OpenSSH Client Certificate Auth Regression

Bug #1575961 reported by Paul Querna on 2016-04-27
This bug affects 1 person
Affects          | Status | Importance | Assigned to  | Milestone
openssh (Ubuntu) |        | High       | Colin Watson |
Xenial           |        | High       | Colin Watson |

Bug Description

OpenSSH Client Certificates worked in Ubuntu 15.10 and 14.04 LTS -- but not 16.04.

OpenSSH 7.2p2 includes a bug in how it loads keys & certificates, and basically will never find the correct private key for an OpenSSH Client Certificate.

This is the upstream bug:

https://bugzilla.mindrot.org/show_bug.cgi?id=2550

Fix was committed on March 14:

https://github.com/openssh/openssh-portable/commit/c38905ba391434834da86abfc988a2b8b9b62477

I've tested with the attached patch, and it allows Client Certificate auth to work at all.

Paul Querna (pquerna) wrote :

The attachment "unbreak-certificate-auth.dpatch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Colin Watson (cjwatson) on 2016-04-28
Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
no longer affects: openssh (Ubuntu Trusty)
Changed in openssh (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Colin Watson (cjwatson) on 2016-04-28
Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
Colin Watson (cjwatson) on 2016-04-28
Changed in openssh (Ubuntu Xenial):
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)

Hello Paul, or anyone else affected,

Accepted openssh into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:7.2p2-4ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in openssh (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Paul Querna (pquerna) wrote :

Thanks for the quick response, with openssh-client_7.2p2-4ubuntu1_amd64.deb installed I am able to use SSH Client Certificates again!

Colin Watson (cjwatson) on 2016-04-28
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:7.2p2-5

---------------
openssh (1:7.2p2-5) unstable; urgency=medium

  * Backport upstream patch to unbreak authentication using lone certificate
    keys in ssh-agent: when attempting pubkey auth with a certificate, if no
    separate private key is found among the keys then try with the
    certificate key itself (thanks, Paul Querna; LP: #1575961).

 -- Colin Watson <email address hidden> Thu, 28 Apr 2016 01:52:01 +0100

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
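A simplified model of the identity-selection logic the changelog above describes, added here as an illustration rather than OpenSSH's own code: the toy agent, the string-based key blobs and the hash-based "signature" are constructed stand-ins, and the only point modelled is that the 7.2p2 client looked for a separate plain private key and gave up, while the fixed client falls back to signing with the certificate identity the agent already holds.

```python
import hashlib


class ToyAgent:
    """Constructed stand-in for ssh-agent: maps a loaded identity's public
    blob to a secret it can sign with (a hash tag stands in for a real SSH
    signature). A certificate identity added with ssh-add is stored under
    the certificate blob, and the agent can sign for it directly."""

    def __init__(self):
        self._secrets = {}

    def add(self, pubkey_blob, secret):
        self._secrets[pubkey_blob] = secret

    def sign(self, pubkey_blob, data):
        if pubkey_blob not in self._secrets:
            return None  # identity not loaded: the agent refuses to sign
        return hashlib.sha256(self._secrets[pubkey_blob] + data).hexdigest()


def strip_cert(blob):
    """A certificate identity is modelled as '<pubkey>-cert'; return the plain key."""
    return blob[: -len("-cert")] if blob.endswith("-cert") else blob


def sign_for_auth_7_2p2(agent, identity, data):
    """Broken behaviour: only ever asks the agent for the separate plain key,
    so a lone certificate in the agent is never usable."""
    return agent.sign(strip_cert(identity), data)


def sign_for_auth_fixed(agent, identity, data):
    """Fixed behaviour: try the plain key; if none is loaded, try with the
    certificate key itself (the agent holds its private half)."""
    sig = agent.sign(strip_cert(identity), data)
    if sig is None and identity.endswith("-cert"):
        sig = agent.sign(identity, data)
    return sig


def demo():
    """Lone certificate in the agent, as ssh-add leaves it: broken -> None, fixed -> signature."""
    agent = ToyAgent()
    agent.add("ssh-ed25519-AAAA-cert", b"constructed-secret")
    challenge = b"session-id||userauth-request"
    return (sign_for_auth_7_2p2(agent, "ssh-ed25519-AAAA-cert", challenge),
            sign_for_auth_fixed(agent, "ssh-ed25519-AAAA-cert", challenge))
```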
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:7.2p2-4ubuntu1

---------------
openssh (1:7.2p2-4ubuntu1) xenial; urgency=medium

  * Backport upstream patch to unbreak authentication using lone certificate
    keys in ssh-agent: when attempting pubkey auth with a certificate, if no
    separate private key is found among the keys then try with the
    certificate key itself (thanks, Paul Querna; LP: #1575961).

 -- Colin Watson <email address hidden> Thu, 28 Apr 2016 01:57:51 +0100

Changed in openssh (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openssh has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
