Jammy verification

In all architectures (except i386, which is a known failure everywhere) the new ssh-gssapi test passed.

Here is the run on amd64[1]:

3438s autopkgtest [16:33:21]: test ssh-gssapi: [-----------------------
3438s ## Setting up test environment
3438s ## Creating Kerberos realm EXAMPLE.FAKE
3438s Loading random data
3438s Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.FAKE',
3438s master key name 'K/m...@example.fake'
3438s ## Creating principals
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Principal "testuser1...@example.fake" created.
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Principal "host/sshd-gssapi.example.f...@example.fake" created.
3438s ## Extracting service principal host/sshd-gssapi.example.fake
3438s Authenticating as principal root/ad...@example.fake with password.
3438s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
3438s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
3438s ## Adjusting /etc/krb5.conf
3438s ## TESTS
3438s
3438s ## TEST test_gssapi_login
3438s ## Configuring sshd for gssapi-with-mic authentication
3438s ## Restarting ssh
3438s ## Obtaining TGT
3438s Password for testuser1...@example.fake:
3438s Ticket cache: FILE:/tmp/krb5cc_0
3438s Default principal: testuser1...@example.fake
3438s
3438s Valid starting Expires Service principal
3438s 04/05/24 16:33:20 04/06/24 02:33:20 krbtgt/example.f...@example.fake
3438s renew until 04/06/24 16:33:20
3438s
3438s ## ssh'ing into localhost using gssapi-with-mic auth
3438s Warning: Permanently added 'sshd-gssapi.example.fake' (ED25519) to the list of known hosts.
3439s Fri Apr 5 16:33:21 UTC 2024
3439s
3439s ## checking that we got a service ticket for ssh (host/)
3439s 04/05/24 16:33:21 04/06/24 02:33:20 host/sshd-gssapi.example.fake@
3439s Ticket server: host/sshd-gssapi.example.f...@example.fake
3439s
3439s ## Checking ssh logs to confirm gssapi-with-mic auth was used
3439s Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1518]: Accepted gssapi-with-mic for testuser1457 from 127.0.0.1 port 50668 ssh2: testuser1...@example.fake
3439s ## PASS test_gssapi_login
3439s
3439s ## TEST test_gssapi_keyex_login
3439s ## Configuring sshd for gssapi-keyex authentication
3439s ## Restarting ssh
3439s ## Obtaining TGT
3439s Password for testuser1...@example.fake:
3439s Ticket cache: FILE:/tmp/krb5cc_0
3439s Default principal: testuser1...@example.fake
3439s
3439s Valid starting Expires Service principal
3439s 04/05/24 16:33:21 04/06/24 02:33:21 krbtgt/example.f...@example.fake
3439s renew until 04/06/24 16:33:21
3439s
3439s ## ssh'ing into localhost using gssapi-keyex auth
3439s Fri Apr 5 16:33:21 UTC 2024
3439s
3439s ## checking that we got a service ticket for ssh (host/)
3439s 04/05/24 16:33:21 04/06/24 02:33:21 host/sshd-gssapi.example.fake@
3439s Ticket server: host/sshd-gssapi.example.f...@example.fake
3439s
3439s ## Checking ssh logs to confirm gssapi-keyex auth was used
3439s Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1558]: Accepted gssapi-keyex for testuser1457 from 127.0.0.1 port 50670 ssh2: testuser1...@example.fake
3439s ## PASS test_gssapi_keyex_login
3439s
3439s ## ALL TESTS PASSED
3439s ## Cleaning up
3439s autopkgtest [16:33:22]: test ssh-gssapi: -----------------------]
3439s autopkgtest [16:33:22]: test ssh-gssapi: - - - - - - - - - - results - - - - - - - - - -
3439s ssh-gssapi PASS
3440s autopkgtest [16:33:23]: @@@@@@@@@@@@@@@@@@@@ summary
3440s regress PASS
3440s ssh-gssapi PASS

Jammy verification succeeded.

1. https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/o/openssh/20240405_163345_c46fa@/log.gz

** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2053146

Title:
  openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Jammy:
  Fix Committed
Status in openssh source package in Mantic:
  Fix Committed
Status in openssh source package in Noble:
  Fix Released

Bug description:

[ Impact ]

The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct.

Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationMethods of the server, and if not, sshd will still start, but gssapi-keyex will not be available.

[ Test Plan ]

This update, besides fixing the patch, also adds a new autopkgtest to the package, which tests both gssapi-with-mic ("normal" gssapi, which is not affected by this bug), and gssapi-keyex, which, before this update, did not work.

The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds.

[ Where problems could occur ]

ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead.

The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are just updating it in the new gssapi-keyex code (introduced by the distro[1] patch, already present). Therefore, mistakes here should manifest themselves just in the gssapi-keyex code, which wasn't working anyway. Effectively, though, we are enabling a new authentication mechanism in sshd, one that was not supposed to have been removed, but was broken by mistake.

[ Other Info ]

The fact no-one noticed this problem for more than two years could be telling that there are not many users of this authentication mechanism out there. The same applies to Debian: it has also been broken for a while there. Maybe we should drop it for future Ubuntu releases, since upstream refuses to take it in.

1. https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/gssapi.patch

[ Original Description ]

The Authmethod struct now has 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only has 3 entries.

The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as

===
@@ -104,7 +104,8 @@ struct Authctxt { struct Authmethod { char *name; - int (*userauth)(struct ssh *); + char *synonym; + int (*userauth)(struct ssh *, const char *); int *enabled; };
===

The incorrect code does

===
+Authmethod method_gsskeyex = { + "gssapi-keyex", + userauth_gsskeyex, + &options.gss_authentication +};
===

but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex.

This is now (change from Focal) causing gssapi-keyex to be disabled.

===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
  Installed: 1:8.9p1-3ubuntu0.6
  Candidate: 1:8.9p1-3ubuntu0.6
  Version table:
 *** 1:8.9p1-3ubuntu0.6 500
        500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
        500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.9p1-3 500
        500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
===
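
Review bot: the method_gsskeyex initializer is positional and lists three values, while struct Authmethod in the hunk above it now has four members with synonym in second place. As written, userauth_gsskeyex initializes synonym, &options.gss_authentication initializes userauth, and enabled receives no value and is left null. Insert NULL after "gssapi-keyex", or switch to designated initializers (.name, .synonym, .userauth, .enabled) so that a later member insertion cannot shift the values again. The struct hunk also gives userauth a second const char * parameter, so the prototype of userauth_gsskeyex needs checking against it; building with -Werror=incompatible-pointer-types would turn this kind of mismatch into a build failure.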
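
How the three-entry initializer from the original description leaves the method unavailable, as an added example that is not code from the bug report or from OpenSSH. struct Authmethod follows the quoted hunk; method_usable() is a hypothetical, simplified lookup, gss_authentication stands in for options.gss_authentication, and the casts exist only so the mis-typed initializer compiles on strict compilers.

```c
#include <stdio.h>
#include <string.h>

struct ssh;  /* opaque in this example */

/* Layout after the upstream change quoted in the report. */
struct Authmethod {
    char *name;
    char *synonym;
    int (*userauth)(struct ssh *, const char *);
    int *enabled;
};

static int gss_authentication = 1;  /* stand-in for options.gss_authentication */

static int userauth_gsskeyex(struct ssh *ssh, const char *method)
{
    (void)ssh; (void)method;
    return 1;
}

/* The three-entry positional initializer from the report. The casts only
 * make the type mismatch explicit so strict compilers accept the example. */
static struct Authmethod stale_gsskeyex = {
    "gssapi-keyex",
    (char *)userauth_gsskeyex,                                 /* lands in synonym */
    (int (*)(struct ssh *, const char *))&gss_authentication,  /* lands in userauth */
    /* enabled: no value left for it, so it is zero-initialized to NULL */
};

/* Fixed form. The report's fix is a NULL after the name; designated
 * initializers (this example's choice) give the same values by member name. */
static struct Authmethod fixed_gsskeyex = {
    .name = "gssapi-keyex",
    .synonym = NULL,
    .userauth = userauth_gsskeyex,
    .enabled = &gss_authentication,
};

/* Hypothetical lookup: a method is offered only if its flag exists and is set. */
static int method_usable(const struct Authmethod *m, const char *name)
{
    return strcmp(m->name, name) == 0 && m->enabled != NULL && *m->enabled != 0;
}

int main(void)
{
    printf("stale=%d fixed=%d\n", method_usable(&stale_gsskeyex, "gssapi-keyex"),
           method_usable(&fixed_gsskeyex, "gssapi-keyex"));
    return 0;
}
```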