Issue on sshd finds correct private key for a certificate when using ssh-agent
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Chloé Smith | ||
Hirsute |
Fix Released
|
Undecided
|
Chloé Smith | ||
Impish |
Fix Released
|
Undecided
|
Utkarsh Gupta |
Bug Description
Reported as https:/
[Impact]
* HostCertificate and HostKeyAgent are not working together in sshd due
to a mismatched certificate's public key and private key. The function ` `sshkey_
key with a private key, never finding a match. The impact is that sshd
cannot use said certificate *even though* its private key is indeed in
ssh-agent.
* What it should do is compare the certificate's public key with a public key in `sensitive_data`.
* Having this SRU-ed is a direct ask from one of the major cloud partners.
They are currently using a customised version of the package to work
around this issue, and we would like them to use a package directly from
our own archive.
* Looping through sensitive_
sensitive_
[https:/
/* Find matching private key */
for (j = 0; j < options.
if (sshkey_
sensitive_
sensitive_
break;
}
}
vs.
/* Find matching private key */
for (j = 0; j < options.
if (sshkey_
sensitive_
sensitive_
break;
}
}
[Test Plan]
* Due to the empirical nature of this bug, the test is quite straight
forward. *Without* the fix, one cannot use certificates to authenticate
successfully (e.g. ``sshd -c /path/to/
whereas with the fix (assuming the certificate matches a host key) you
can create a channel.
[Where problems could occur]
* This has already been fixed both upstream and in Jammy without issue.
However, if a regression where to happen it would probably be in one of
two ways:
* A dependency/
bump that will happen if this fix is ported. We mitigate this risk
by testing for these exact types of regression,
and by selecting carefully what to label this new version.
* Accidentally breaking a set up that was made to work around this
bug in the first place. The risk of this is lower, as the most
likely fix is the one being implemented here anyway. Though
to mitigate this more we can describe exactly what is happening
with the fix in the changelog.
This affects every version of openssh back until Focal, at least.
Related branches
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 294 lines (+206/-17) (has conflicts)8 files modifieddebian/changelog (+41/-0)
debian/control (+9/-0)
debian/patches/CVE-2021-28041.patch (+14/-0)
debian/patches/lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch (+59/-0)
debian/patches/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch (+46/-0)
debian/patches/match-host-certs-w-public-keys.patch (+30/-0)
debian/patches/series (+7/-0)
dev/null (+0/-17)
- Utkarsh Gupta (community): Approve
-
Diff: 61 lines (+39/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/match-host-certs-w-public-keys.patch (+30/-0)
debian/patches/series (+1/-0)
- Utkarsh Gupta (community): Approve
- Canonical Server packageset reviewers: Pending requested
-
Diff: 61 lines (+39/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/match-host-certs-w-public-keys.patch (+30/-0)
debian/patches/series (+1/-0)
- Chloé Smith (community): Approve
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
-
Diff: 61 lines (+39/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/match-host-certs-w-public-keys.patch (+30/-0)
debian/patches/series (+1/-0)
Changed in openssh (Ubuntu): | |
status: | New → Fix Released |
description: | updated |
Changed in openssh (Ubuntu Impish): | |
assignee: | nobody → Utkarsh Gupta (utkarsh) |
Changed in openssh (Ubuntu Hirsute): | |
assignee: | nobody → Chloé Smith (kajiya) |
Changed in openssh (Ubuntu Focal): | |
assignee: | nobody → Chloé Smith (kajiya) |
Hello Utkarsh, or anyone else affected,
Accepted openssh into impish-proposed. The package will build now and be available at https:/ /launchpad. net/ubuntu/ +source/ openssh/ 1:8.4p1- 6ubuntu2. 1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification- needed- impish to verification- done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed- impish. In either case, without details of your testing we will not be able to proceed.
Further information regarding the verification process can be found at https:/ /wiki.ubuntu. com/QATeam/ PerformingSRUVe rification . Thank you in advance for helping!
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.