Package: pam-ssh-agent-auth
Severity: minor
Tags: patch
User: [email protected]
Usertags: origin-ubuntu jammy ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* debian/patches/fingerprint_sha256.patch: Use SHA256 with base64
encoding for key fingerprints. MD5 fingerprints are deprecated,
OpenSSH has switched to SHA256 since OpenSSH 6.8.
This will make the fingerprints compatible with ssh-keygen -l and allow
the package to work in FIPS mode. (LP: #1964486)
Thanks for considering the patch.
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy
APT policy: (1001, 'jammy')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-23-generic (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch
pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch
--- pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch
1970-01-01 01:00:00.000000000 +0100
+++ pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch
2022-03-17 15:31:12.000000000 +0100
@@ -0,0 +1,116 @@
+Description: Switch key fingerprint hash algorithm from MD5 to SHA256.
+ Use the newer base64 encoding format introduced in OpenSSH 6.8 to produce
+ fingerprints compatible with ssh-keygen -l.
+Forwarded: yes
+Bug: https://github.com/jbeverly/pam_ssh_agent_auth/pull/37
+Bug-Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486
+Author: Tobias Heider <[email protected]>
+
+Index: pam-ssh-agent-auth-0.10.3/key.c
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/key.c
++++ pam-ssh-agent-auth-0.10.3/key.c
+@@ -281,11 +281,8 @@ pamsshagentauth_key_fingerprint_raw(cons
+ *dgst_raw_length = 0;
+
+ switch (dgst_type) {
+- case SSH_FP_MD5:
+- md = EVP_md5();
+- break;
+- case SSH_FP_SHA1:
+- md = EVP_sha1();
++ case SSH_FP_SHA256:
++ md = EVP_sha256();
+ break;
+ default:
+ pamsshagentauth_fatal("key_fingerprint_raw: bad digest type %d",
+@@ -338,6 +335,31 @@ pamsshagentauth_key_fingerprint_raw(cons
+ }
+
+ static char *
++key_fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
++{
++ char *ret;
++ size_t plen = strlen(alg) + 1;
++ size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
++ int r;
++
++ if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
++ return NULL;
++ pamsshagentauth_strlcpy(ret, alg, rlen);
++ pamsshagentauth_strlcat(ret, ":", rlen);
++ if (dgst_raw_len == 0)
++ return ret;
++ if ((r = pamsshagentauth___b64_ntop(dgst_raw, dgst_raw_len,
++ ret + plen, rlen - plen)) == -1) {
++ explicit_bzero(ret, rlen);
++ free(ret);
++ return NULL;
++ }
++ /* Trim padding characters from end */
++ ret[strcspn(ret, "=")] = '\0';
++ return ret;
++}
++
++static char *
+ key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
+ {
+ char *retval;
+@@ -405,6 +427,7 @@ key_fingerprint_bubblebabble(u_char *dgs
+ char *
+ pamsshagentauth_key_fingerprint(const Key *k, enum fp_type dgst_type, enum
fp_rep dgst_rep)
+ {
++ const char *dgst_name;
+ char *retval = NULL;
+ u_char *dgst_raw;
+ u_int dgst_raw_len;
+@@ -416,6 +439,16 @@ pamsshagentauth_key_fingerprint(const Ke
+ case SSH_FP_HEX:
+ retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
+ break;
++ case SSH_FP_BASE64:
++ switch (dgst_type) {
++ case SSH_FP_SHA256:
++ dgst_name = "SHA256";
++ break;
++ default:
++ goto done;
++ }
++ retval = key_fingerprint_b64(dgst_name, dgst_raw, dgst_raw_len);
++ break;
+ case SSH_FP_BUBBLEBABBLE:
+ retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
+ break;
+@@ -424,6 +457,7 @@ pamsshagentauth_key_fingerprint(const Ke
+ dgst_rep);
+ break;
+ }
++ done:
+ memset(dgst_raw, 0, dgst_raw_len);
+ pamsshagentauth_xfree(dgst_raw);
+ return retval;
+Index: pam-ssh-agent-auth-0.10.3/pam_user_key_allowed2.c
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/pam_user_key_allowed2.c
++++ pam-ssh-agent-auth-0.10.3/pam_user_key_allowed2.c
+@@ -102,7 +102,7 @@ pamsshagentauth_check_authkeys_file(FILE
+ found_key = 1;
+ pamsshagentauth_logit("matching key found: file/command %s, line
%lu", file,
+ linenum);
+- fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5,
SSH_FP_HEX);
++ fp = pamsshagentauth_key_fingerprint(found, SSH_FP_SHA256,
SSH_FP_BASE64);
+ pamsshagentauth_logit("Found matching %s key: %s",
+ pamsshagentauth_key_type(found), fp);
+ pamsshagentauth_xfree(fp);
+Index: pam-ssh-agent-auth-0.10.3/key.h
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/key.h
++++ pam-ssh-agent-auth-0.10.3/key.h
+@@ -50,6 +50,7 @@ enum fp_type {
+ };
+ enum fp_rep {
+ SSH_FP_HEX,
++ SSH_FP_BASE64,
+ SSH_FP_BUBBLEBABBLE
+ };
+
diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/series
pam-ssh-agent-auth-0.10.3/debian/patches/series
--- pam-ssh-agent-auth-0.10.3/debian/patches/series 2020-04-10
18:48:24.000000000 +0200
+++ pam-ssh-agent-auth-0.10.3/debian/patches/series 2022-03-17
15:31:12.000000000 +0100
@@ -2,3 +2,4 @@
openssl-1.1.1-1.patch
openssl-1.1.1-2.patch
lp1869512.patch
+fingerprint_sha256.patch