2017-03-07 16:19:34 |
Gautier HUSSON |
bug |
|
|
added bug |
2017-03-08 17:58:45 |
Joshua Powers |
bug watch added |
|
https://bugzilla.mindrot.org/show_bug.cgi?id=2692 |
|
2017-03-08 17:58:45 |
Joshua Powers |
bug task added |
|
openssh |
|
2017-03-08 17:58:59 |
Joshua Powers |
bug |
|
|
added subscriber Joshua Powers |
2017-03-08 22:45:24 |
Gautier HUSSON |
bug watch added |
|
https://github.com/ansible/ansible-modules-extras/issues/2651 |
|
2017-03-13 16:40:02 |
Joshua Powers |
openssh (Ubuntu): importance |
Undecided |
High |
|
2017-03-13 16:40:04 |
Joshua Powers |
openssh (Ubuntu): assignee |
|
Joshua Powers (powersj) |
|
2017-03-13 16:40:06 |
Joshua Powers |
openssh (Ubuntu): status |
New |
In Progress |
|
2017-03-14 18:35:15 |
Colin Watson |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857736 |
|
2017-03-14 18:35:15 |
Colin Watson |
bug task added |
|
openssh (Debian) |
|
2017-03-14 22:40:30 |
Bug Watch Updater |
openssh (Debian): status |
Unknown |
New |
|
2017-03-16 00:42:31 |
Bug Watch Updater |
openssh (Debian): status |
New |
Fix Released |
|
2017-03-16 14:22:46 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Xenial |
|
2017-03-16 14:22:46 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Yakkety |
|
2017-03-16 14:29:33 |
Christian Ehrhardt |
description |
When I use the port option with ssh-keygen, the result is not compatible with ssh known_host file format.
UBUNTU VERSION :
================
lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
BAD :
============
:~/.ssh$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
:~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
# [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we see the port number because it is not hashed !
GOOD :
============
rm ~/.ssh/known_hosts
:~/$ ssh -p [...port...] [...snip...]
The authenticity of host '[[...snip...]]:[...port...] ([[...snip...]]:[...port...])' can't be established.
ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list of known hosts.
[...snip...]@[...snip...]'s password:
:~/$ !cat
cat ~/.ssh/known_hosts
|1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
|1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we cannot see the port number as it is well hashed !
REMARKS :
==============
Same problem has already been reported here (on macOS): https://github.com/ansible/ansible-modules-extras/issues/2651
It seems that the ssh-keyscan version and the openssh version differ :
dpkg -l | grep openssh :: ii openssh-client 1:7.2p2-4ubuntu2.1 [...]
ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
It is very annoying because I am trying to manage hand installed VMs with Ansible. For that I want to automate SSH host keys storing in known_hosts database. And because of this bug I can't. (ansible KIKIN project in development).
Thank you,
BR,
Gautier HUSSON. |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* Further evolving from the simplification Josh provided:
Testcase:
$ release=xenial
$ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-client
$ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-server
$ lxc exec ${release}-test-ssh-port-scan-server -- sed -i 's/Port 22/Port 2222/' /etc/ssh/sshd_config
$ lxc exec ${release}-test-ssh-port-scan-server -- service ssh restart
$ IP=$(lxc exec ${release}-test-ssh-port-scan-server -- hostname --ip-address)
$ lxc exec ${release}-test-ssh-port-scan-client -- ssh-keyscan -H -p 2222 ${IP}
# See the port in the Hash still
# Install the fixed version in *-client and see the port gone from the output
[Regression Potential]
* Change is limited to ssh-keyscan (not any touching other parts of openssh)
* Fix is from upstream (no "Ubuntu special" change)
* Fix is small and "only" changing string creation (11 lines touched)
So overall the regression potential should be low.
[Other Info]
* n/a |
|
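The BAD/GOOD comparison in the report above hinges on what string OpenSSH actually puts under the hash. The following is an added example (not part of the bug record and not OpenSSH's own code) that rebuilds the hashed known_hosts token format, `|1|base64(salt)|base64(HMAC-SHA1(salt, name))`, and the client-side match, then looks a host up against both the form ssh itself writes and the form the unfixed ssh-keyscan wrote. Host `203.0.113.10`, port 2222, the fixed salt and the key blob are constructed for the demonstration; the matcher is a simplification that ignores `@cert-authority`/`@revoked` markers, wildcards and negated patterns.

```python
"""Added example: how OpenSSH hashed known_hosts entries are built and matched,
and why the "[|1|salt|hash]:port" form in the BAD output above can never match.

A hashed host token is  |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))
where name is exactly what ssh would otherwise store in clear text: "host" for
port 22, "[host]:port" for any other port. ssh re-hashes the lookup name with
each stored salt and compares, so the whole "[host]:port" string must be under
the hash. Host, port, salt and key blob below are constructed for the demo.
Simplification: @cert-authority/@revoked markers, wildcards and negated
patterns are not handled.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"
SALT_LEN = hashlib.sha1().digest_size  # 20 bytes, as in OpenSSH hostfile.c


def known_hosts_name(host: str, port: int = 22) -> str:
    """Name ssh stores for a host: bare for port 22, [host]:port otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_hostname(name: str, salt: Optional[bytes] = None) -> str:
    """Build the |1|salt|hash token for name; random 20-byte salt unless given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def hashed_token_matches(token: str, name: str) -> bool:
    """Recompute HMAC-SHA1(salt, name) and compare it to the stored digest."""
    if not token.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = token[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        digest = base64.b64decode(digest_b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    if len(salt) != SALT_LEN:
        return False
    expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, digest)


def host_field_matches(field: str, name: str) -> bool:
    """First known_hosts column: comma-separated clear names and/or hashed tokens."""
    for pattern in field.split(","):
        if pattern.startswith(HASH_MAGIC):
            if hashed_token_matches(pattern, name):
                return True
        elif pattern == name:
            return True
    return False


def lookup(known_hosts: str, host: str, port: int) -> List[str]:
    """Return 'keytype key' for every known_hosts line matching host:port."""
    name = known_hosts_name(host, port)
    hits = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # hostfield, key type, key blob
        if len(parts) == 3 and host_field_matches(parts[0], name):
            hits.append(f"{parts[1]} {parts[2]}")
    return hits


# Constructed sample data (not from the bug report).
SAMPLE_HOST, SAMPLE_PORT = "203.0.113.10", 2222
SAMPLE_SALT = bytes(range(SALT_LEN))            # fixed so results are reproducible
SAMPLE_KEY = "ecdsa-sha2-nistp256 AAAAconstructedKeyBlob="

# What ssh itself writes (GOOD above): the whole "[host]:port" string is hashed.
FIXED_LINE = f"{hash_hostname(known_hosts_name(SAMPLE_HOST, SAMPLE_PORT), SAMPLE_SALT)} {SAMPLE_KEY}"
# What the unfixed ssh-keyscan -H -p wrote (BAD above): only the bare host is
# hashed, then wrapped in [...]:port, so the port is visible and nothing matches.
BUGGY_LINE = f"[{hash_hostname(SAMPLE_HOST, SAMPLE_SALT)}]:{SAMPLE_PORT} {SAMPLE_KEY}"


def demo() -> dict:
    """Look the constructed host up against both forms."""
    return {
        "fixed": lookup(FIXED_LINE, SAMPLE_HOST, SAMPLE_PORT),
        "buggy": lookup(BUGGY_LINE, SAMPLE_HOST, SAMPLE_PORT),
    }


if __name__ == "__main__":
    print("fixed form :", FIXED_LINE)
    print("buggy form :", BUGGY_LINE)
    for form, hits in demo().items():
        print(f"{form}: {'match' if hits else 'no match'}")
```

The buggy line fails for two independent reasons: the first column does not start with `|1|`, so ssh treats it as a clear-text pattern and compares it literally against `[203.0.113.10]:2222`, and even if the token were extracted, its digest covers only `203.0.113.10`, never the `[host]:port` name the client looks up. This is also why the report's GOOD run produced two separate hashed lines for `[host]:port` and `[ip]:port`: with hashing, every name gets its own salt and line.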
2017-03-23 20:15:41 |
Launchpad Janitor |
openssh (Ubuntu): status |
In Progress |
Fix Released |
|
2017-04-05 07:24:27 |
Christian Ehrhardt |
tags |
|
server-next |
|
2017-04-06 10:05:27 |
Łukasz Zemczak |
bug task added |
|
openssh (Ubuntu Xenial) |
|
2017-04-06 10:05:37 |
Łukasz Zemczak |
bug task added |
|
openssh (Ubuntu Yakkety) |
|
2017-04-06 11:11:25 |
Łukasz Zemczak |
openssh (Ubuntu Yakkety): status |
New |
Fix Committed |
|
2017-04-06 11:11:27 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-04-06 11:11:29 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2017-04-06 11:11:32 |
Łukasz Zemczak |
tags |
server-next |
server-next verification-needed |
|
2017-04-06 11:15:04 |
Łukasz Zemczak |
openssh (Ubuntu Xenial): status |
New |
Fix Committed |
|
2017-04-06 11:43:26 |
Christian Ehrhardt |
description |
[Impact]
* using ssh-keyscan while using the port (-p) option of it will create
bad entries. They will contain the port and thereby be invalid for
later use under the purpose of known_hosts.
* Fix by backporting upstream fix.
[Test Case]
* Further evolving from the simplification Josh provided:
Testcase:
$ release=xenial
$ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-client
$ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-server
$ lxc exec ${release}-test-ssh-port-scan-server -- sed -i 's/Port 22/Port 2222/' /etc/ssh/sshd_config
$ lxc exec ${release}-test-ssh-port-scan-server -- service ssh restart
$ IP=$(lxc exec ${release}-test-ssh-port-scan-server -- hostname --ip-address)
$ lxc exec ${release}-test-ssh-port-scan-client -- ssh-keyscan -H -p 2222 ${IP}
# See the port in the Hash still
# Install the fixed version in *-client and see the port gone from the output
[Regression Potential]
* Change is limited to ssh-keyscan (not any touching other parts of openssh)
* Fix is from upstream (no "Ubuntu special" change)
* Fix is small and "only" changing string creation (11 lines touched)
So overall the regression potential should be low.
[Other Info]
* n/a |
|
2017-04-06 14:50:12 |
Christian Ehrhardt |
tags |
server-next verification-needed |
server-next verification-done |
|
2017-04-19 14:28:28 |
Joshua Powers |
openssh (Ubuntu): assignee |
Joshua Powers (powersj) |
|
|
2017-04-19 14:41:24 |
Joshua Powers |
tags |
server-next verification-done |
server-next verification-done verification-done-xenial verification-done-yakkety |
|
2017-05-10 16:24:12 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-05-10 16:24:24 |
Launchpad Janitor |
openssh (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
2017-05-10 16:34:10 |
Launchpad Janitor |
openssh (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|