2024-02-14 15:19:12 |
ake sandgren |
bug |
|
|
added bug |
2024-02-14 15:20:58 |
Launchpad Janitor |
openssh (Ubuntu): status |
New |
Confirmed |
|
2024-02-14 15:24:24 |
ake sandgren |
summary |
openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex mathod is slightly wrong |
openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong |
|
2024-02-15 12:03:40 |
Paride Legovini |
openssh (Ubuntu): status |
Confirmed |
Incomplete |
|
2024-02-19 13:28:30 |
Robie Basak |
openssh (Ubuntu): importance |
Undecided |
Critical |
|
2024-02-19 13:28:38 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Server |
2024-02-19 13:28:42 |
Robie Basak |
tags |
|
server-todo |
|
2024-03-06 16:20:13 |
Bryce Harrington |
openssh (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
2024-03-13 12:31:03 |
Andreas Hasenack |
openssh (Ubuntu): status |
Incomplete |
In Progress |
|
2024-03-13 21:38:09 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Jammy |
|
2024-03-13 21:38:09 |
Andreas Hasenack |
bug task added |
|
openssh (Ubuntu Jammy) |
|
2024-03-13 21:38:09 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Noble |
|
2024-03-13 21:38:09 |
Andreas Hasenack |
bug task added |
|
openssh (Ubuntu Noble) |
|
2024-03-13 21:38:09 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Mantic |
|
2024-03-13 21:38:09 |
Andreas Hasenack |
bug task added |
|
openssh (Ubuntu Mantic) |
|
2024-03-13 21:38:17 |
Andreas Hasenack |
openssh (Ubuntu Mantic): status |
New |
In Progress |
|
2024-03-13 21:38:19 |
Andreas Hasenack |
openssh (Ubuntu Jammy): status |
New |
In Progress |
|
2024-03-14 10:50:49 |
Colin Watson |
bug |
|
|
added subscriber Colin Watson |
2024-03-15 17:04:48 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462514 |
|
2024-03-15 17:06:53 |
Andreas Hasenack |
description |
The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
=== |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[ Original Description ]
The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
=== |
|
2024-03-15 17:14:58 |
Andreas Hasenack |
description |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[ Original Description ]
The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
=== |
[ Impact ]
The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct.
Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationMethods of the server, and if not, sshd will still start, but gssapi-keyex will not be available.
[ Test Plan ]
This update adds a new autopkgtest to the package, which tests both gssapi-with-mic ("normal" gssapi, which is not affected by this bug), and gssapi-keyex, which, before this update, does not work.
The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds.
[ Where problems could occur ]
ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead.
The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are just updating it in the new gssapi-keyex code (introduced by the distro[1] patch, already present). Therefore, mistakes here should manifest themselves just in the gssapi-keyex code, which wasn't working anyway. Effectively, though, we are enabling a new authentication mechanism in sshd, one that was not supposed to have been removed, but was broken by mistake.
[ Other Info ]
The fact no-one noticed this problem for more than two years could be telling that there are not many users of this authentication mechanism out there. The same applies to debian: it has also been broken for a while there. Maybe we should drop it for future ubuntu releases, since upstream refuses to take it in.
[ Original Description ]
The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
=== |
|
2024-03-15 17:54:02 |
Andreas Hasenack |
openssh (Ubuntu Noble): importance |
Critical |
High |
|
2024-03-15 17:54:03 |
Andreas Hasenack |
openssh (Ubuntu Mantic): importance |
Undecided |
High |
|
2024-03-15 17:54:05 |
Andreas Hasenack |
openssh (Ubuntu Jammy): importance |
Undecided |
High |
|
2024-03-15 17:54:07 |
Andreas Hasenack |
openssh (Ubuntu Jammy): assignee |
|
Andreas Hasenack (ahasenack) |
|
2024-03-15 17:54:09 |
Andreas Hasenack |
openssh (Ubuntu Mantic): assignee |
|
Andreas Hasenack (ahasenack) |
|
2024-03-17 15:24:53 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462552 |
|
2024-03-17 15:27:00 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462553 |
|
2024-03-24 21:43:13 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Andreas Hasenack |
2024-03-28 08:00:13 |
Launchpad Janitor |
openssh (Ubuntu Noble): status |
In Progress |
Fix Released |
|
2024-04-05 13:49:52 |
Timo Aaltonen |
openssh (Ubuntu Mantic): status |
In Progress |
Fix Committed |
|
2024-04-05 13:49:55 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2024-04-05 13:49:56 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2024-04-05 13:49:58 |
Timo Aaltonen |
tags |
server-todo |
server-todo verification-needed verification-needed-mantic |
|
2024-04-05 13:51:34 |
Timo Aaltonen |
openssh (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2024-04-05 13:51:40 |
Timo Aaltonen |
tags |
server-todo verification-needed verification-needed-mantic |
server-todo verification-needed verification-needed-jammy verification-needed-mantic |
|
2024-04-08 13:54:02 |
Andreas Hasenack |
description |
[ Impact ]
The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct.
Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationMethods of the server, and if not, sshd will still start, but gssapi-keyex will not be available.
[ Test Plan ]
This update adds a new autopkgtest to the package, which tests both gssapi-with-mic ("normal" gssapi, which is not affected by this bug), and gssapi-keyex, which, before this update, does not work.
The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds.
[ Where problems could occur ]
ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead.
The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are just updating it in the new gssapi-keyex code (introduced by the distro[1] patch, already present). Therefore, mistakes here should manifest themselves just in the gssapi-keyex code, which wasn't working anyway. Effectively, though, we are enabling a new authentication mechanism in sshd, one that was not supposed to have been removed, but was broken by mistake.
[ Other Info ]
The fact no-one noticed this problem for more than two years could be telling that there are not many users of this authentication mechanism out there. The same applies to debian: it has also been broken for a while there. Maybe we should drop it for future ubuntu releases, since upstream refuses to take it in.
[ Original Description ]
The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
=== |
[ Impact ]
The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct.
Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationMethods of the server, and if not, sshd will still start, but gssapi-keyex will not be available.
[ Test Plan ]
This update adds a new autopkgtest to the package, which tests both gssapi-with-mic ("normal" gssapi, which is not affected by this bug), and gssapi-keyex, which, before this update, does not work.
The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds.
[ Where problems could occur ]
ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead.
The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are just updating it in the new gssapi-keyex code (introduced by the distro[1] patch, already present). Therefore, mistakes here should manifest themselves just in the gssapi-keyex code, which wasn't working anyway. Effectively, though, we are enabling a new authentication mechanism in sshd, one that was not supposed to have been removed, but was broken by mistake.
[ Other Info ]
The fact no-one noticed this problem for more than two years could be telling that there are not many users of this authentication mechanism out there. The same applies to debian: it has also been broken for a while there. Maybe we should drop it for future ubuntu releases, since upstream refuses to take it in.
1. https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/gssapi.patch
[ Original Description ]
The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
=== |
|
2024-04-08 13:54:37 |
Andreas Hasenack |
description |
[ Impact ]
The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct.
Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationMethods of the server, and if not, sshd will still start, but gssapi-keyex will not be available.
[ Test Plan ]
This update adds a new autopkgtest to the package, which tests both gssapi-with-mic ("normal" gssapi, which is not affected by this bug), and gssapi-keyex, which, before this update, does not work.
The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds.
[ Where problems could occur ]
ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead.
The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are just updating it in the new gssapi-keyex code (introduced by the distro[1] patch, already present). Therefore, mistakes here should manifest themselves just in the gssapi-keyex code, which wasn't working anyway. Effectively, though, we are enabling a new authentication mechanism in sshd, one that was not supposed to have been removed, but was broken by mistake.
[ Other Info ]
The fact no-one noticed this problem for more than two years could be telling that there are not many users of this authentication mechanism out there. The same applies to debian: it has also been broken for a while there. Maybe we should drop it for future ubuntu releases, since upstream refuses to take it in.
1. https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/gssapi.patch
[ Original Description ]
The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
=== |
[ Impact ]
The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct.
Without the fix, sshd will fail to start if gssapi-keyex is listed in the AuthenticationMethods of the server, and if not, sshd will still start, but gssapi-keyex will not be available.
[ Test Plan ]
This update, besides fixing the patch, also adds a new autopkgtest to the package, which tests both gssapi-with-mic ("normal" gssapi, which is not affected by this bug), and gssapi-keyex, which, before this update, did not work.
The test plan is to run the new ssh-gssapi autopkgtest and verify it succeeds.
[ Where problems could occur ]
ssh is a critical piece of infrastructure, and problems with it could have catastrophic consequences. The service itself has a test command before it starts up to verify the syntax of the config file, but that test is not applied on shutdown, so a restart with an invalid config file could still leave sshd dead.
The patch adds a change to an authentication structure, but that change is already present in the upstream code, and we are just updating it in the new gssapi-keyex code (introduced by the distro[1] patch, already present). Therefore, mistakes here should manifest themselves just in the gssapi-keyex code, which wasn't working anyway. Effectively, though, we are enabling a new authentication mechanism in sshd, one that was not supposed to have been removed, but was broken by mistake.
[ Other Info ]
The fact no-one noticed this problem for more than two years could be telling that there are not many users of this authentication mechanism out there. The same applies to debian: it has also been broken for a while there. Maybe we should drop it for future ubuntu releases, since upstream refuses to take it in.
1. https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/gssapi.patch
[ Original Description ]
The Authmethod struct now have 4 entries but the initialization of the method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
=== |
|
2024-04-08 21:03:43 |
Andreas Hasenack |
tags |
server-todo verification-needed verification-needed-jammy verification-needed-mantic |
server-todo verification-done-jammy verification-needed verification-needed-mantic |
|
2024-04-08 21:05:10 |
Andreas Hasenack |
tags |
server-todo verification-done-jammy verification-needed verification-needed-mantic |
server-todo verification-done-jammy verification-done-mantic verification-needed |
|
2024-04-17 11:03:37 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2024-04-17 11:03:37 |
Launchpad Janitor |
openssh (Ubuntu Mantic): status |
Fix Committed |
Fix Released |
|
2024-04-17 11:03:49 |
Launchpad Janitor |
openssh (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|