided
https://src.fedoraproject.org/rpms/openssh/c/c04e468b07b38471377fc7a648e1737021ea7148
--
** Changed in: openssh (Ubuntu)
Status: Incomplete => In Progress
--
** Changed in: openssh (Ubuntu)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
--