Processed: Re: Bug#926613: openssh-server: Locked out of server after upgrading to buster.

2019-04-08 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 release-notes
Bug #926613 [openssh-server] openssh-server: Locked out of server after 
upgrading to buster.
Bug reassigned from package 'openssh-server' to 'release-notes'.
Ignoring request to alter found versions of bug #926613 to the same values 
previously set
Ignoring request to alter fixed versions of bug #926613 to the same values 
previously set

-- 
926613: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926613
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#926613: openssh-server: Locked out of server after upgrading to buster.

2019-04-08 Thread Colin Watson
Control: reassign -1 release-notes

On Sun, Apr 07, 2019 at 08:36:11PM +, Sam Bull wrote:
> Package: openssh-server
> Severity: serious
> Justification: Policy 8.2

Policy 8.2 is "Shared library support files", which seems to have
nothing to do with this.

> Due to a change in how some options are handled in sshd_config, upgrading to 
> buster can result in the user getting locked out of their system if the 
> config is not updated.
> 
> Probably the most likely cause (and what occurred to me) is if the 
> PubkeyAcceptedKeyTypes includes ssh-rsa and the admin logs in with an RSA 
> key. After upgrading, the user will no longer be able to connect to the 
> server.
> The solution for this case is to replace ssh-rsa with 
> rsa-sha2-256,rsa-sha2-512.
> 
> At the very least this needs to be mentioned in the upgrade instructions in 
> the release notes for buster.

This is already documented in openssh's NEWS.Debian file, presented
before upgrade if you use apt-listchanges.  It says:

   * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
     HostbasedAcceptedKeyTypes options have changed.  These now specify
     signature algorithms that are accepted for their respective
     authentication mechanism, where previously they specified accepted key
     types.  This distinction matters when using the RSA/SHA2 signature
     algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
     counterparts.  Configurations that override these options but omit
     these algorithm names may cause unexpected authentication failures (no
     action is required for configurations that accept the default for these
     options).

I don't think I consider it safe to try to mangle this automatically in
people's sshd_config files in this case; the cure could easily be worse
than the disease, and any time I try to do that sort of thing it
generates a flurry of RC bug reports about configuration file
modifications which are always really hard to get right in a
policy-friendly way.

Other than that, for people who don't see or don't fully read the
NEWS.Debian file I already provided, the best I can do is reassign this
to the release notes to lift some of these warnings up to there.

Thanks,

-- 
Colin Watson   [cjwat...@debian.org]
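A pre-upgrade check for the configuration footgun the NEWS.Debian entry describes, written here as an added example; it is not code from the bug report, from Colin Watson, or from the Debian openssh package. It assumes a stock sshd_config syntax ("Keyword value" or "Keyword=value", "#" comments, comma-separated algorithm lists, and the "+"/"-" prefixes that modify the default list rather than replace it) and flags any explicit PubkeyAcceptedKeyTypes or HostbasedAcceptedKeyTypes list that names ssh-rsa (or its certificate form) without the matching rsa-sha2-256/rsa-sha2-512 entries. The two sshd_config fragments in demo() are constructed for the example, not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Debian openssh package.
# Under the stretch semantics "PubkeyAcceptedKeyTypes ssh-rsa,..." allowed
# RSA *keys*; under buster (OpenSSH 7.9) the same line allows only ssh-rsa
# *signatures*, so a client signing with rsa-sha2-256/512 is rejected.

# check_accepted_types [FILE]
#   Reads an sshd_config (or stdin when no FILE is given), prints one
#   diagnostic per offending directive, and returns 1 if any was found,
#   0 otherwise.  Match-block overrides are checked like global ones.
check_accepted_types() {
    awk '
        # Strip comments; accept both "Keyword value" and "Keyword=value".
        { sub(/#.*/, ""); gsub(/=/, " ") }
        NF < 2 { next }
        {
            key = tolower($1)
            # OpenSSH 8.5 renamed these options to *AcceptedAlgorithms and
            # kept the old spellings as aliases, so check all four names.
            if (key != "pubkeyacceptedkeytypes" && key != "hostbasedacceptedkeytypes" &&
                key != "pubkeyacceptedalgorithms" && key != "hostbasedacceptedalgorithms") next

            n = split($2, algs, ",")
            # A leading "+" appends to, and "-" removes from, the built-in
            # default list, which already contains rsa-sha2-*; only a plain
            # replacement list can drop them.
            if (algs[1] ~ /^[+-]/) next

            legacy = legacy_cert = sha2 = sha2_cert = 0
            for (i = 1; i <= n; i++) {
                a = algs[i]
                if (a == "ssh-rsa")                                        legacy = 1
                else if (a == "ssh-rsa-cert-v01@openssh.com")              legacy_cert = 1
                else if (a ~ /^rsa-sha2-(256|512)$/)                       sha2 = 1
                else if (a ~ /^rsa-sha2-(256|512)-cert-v01@openssh\.com$/) sha2_cert = 1
                # Wildcard patterns such as "rsa-*" are not expanded here.
            }
            src = (FILENAME == "" || FILENAME == "-") ? "stdin" : FILENAME
            if (legacy && !sha2) {
                printf "%s:%d: %s lists ssh-rsa but no rsa-sha2-256/rsa-sha2-512: RSA keys will fail after the upgrade\n", src, FNR, $1
                bad = 1
            }
            if (legacy_cert && !sha2_cert) {
                printf "%s:%d: %s lists ssh-rsa-cert-v01@openssh.com but no rsa-sha2-*-cert: RSA certificates will fail after the upgrade\n", src, FNR, $1
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Demonstration on two constructed fragments (not from the report or any real host).
demo() {
    bad=$(mktemp) && good=$(mktemp) || return 1
    cat > "$bad" <<'EOF'
# Override written under stretch; locks out RSA keys once buster's sshd runs
PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519
EOF
    cat > "$good" <<'EOF'
# Fixed per the NEWS.Debian entry; ssh-rsa kept only for clients that cannot sign with RSA/SHA2
PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519
EOF
    echo "== stretch-era override"
    check_accepted_types "$bad" || echo "(would lock out RSA keys)"
    echo "== corrected override"
    check_accepted_types "$good" && echo "(ok)"
    rm -f "$bad" "$good"
}

demo
```

Run it as `check_accepted_types /etc/ssh/sshd_config` before the upgrade; afterwards `sshd -T` prints the effective values the daemon is actually using, defaults included. Two caveats a practitioner will want: first, replacing ssh-rsa outright, as the report suggests, also cuts off any client whose ssh implementation can only produce legacy ssh-rsa signatures, so keep ssh-rsa alongside the rsa-sha2-* names if such clients must still connect; second, the script flags a line inside a Match block exactly as it flags a global one, which is intended, since an override scoped to the admin's own user is precisely the one that locks the admin out.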



Bug#926613: openssh-server: Locked out of server after upgrading to buster.

2019-04-07 Thread Sam Bull
Package: openssh-server
Severity: serious
Justification: Policy 8.2

Dear Maintainer,

Due to a change in how some options are handled in sshd_config, upgrading to 
buster can result in the user getting locked out of their system if the config 
is not updated.

Probably the most likely cause (and what occurred to me) is if the 
PubkeyAcceptedKeyTypes includes ssh-rsa and the admin logs in with an RSA key. 
After upgrading, the user will no longer be able to connect to the server.
The solution for this case is to replace ssh-rsa with rsa-sha2-256,rsa-sha2-512.

At the very least this needs to be mentioned in the upgrade instructions in the 
release notes for buster.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-47-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set 
LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_GB:en (charmap=locale: Cannot set LC_MESSAGES to default 
locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg   1.19.6
ii  libaudit1  1:2.8.4-2
ii  libc6  2.28-8
ii  libcom-err21.44.5-1
ii  libgssapi-krb5-2   1.17-2
ii  libkrb5-3  1.17-2
ii  libpam-modules 1.3.1-5
ii  libpam-runtime 1.3.1-5
ii  libpam0g   1.3.1-5
ii  libselinux12.8-1+b1
ii  libssl1.1  1.1.1b-1
ii  libsystemd0241-1
pn  libwrap0   
ii  lsb-base   10.2019031300
ii  openssh-client 1:7.9p1-9
pn  openssh-sftp-server
pn  procps 
pn  ucf
ii  zlib1g 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd  241-1
pn  ncurses-term
ii  xauth   1:1.0.10-1

Versions of packages openssh-server suggests:
pn  molly-guard   
pn  monkeysphere  
pn  rssh  
pn  ssh-askpass   
pn  ufw