openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Fix Released | High | Andreas Hasenack |
Jammy | Fix Released | High | Andreas Hasenack |
Mantic | Fix Released | High | Andreas Hasenack |
Noble | Fix Released | High | Andreas Hasenack |
Bug Description
[ Impact ]
The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct.
Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationM
[ Test Plan ]
This update, besides fixing the patch, also adds a new autopkgtest to the package, which tests both gssapi-with-mic ("normal" gssapi, which is not affected by this bug), and gssapi-keyex, which, before this update, did not work.
The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds.
[ Where problems could occur ]
ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead.
The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are just updating it in the new gssapi-keyex code (introduced by the distro[1] patch, already present). Therefore, mistakes here should manifest themselves just in the gssapi-keyex code, which wasn't working anyway. Effectively, though, we are enabling a new authentication mechanism in sshd, one that was not supposed to have been removed, but was broken by mistake.
[ Other Info ]
The fact no-one noticed this problem for more than two years could be telling that there are not many users of this authentication mechanism out there. The same applies to Debian: it has also been broken for a while there. Maybe we should drop it for future Ubuntu releases, since upstream refuses to take it in.
1. https:/
[ Original Description ]
The Authmethod struct now has 4 entries but the initialization of the method_gsskeyex in the debian/
The struct was changed in upstream commit dbb339f015c33d6
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
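Review bot: this hunk changes both the member count of `Authmethod` (a new `char *synonym` inserted before `userauth`) and the `userauth` signature (`int (*userauth)(struct ssh *, const char *)`), so any out-of-tree positional initializer written against the old three-member layout now compiles with its values shifted one slot to the right. Downstream patches such as debian/patches/gssapi.patch need a `NULL` synonym entry and a handler that accepts the extra `const char *` argument; using designated initializers (`.name =`, `.userauth =`, `.enabled =`) in those tables would turn this kind of drift into a compile error rather than a silently mis-filled entry.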
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.
+};
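Review bot: the initializer is one element short for the four-member struct, so `userauth_gsskeyex` lands in `synonym`, `&options.` lands in `userauth`, and `enabled` is zero-filled to NULL, which is why sshd cannot use the method. Insert `NULL,` between `"gssapi-keyex",` and `userauth_gsskeyex,` as the description says, and confirm that `userauth_gsskeyex` has been updated to the two-argument signature `int (struct ssh *, const char *)` so the function pointer type matches as well.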
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://
500 http://
100 /var/lib/
1:8.9p1-3 500
500 http://
===
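The mechanism behind this bug is C's handling of a positional struct initializer that is too short: trailing members are zero-filled, so a mis-sized `Authmethod` entry compiles and leaves `enabled` NULL. The following is an added illustration, not code from openssh or from the Debian/Ubuntu patch; it mirrors the four-member `Authmethod` layout quoted above and adds a startup-style check that rejects a method table entry whose `userauth` or `enabled` pointer is missing. The `options` struct, its field names and the stub handlers are assumptions for the example. The broken entry here is constructed by omitting the last initializer (which compiles cleanly) rather than by the exact shifted initializer from the patch, but the zero-fill it demonstrates is the same one that disabled gssapi-keyex.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout mirrors upstream's four-member Authmethod after the struct change
 * quoted in the bug: name, synonym, userauth, enabled (order matters). */
struct ssh;
typedef struct Authmethod {
    char *name;
    char *synonym;
    int (*userauth)(struct ssh *, const char *);
    int *enabled;
} Authmethod;

/* Hypothetical stand-in for sshd's `options` flags (field names assumed). */
static struct {
    int gss_authentication;
    int gss_keyex;
} options = { 1, 1 };

/* Stub handlers standing in for the real ones in auth2-gss.c. */
static int userauth_gssapi(struct ssh *ssh, const char *method)
{
    (void)ssh; (void)method;
    return 0;
}
static int userauth_gsskeyex(struct ssh *ssh, const char *method)
{
    (void)ssh; (void)method;
    return 0;
}

/* Correct form: designated initializers bind each value to a named member,
 * so a later reordering or widening of the struct becomes a compile error
 * instead of a silently shifted table entry. */
Authmethod method_gssapi = {
    .name = "gssapi-with-mic",
    .synonym = NULL,
    .userauth = userauth_gssapi,
    .enabled = &options.gss_authentication,
};
Authmethod method_gsskeyex_fixed = {
    .name = "gssapi-keyex",
    .synonym = NULL,
    .userauth = userauth_gsskeyex,
    .enabled = &options.gss_keyex,
};

/* Constructed defect: a positional initializer one value short. C zero-fills
 * the trailing member, so .enabled is NULL and the method is unusable. */
Authmethod method_gsskeyex_broken = {
    "gssapi-keyex",
    NULL,
    userauth_gsskeyex,
};

/* NULL-terminated method tables, like authmethods[] in auth2.c. */
Authmethod *table_fixed[]  = { &method_gssapi, &method_gsskeyex_fixed, NULL };
Authmethod *table_broken[] = { &method_gssapi, &method_gsskeyex_broken, NULL };

/* Constructed AuthenticationMethods-style list to validate. */
const char *wanted_methods[] = { "gssapi-with-mic", "gssapi-keyex" };

/* A table entry is usable only if every pointer it needs is wired up. */
int authmethod_is_wired(const Authmethod *m)
{
    return m != NULL && m->name != NULL && m->userauth != NULL && m->enabled != NULL;
}

/* Startup-style check: every requested method must exist in the table and be
 * fully wired. Returns the number of unknown or incomplete methods. */
int check_method_list(Authmethod **table, const char **wanted, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        Authmethod *hit = NULL;
        for (Authmethod **p = table; *p != NULL; p++) {
            if (strcmp((*p)->name, wanted[i]) == 0 ||
                ((*p)->synonym != NULL && strcmp((*p)->synonym, wanted[i]) == 0)) {
                hit = *p;
                break;
            }
        }
        if (hit == NULL) {
            fprintf(stderr, "method %s: not in table\n", wanted[i]);
            bad++;
        } else if (!authmethod_is_wired(hit)) {
            fprintf(stderr, "method %s: table entry incomplete (userauth or enabled is NULL)\n",
                    wanted[i]);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("fixed table:  %d problem(s)\n", check_method_list(table_fixed, wanted_methods, 2));
    printf("broken table: %d problem(s)\n", check_method_list(table_broken, wanted_methods, 2));
    return 0;
}
```

Running it reports zero problems for the designated-initializer table and one for the table containing the short entry, which is the condition a config listing gssapi-keyex would trip over. Compiling with `-Wextra` also surfaces the short initializer as a missing-field-initializers warning, a cheap way to catch this class of drift when a distro patch is rebased onto a new upstream.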
Related branches
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 331 lines (+265/-3), 5 files modified: debian/changelog (+11/-0), debian/patches/gssapi.patch (+12/-3), debian/tests/control (+6/-0), debian/tests/ssh-gssapi (+160/-0), debian/tests/util (+76/-0)
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
- git-ubuntu import: Pending requested
- Diff: 331 lines (+265/-3), 5 files modified: debian/changelog (+11/-0), debian/patches/gssapi.patch (+12/-3), debian/tests/control (+6/-0), debian/tests/ssh-gssapi (+160/-0), debian/tests/util (+76/-0)
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 327 lines (+261/-3), 5 files modified: debian/changelog (+11/-0), debian/patches/gssapi.patch (+12/-3), debian/tests/control (+6/-0), debian/tests/ssh-gssapi (+156/-0), debian/tests/util (+76/-0)
summary: |
- openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex mathod is
+ openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong |
Changed in openssh (Ubuntu): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in openssh (Ubuntu): | |
status: | Incomplete → In Progress |
Changed in openssh (Ubuntu Mantic): | |
status: | New → In Progress |
Changed in openssh (Ubuntu Jammy): | |
status: | New → In Progress |
description: | updated |
description: | updated |
Changed in openssh (Ubuntu Noble): | |
importance: | Critical → High |
Changed in openssh (Ubuntu Mantic): | |
importance: | Undecided → High |
Changed in openssh (Ubuntu Jammy): | |
importance: | Undecided → High |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in openssh (Ubuntu Mantic): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
description: | updated |
description: | updated |
Status changed to 'Confirmed' because the bug affects multiple users.