Ubuntu
pam-ssh-agent-auth package

crash when in FIPS mode

Bug #1964486 reported by Dan Streetman
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
pam-ssh-agent-auth (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Impish
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned

Bug Description

[impact]

when in FIPS mode, MD5 is not allowed; however in pamsshagentauth_check_authkeys_file(), if a key match is found for a key is found, its MD5 fingerprint is generated in order to log the fingerprint. Unfortunately that calls into pamsshagentauth_key_fingerprint_raw() which uses openssl EVP_* functions for the fingerprint creation, but without any kind of error checking. The call to EVP_DigestInit() fails because openssl is in FIPS mode and disallows MD5, but the result isn't checked, and the following call to EVP_DigestUpdate() results in openssl attempting to call ctx->update(), although ctx->update is null.

In addition, OpenSSH has defaulted to SHA256 fingerprints by default since 6.8, which is before xenial came out. This makes it more difficult to compare fingerprints listed as MD5 in log files with fingerprints printed as SHA256 by OpenSSH. The upstream pam-ssh-auth-agent codebase is poorly maintained and has not kept up with OpenSSH changes.

[test case]

set up a system in FIPS mode with FIPS openssl, install pam-ssh-agent-auth and configure per:
https://blog.heinzl.dev/use-public-key-to-prevent-sudo-passwor

Then ssh to the system, making sure to use -A to pass the local ssh-agent along, and also ssh to an account that does not have NOPASSWD sudo enabled. Then run 'sudo -i', which will segfault.

In the log file, an MD5 fingerprint that would show up like so:

pam_ssh_agent_auth: Found matching RSA key: c9:20:ff:09:15:7b:a2:e6:59:e3:a7:4a:60:0c:4f:61:1a:60:07:c9:d2:98:76:7f:71:4f:2f:d2:fc:00:c1:7d

would now show up like so after the update:

pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

and would match the output of ssh-keygen -lf ~/.ssh/id_rsa.pub

[regression potential]

The fingerprint is only used when logging, so there is no impact on functionality. If the patch is broken, pam authentication would fail, or the message logged would be incorrect.

[scope]

the use of MD5 fingerprint is still in upstream code, so this may need to be fixed there and in all releases. alternately, a FIPS-compliant package could be created.

[other info]

the openssl FIPS addition that causes this is:

#ifdef OPENSSL_FIPS
        if (FIPS_mode()) {
            if (!(type->flags & EVP_MD_FLAG_FIPS)
                && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
                EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
                return 0;
            }
        }
#endif

so pam-ssh-agent-auth could set either flag to force openssl to allow this use of MD5; however the pam-ssh-agent-auth code that calls into openssl doesn't know what the md5 is going to be used for, so it may be more complex, and probably is much simpler just to stop using MD5 for the logged fingerprint.

See original description
Revision history for this message
Dan Streetman (ddstreet) wrote :

@ubuntu-security team, as this only affects FIPS, could you take a look at this and determine if you should create a FIPS-specific version of this package?

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pam-ssh-agent-auth (Ubuntu Bionic):
status: New → Confirmed
Changed in pam-ssh-agent-auth (Ubuntu Focal):
status: New → Confirmed
Changed in pam-ssh-agent-auth (Ubuntu Impish):
status: New → Confirmed
Changed in pam-ssh-agent-auth (Ubuntu):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3.1ubuntu1

---------------
pam-ssh-agent-auth (0.10.3-3.1ubuntu1) jammy; urgency=medium

  * debian/patches/fingerprint_sha256.patch: Default to SHA256 for key
    fingerprints. MD5 is long deprecated, OpenSSH has switched to SHA256.
    This will also allow the package to work in FIPS mode: (LP: #1964486)

 -- Tobias Heider <email address hidden> Tue, 15 Mar 2022 15:23:23 +0100

Changed in pam-ssh-agent-auth (Ubuntu Jammy):
status: Confirmed → Fix Released
Revision history for this message
Dan Streetman (ddstreet) wrote :

> Default to SHA256 for key fingerprints.

Typically changes should go upstream first, and it doesn't seem this was patched upstream yet or even an issue opened? And not patched in Debian yet either?

> MD5 is long deprecated, OpenSSH has switched to SHA256.

is this accurate even for key fingerprints used only in log messages? i didn't think that the hash function really mattered from a security perspective if used only for key fingerprints (this is a hash of the *public* key, right?), and md5 fingerprints seem fairly common still? Shouldn't this change at least be proposed upstream before making this change in ubuntu? Making this change only for FIPS would be one thing, but unilaterally changing this for all users might not be appropriate?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Upstream is dead. And while we could send this to Debian, I doubt they would care about an issue that is only important when FIPS is enabled.

As for sha256 vs MD5, OpenSSH switched fingerprints to sha256 in 2014. So while we could attempt to see if FIPS mode is enabled before using MD5, the best solution is to simply switch to what OpenSSH has been using for the past 8 years.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Oh, actually it looks like upstream development moved somewhere else, and is no longer the repo on the sourceforge page.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This appears to be the new repo from which 0.10.3 was obtained:

https://github.com/jbeverly/pam_ssh_agent_auth

We should file a bug there with the patch.

In addition, it looks like OpenSSH uses a "SHA256:" prefix and base64 encodes the fingerprint. We should probably update the patch to do the same.

Tobias Heider (tobhe)
Changed in pam-ssh-agent-auth (Ubuntu Jammy):
status: Fix Released → Fix Committed
Tobias Heider (tobhe)
Changed in pam-ssh-agent-auth (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Tobias Heider (tobhe) wrote :

> We should file a bug there with the patch.
>
> In addition, it looks like OpenSSH uses a "SHA256:" prefix and base64
> encodes the fingerprint. We should probably update the patch to do the
> same.

I updated the patch to also change the encoding and filed an upstream PR at
https://github.com/jbeverly/pam_ssh_agent_auth/pull/37/

Revision history for this message
Tobias Heider (tobhe) wrote :

I ported and tested the fix for impish and focal, see attached debdiff.

Revision history for this message
Tobias Heider (tobhe) wrote :

hey @ddstreet the security certs team would prefer a fix via SRU rather than the FIPS PPA as the changes present a general improvement by getting rid of the deprecated MD5 fingerprints and making them compatible with what `ssk-keygen -l` outputs

Revision history for this message
Tobias Heider (tobhe) wrote :

Here is a new debdiff for focal with improvements proposed by @mdeslaur

Revision history for this message
Tobias Heider (tobhe) wrote :
Marc Deslauriers (mdeslaur)
description: updated
description: updated
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs in #15 and #16, they look reasonable. Uploaded for processing by the SRU team. Thanks!

Changed in pam-ssh-agent-auth (Ubuntu Focal):
status: Confirmed → In Progress
Changed in pam-ssh-agent-auth (Ubuntu Impish):
status: Confirmed → In Progress
Revision history for this message
Tobias Heider (tobhe) wrote :

one more for bionic

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #18, except for the unexpected change to 0001-authfd.c-check-return-value-of-seteuid-2.patch. Package uploaded for processing by the SRU team. Thanks!

Changed in pam-ssh-agent-auth (Ubuntu Bionic):
status: Confirmed → In Progress
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Dan, or anyone else affected,

Accepted pam-ssh-agent-auth into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-3ubuntu1.21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in pam-ssh-agent-auth (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-impish
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Dan, or anyone else affected,

Accepted pam-ssh-agent-auth into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-3ubuntu1.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in pam-ssh-agent-auth (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Changed in pam-ssh-agent-auth (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Dan, or anyone else affected,

Accepted pam-ssh-agent-auth into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Tobias Heider (tobhe) wrote :

I have tested all three packages and they seem to work as intended. The updated packages also log the correct ssh fingerprint. Below is the log output of all versions as well as ssh-keygen -l for comparison.

bionic with version 0.10.3-1ubuntu0.1
sec-bionic-amd64 sudo[11266]: pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

focal with version 0.10.3-3ubuntu1.20.04.1:
sec-focal-pam-amd64 sudo[3692]: pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

impish version 0.10.3-3ubuntu1.21.10.1:
sec-impish-amd64 sudo[3214]: pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

ssh-keygen for comparsion:
user@kischte:~$ ssh-keygen -lf .ssh/id_rsa
4096 SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0 user@kischte (RSA)

I also tested with fips enabled to make sure it no longer segfaults.
On focal with libpam-ssh-agent-auth=0.10.3-3ubuntu1 i got:

user@sec-focal-pam-amd64:~$ sudo ls
Segmentation fault (core dumped)

focal with libpam-ssh-agent-auth=0.10.3-3ubuntu1.20.04.1 fixes the segfault:

user@sec-focal-pam-amd64:~$ sudo ls
test

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-impish
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-impish
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3ubuntu1.21.10.1

---------------
pam-ssh-agent-auth (0.10.3-3ubuntu1.21.10.1) impish; urgency=medium

  * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64
    encoding for key fingerprints. MD5 fingerprints are deprecated,
    OpenSSH has switched to SHA256 since OpenSSH 6.8.
    This will make the fingerprints compatible with ssh-keygen -l and allow
    the package to work in FIPS mode. (LP: #1964486)

 -- Tobias Heider <email address hidden> Thu, 17 Mar 2022 15:31:12 +0100

Changed in pam-ssh-agent-auth (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for pam-ssh-agent-auth has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3ubuntu1.20.04.1

---------------
pam-ssh-agent-auth (0.10.3-3ubuntu1.20.04.1) focal; urgency=medium

  * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64
    encoding for key fingerprints. MD5 fingerprints are deprecated,
    OpenSSH has switched to SHA256 since OpenSSH 6.8.
    This will make the fingerprints compatible with ssh-keygen -l and allow
    the package to work in FIPS mode. (LP: #1964486)

 -- Tobias Heider <email address hidden> Thu, 17 Mar 2022 15:31:12 +0100

Changed in pam-ssh-agent-auth (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-1ubuntu0.1

---------------
pam-ssh-agent-auth (0.10.3-1ubuntu0.1) bionic; urgency=medium

  * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64
    encoding for key fingerprints. MD5 fingerprints are deprecated,
    OpenSSH has switched to SHA256 since OpenSSH 6.8.
    This will make the fingerprints compatible with ssh-keygen -l and allow
    the package to work in FIPS mode. (LP: #1964486)

 -- Tobias Heider <email address hidden> Mon, 21 Mar 2022 11:07:10 +0100

Changed in pam-ssh-agent-auth (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.