2022-03-27 15:15:52 |
Evgeny Morozov |
bug |
|
|
added bug |
2022-03-28 14:46:49 |
Lena Voytek |
nominated for series |
|
Ubuntu Impish |
|
2022-03-28 14:46:49 |
Lena Voytek |
bug task added |
|
openssh (Ubuntu Impish) |
|
2022-03-28 14:46:49 |
Lena Voytek |
nominated for series |
|
Ubuntu Focal |
|
2022-03-28 14:46:49 |
Lena Voytek |
bug task added |
|
openssh (Ubuntu Focal) |
|
2022-03-28 14:46:49 |
Lena Voytek |
nominated for series |
|
Ubuntu Jammy |
|
2022-03-28 14:46:49 |
Lena Voytek |
bug task added |
|
openssh (Ubuntu Jammy) |
|
2022-03-28 14:46:49 |
Lena Voytek |
nominated for series |
|
Ubuntu Bionic |
|
2022-03-28 14:46:49 |
Lena Voytek |
bug task added |
|
openssh (Ubuntu Bionic) |
|
2022-03-28 14:46:56 |
Lena Voytek |
openssh (Ubuntu Impish): status |
New |
Fix Released |
|
2022-03-28 14:46:59 |
Lena Voytek |
openssh (Ubuntu Jammy): status |
New |
Fix Released |
|
2022-03-28 14:47:02 |
Lena Voytek |
openssh (Ubuntu Bionic): status |
New |
Confirmed |
|
2022-03-28 14:47:06 |
Lena Voytek |
openssh (Ubuntu Focal): status |
New |
Confirmed |
|
2022-03-28 14:47:31 |
Lena Voytek |
bug |
|
|
added subscriber Ubuntu Server |
2022-03-28 14:47:41 |
Lena Voytek |
tags |
|
server-todo |
|
2022-03-30 22:53:24 |
Sergio Durigan Junior |
bug watch added |
|
https://bugzilla.mindrot.org/show_bug.cgi?id=3146 |
|
2022-03-30 22:53:24 |
Sergio Durigan Junior |
bug task added |
|
openssh |
|
2022-03-31 03:25:23 |
Sergio Durigan Junior |
openssh (Ubuntu Bionic): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2022-03-31 03:25:25 |
Sergio Durigan Junior |
openssh (Ubuntu Focal): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2022-03-31 03:25:27 |
Sergio Durigan Junior |
openssh (Ubuntu Bionic): status |
Confirmed |
Triaged |
|
2022-03-31 03:25:30 |
Sergio Durigan Junior |
openssh (Ubuntu Bionic): status |
Triaged |
In Progress |
|
2022-03-31 03:25:32 |
Sergio Durigan Junior |
openssh (Ubuntu Focal): status |
Confirmed |
In Progress |
|
2022-03-31 03:25:40 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Sergio Durigan Junior |
2022-03-31 14:44:53 |
Sergio Durigan Junior |
description |
When I use ssh-keygen -R to remove a host from known_hosts it changes permissions on the file. This causes problems particularly when used on the global known hosts file (/etc/ssh/ssh_known_hosts), because then only root can read it. Programs running non-interactively as non-root users suddenly fail to SSH and it's not immediately obvious why.
To reproduce:
$ ssh-keyscan github.com >test_known_hosts
$ chmod 741 test_known_hosts
$ ssh-keygen -R github.com -f test_known_hosts
$ stat test_known_hosts
...
Access: (0600/-rw-------) ...
Expected behavior: file permissions remain unchanged (mode 0741 in this example).
$ lsb_release -rd
Description: Ubuntu 18.04.6 LTS
Release: 18.04
$ apt-cache policy openssh-client
openssh-client:
Installed: 1:7.6p1-4ubuntu0.6 |
[Impact]
When using "ssh-keygen -R" to remove a host from "known_hosts" the command changes permissions on the file. This can cause problems particularly when used on the global "known_hosts" file (/etc/ssh/ssh_known_hosts), because then only root can read it. Programs running non-interactively as non-root users suddenly fail to SSH and it's not immediately obvious why.
[Test Plan]
The problem happens on Bionic and Focal.
$ lxc launch ubuntu-daily:focal openssh-bug1966591
$ lxc shell openssh-bug1966591
# ssh-keyscan github.com > test_known_hosts
# chmod 644 test_known_hosts
# ssh-keygen -R github.com -f test_known_hosts
# stat test_known_hosts
...
Access: (0600/-rw-------) ...
...
[Where problems could occur]
The upstream patch is very simple and it is unlikely that it will cause any regressions. An indirect problem that could occur is that users might expect to see a more strict set of permissions on a "known_hosts" file after using "ssh-keygen -R", but arguably this is not defined behaviour and should not be relied upon. Of course, there is always a (very) small risk of introducing problems when rebuilding packages using newer versions of their dependencies (especially on Bionic, because it's older).
[Original Description]
When I use ssh-keygen -R to remove a host from known_hosts it changes permissions on the file. This causes problems particularly when used on the global known hosts file (/etc/ssh/ssh_known_hosts), because then only root can read it. Programs running non-interactively as non-root users suddenly fail to SSH and it's not immediately obvious why.
To reproduce:
$ ssh-keyscan github.com >test_known_hosts
$ chmod 741 test_known_hosts
$ ssh-keygen -R github.com -f test_known_hosts
$ stat test_known_hosts
...
Access: (0600/-rw-------) ...
Expected behavior: file permissions remain unchanged (mode 0741 in this example).
$ lsb_release -rd
Description: Ubuntu 18.04.6 LTS
Release: 18.04
$ apt-cache policy openssh-client
openssh-client:
Installed: 1:7.6p1-4ubuntu0.6 |
|
2022-03-31 20:59:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/openssh/+git/openssh/+merge/418099 |
|
2022-03-31 21:00:03 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/openssh/+git/openssh/+merge/418100 |
|
2022-03-31 21:00:47 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/openssh/+git/openssh/+merge/418101 |
|
2022-03-31 21:01:00 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/openssh/+git/openssh/+merge/418102 |
|
2022-04-12 23:05:21 |
Brian Murray |
openssh (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2022-04-12 23:05:24 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-04-12 23:05:29 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2022-04-12 23:05:34 |
Brian Murray |
tags |
server-todo |
server-todo verification-needed verification-needed-focal |
|
2022-04-12 23:07:18 |
Brian Murray |
openssh (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2022-04-12 23:07:26 |
Brian Murray |
tags |
server-todo verification-needed verification-needed-focal |
server-todo verification-needed verification-needed-bionic verification-needed-focal |
|
2022-04-13 09:01:54 |
Evgeny Morozov |
tags |
server-todo verification-needed verification-needed-bionic verification-needed-focal |
server-todo verification-done-bionic verification-needed verification-needed-focal |
|
2022-04-13 21:58:12 |
Sergio Durigan Junior |
tags |
server-todo verification-done-bionic verification-needed verification-needed-focal |
verification-done-bionic verification-done-focal |
|
2022-05-11 22:48:17 |
Launchpad Janitor |
openssh (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2022-05-11 22:48:26 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-05-11 22:49:33 |
Launchpad Janitor |
openssh (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|