Verification for Focal:
First, verifying that the bug manifests with the current package:
# apt policy openssh-client
openssh-client:
Installed: 1:8.2p1-4ubuntu0.4
Candidate: 1:8.2p1-4ubuntu0.4
Version table:
*** 1:8.2p1-4ubuntu0.4 500
500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
100 /var/lib/dpkg/status
1:8.2p1-4ubuntu0.2 500
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
1:8.2p1-4 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
# ssh-keygen -R github.com -f test_known_hosts
# Host github.com found: line 1
# Host github.com found: line 2
# Host github.com found: line 3
test_known_hosts updated.
Original contents retained as test_known_hosts.old
# stat test_known_hosts | grep ^Access
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-04-13 21:54:40.698183232 +0000
Now, enabling -proposed and verifying that the new package fixes the
bug:
# apt policy openssh-client
openssh-client:
Installed: 1:8.2p1-4ubuntu0.5
Candidate: 1:8.2p1-4ubuntu0.5
Version table:
*** 1:8.2p1-4ubuntu0.5 500
500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
100 /var/lib/dpkg/status
1:8.2p1-4ubuntu0.4 500
500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
1:8.2p1-4ubuntu0.2 500
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
1:8.2p1-4 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
# ssh-keygen -R github.com -f test_known_hosts
# Host github.com found: line 1
# Host github.com found: line 2
# Host github.com found: line 3
test_known_hosts updated.
Original contents retained as test_known_hosts.old
# stat test_known_hosts | grep ^Access
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-04-13 21:57:25.676987718 +0000
The bug has been fixed.
** Tags removed: server-todo verification-needed verification-needed-focal
** Tags added: verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1966591
Title:
ssh-keygen -R changes known_hosts file permissions (mode)
Status in portable OpenSSH:
Unknown
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Bionic:
Fix Committed
Status in openssh source package in Focal:
Fix Committed
Status in openssh source package in Impish:
Fix Released
Status in openssh source package in Jammy:
Fix Released
Bug description:
[Impact]
When using "ssh-keygen -R" to remove a host from "known_hosts" the
command changes permissions on the file. This can cause problems
particularly when used on the global "known_hosts" file
(/etc/ssh/ssh_known_hosts), because then only root can read it.
Programs running non-interactively as non-root users suddenly fail to
SSH and it's not immediately obvious why.
[Test Plan]
The problem happens on Bionic and Focal.
$ lxc launch ubuntu-daily:focal openssh-bug1966591
$ lxc shell openssh-bug1966591
# ssh-keyscan github.com > test_known_hosts
# chmod 644 test_known_hosts
# ssh-keygen -R github.com -f test_known_hosts
# stat test_known_hosts
...
Access: (0600/-rw-------) ...
...
[Where problems could occur]
The upstream patch is very simple and it is unlikely that it will
cause any regressions. An indirect problem that could occur is that
users might expect to see a more strict set of permissions on a
"known_hosts" file after using "ssh-keygen -R", but arguably this is
not defined behaviour and should not be relied upon. Of course, there
is always a (very) small risk of introducing problems when rebuilding
packages using newer versions of its dependencies (especially on
Bionic, because it's older).
[Original Description]
When I use ssh-keygen -R to remove a host from known_hosts it changes
permissions on the file. This causes problems particularly when used
on the global known hosts file (/etc/ssh/ssh_known_hosts), because
then only root can read it. Programs running non-interactively as non-
root users suddenly fail to SSH and it's not immediately obvious why.
To reproduce:
$ ssh-keyscan github.com >test_known_hosts
$ chmod 741 test_known_hosts
$ ssh-keygen -R github.com -f test_known_hosts
$ stat test_known_hosts
...
Access: (0600/-rw-------) ...
Expected behavior: file permissions remain unchanged (mode 0741 in
this example).
$ lsb_release -rd
Description: Ubuntu 18.04.6 LTS
Release: 18.04
$ apt-cache policy openssh-client
openssh-client:
Installed: 1:7.6p1-4ubuntu0.6
To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1966591/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
