hardy ppc (ports.ubuntu.com) includes broken (old) openssh-client package which only generates compromised keys.

Bug #287256 reported by b on 2008-10-21
Affects: openssh (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

The version of openssh-client included in hardy for ppc (from ports.ubuntu.com) will only create compromised keys.
Additionally the version on ppc does not even include ssh-vulnkey.

On the ppc machine:

bbogart@ubuntu:~$ dpkg -l openssh-client | grep ^ii
ii openssh-client 1:4.7p1-8ubuntu1 secure shell client, an rlogin/rsh/rcp replacement
bbogart@ubuntu:~$ dpkg -L openssh-client | grep vuln
bbogart@ubuntu:~$

On the x86 machine:

bbogart@aporia:~$ dpkg -l openssh-client | grep ^ii
ii openssh-client 1:4.7p1-8ubuntu1.2 secure shell client, an rlogin/rsh/rcp replacement
bbogart@aporia:~$ dpkg -L openssh-client | grep vuln
/usr/share/man/man1/ssh-vulnkey.1.gz
/usr/bin/ssh-vulnkey

Here is the whole testing transaction for key generation on the ppc machine:

bbogart@ubuntu:~$ uname -a
Linux ubuntu 2.6.24-16-powerpc #1 Thu Apr 10 12:48:35 UTC 2008 ppc GNU/Linux
bbogart@ubuntu:~$ ssh-keygen -t rsa -f test
Generating public/private rsa key pair.
test already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test.
Your public key has been saved in test.pub.
The key fingerprint is:
40:5d:14:f9:b7:b3:2a:4c:05:db:28:62:e0:f1:19:32 bbogart@ubuntu
bbogart@ubuntu:~$ scp test.pub aporia:
bbogart@aporia's password:
test.pub 100% 396 0.4KB/s 00:00
bbogart@ubuntu:~$ ssh aporia
bbogart@aporia's password:
Linux aporia 2.6.24-19-rt #1 SMP PREEMPT RT Thu Aug 21 02:08:03 UTC 2008 i686
...
bbogart@aporia:~$ ssh-vulnkey test.pub
COMPROMISED: 2048 40:5d:14:f9:b7:b3:2a:4c:05:db:28:62:e0:f1:19:32 bbogart@ubuntu

Should ppc bugs be reported somewhere else? (ports.ubuntu.com specific?)

Thanks,
.b.

Charlie Kravetz (charlie-tca) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This bug did not have a package associated with it, which is important for ensuring that it gets looked at by the proper developers. You can learn more about finding the right package at https://wiki.ubuntu.com/Bugs/FindRightPackage . I have classified this bug as a bug in openssh.
For future reference you might be interested to know that a lot of applications have bug reporting functionality built in to them. This can be accessed via the Report a Problem option in the Help menu for the application with which you are having an issue. You can learn more about this feature at https://wiki.ubuntu.com/ReportingBugs.

Charlie Kravetz (charlie-tca) wrote :

I add the Security vulnerability tag to this bug, since correct ssh keys cannot be created.
Thanks for reporting this bug.

Colin Watson (cjwatson) wrote :

This security vulnerability was discovered after the original release of hardy, and updated packages were issued long ago for all architectures, including powerpc. It sounds like you have not applied security updates to your system. The master archive shows:

  openssh-client | 1:4.7p1-8ubuntu1 | hardy | amd64, hppa, i386, ia64, lpia, powerpc, sparc
  openssh-client | 1:4.7p1-8ubuntu1.2 | hardy-security | amd64, hppa, i386, ia64, lpia, powerpc, sparc
  openssh-client | 1:4.7p1-8ubuntu1.2 | hardy-updates | amd64, hppa, i386, ia64, lpia, powerpc, sparc

Make sure that the following lines are in /etc/apt/sources.list:

  deb http://ports.ubuntu.com/ubuntu-ports hardy-security main restricted universe multiverse
  deb-src http://ports.ubuntu.com/ubuntu-ports hardy-security main restricted universe multiverse
  deb http://ports.ubuntu.com/ubuntu-ports hardy-updates main restricted universe multiverse
  deb-src http://ports.ubuntu.com/ubuntu-ports hardy-updates main restricted universe multiverse

Then press "Check" followed by "Install Updates" in System -> Administration -> Update Manager, or run 'sudo apt-get update' and 'sudo apt-get dist-upgrade', or whatever other upgrade method you prefer.

I don't know why your system wasn't already fixed. Perhaps you simply didn't apply security updates for some reason, or perhaps you ran into some installer bug that meant that hardy-security wasn't in sources.list (though I'm astonished that at least hardy-updates wasn't there). I am confident that all such installer bugs have been fixed by now, although of course this is one area where it's particularly difficult to issue updates effectively!

Changed in openssh:
status: New → Fix Released
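A defender-side check for the two things the comment above points at: whether the installed openssh-client is at least the fixed 1:4.7p1-8ubuntu1.2, and whether /etc/apt/sources.list actually enables the hardy-security and hardy-updates pockets. This is an added example, not code from the bug report or from Ubuntu; it re-implements dpkg's version ordering in Python so it runs without dpkg, and the `dpkg -l` and sources.list samples are constructed from the lines quoted in this report.

```python
import re

# Fixed version as listed in the hardy-security / hardy-updates rows above.
FIXED_VERSION = '1:4.7p1-8ubuntu1.2'


def _order(c: str) -> int:
    """dpkg's ordering for one character of a non-digit run ('' = end of string)."""
    if c == '' or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == '~':
        return -1          # '~' sorts before everything, even the end of the string
    return ord(c) + 256    # other punctuation sorts after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or Debian revision the way dpkg's verrevcmp does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: character by character with dpkg's ordering.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else '')
            bc = _order(b[ib] if ib < len(b) else '')
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Digit run: compared numerically, so 8ubuntu1 < 8ubuntu1.2 and 1.10 > 1.9.
        ma = re.match(r'\d*', a[ia:]).group(0)
        mb = re.match(r'\d*', b[ib:]).group(0)
        ia += len(ma)
        ib += len(mb)
        na, nb = (int(ma) if ma else 0), (int(mb) if mb else 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Negative, zero or positive, like `dpkg --compare-versions v1 lt/eq/gt v2`."""
    def split(v):
        epoch, sep, rest = v.partition(':')
        if not sep:
            epoch, rest = '0', v
        upstream, sep, revision = rest.rpartition('-')
        if not sep:
            upstream, revision = rest, ''
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def installed_version(dpkg_l_output: str, package: str):
    """Installed version of `package` from `dpkg -l` output (only 'ii' rows count)."""
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == 'ii' and fields[1] == package:
            return fields[2]
    return None


def has_fixed_openssh(dpkg_l_output: str) -> bool:
    """True when openssh-client is installed at FIXED_VERSION or newer."""
    v = installed_version(dpkg_l_output, 'openssh-client')
    return v is not None and compare_versions(v, FIXED_VERSION) >= 0


def missing_pockets(sources_list: str, release: str = 'hardy'):
    """Pockets (release-security, release-updates) with no active 'deb' line."""
    wanted = {f'{release}-security', f'{release}-updates'}
    enabled = set()
    for line in sources_list.splitlines():
        fields = line.split('#', 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] == 'deb':
            if fields[1].startswith('['):         # skip a "[arch=...]" option block
                fields = fields[:1] + fields[2:]
            if len(fields) >= 3:
                enabled.add(fields[2])
    return sorted(wanted - enabled)


# Constructed samples, taken from the dpkg -l lines quoted in the report.
PPC_DPKG_L = 'ii openssh-client 1:4.7p1-8ubuntu1 secure shell client, an rlogin/rsh/rcp replacement\n'
X86_DPKG_L = 'ii openssh-client 1:4.7p1-8ubuntu1.2 secure shell client, an rlogin/rsh/rcp replacement\n'
# Constructed sources.list with the security pocket commented out.
SOURCES_MISSING_SECURITY = (
    'deb http://ports.ubuntu.com/ubuntu-ports hardy main restricted universe multiverse\n'
    '# deb http://ports.ubuntu.com/ubuntu-ports hardy-security main restricted universe multiverse\n'
    'deb http://ports.ubuntu.com/ubuntu-ports hardy-updates main restricted universe multiverse\n'
)

if __name__ == '__main__':
    for name, out in (('ppc', PPC_DPKG_L), ('x86', X86_DPKG_L)):
        print(name, installed_version(out, 'openssh-client'), 'fixed' if has_fixed_openssh(out) else 'VULNERABLE')
    print('pockets missing from sources.list:', missing_pockets(SOURCES_MISSING_SECURITY))
```

On a real host, feed it the output of `dpkg -l openssh-client` and the contents of /etc/apt/sources.list; the version comparison matters because a naive string compare would not rank `8ubuntu1.2` correctly against `8ubuntu1` or a `~` pre-release suffix.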