[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:8.4p1-6ubuntu2.1

---
openssh (1:8.4p1-6ubuntu2.1) impish; urgency=medium

  * d/p/match-host-certs-w-public-keys.patch: Add patch
    to match host certificates against host public keys.
    (LP: #1952421)

 -- Utkarsh Gupta   Fri, 26 Nov 2021 17:25:36 +0530

** Changed in: openssh (Ubuntu Impish)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1952421

Title:
  Issue on sshd finds correct private key for a certificate when using
  ssh-agent

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Fix Released
Status in openssh source package in Hirsute:
  Fix Released
Status in openssh source package in Impish:
  Fix Released

Bug description:
  Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream

  [Impact]

   * HostCertificate and HostKeyAgent are not working together in sshd due
     to a mismatch between the certificate's public key and the private key.
     The function ``sshkey_equal_public()`` incorrectly compares the
     certificate's public key with a private key, never finding a match. The
     impact is that sshd cannot use said certificate *even though* its
     private key is indeed in ssh-agent.

  * What it should do is compare the certificate's public key with a
  public key in `sensitive_data`.

  * Having this SRU-ed is a direct ask from one of the major cloud partners. 
They are currently using a customised version of the package to work 
around this issue, and we would like them to use a package directly from 
our own archive.

   * Looping through sensitive_data.host_pubkeys[j] *instead* of
     sensitive_data.host_keys[j] fixes the issue.

  [https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936]

  /* Find matching private key */
  for (j = 0; j < options.num_host_key_files; j++) {
      if (sshkey_equal_public(key,
          sensitive_data.host_keys[j])) {
          sensitive_data.host_certificates[j] = key;
          break;
      }
  }

  vs.

  /* Find matching private key */
  for (j = 0; j < options.num_host_key_files; j++) {
      if (sshkey_equal_public(key,
          sensitive_data.host_pubkeys[j])) {
          sensitive_data.host_certificates[j] = key;
          break;
      }
  }


  [Test Plan]

   * Due to the empirical nature of this bug, the test is quite
     straightforward. *Without* the fix, one cannot use certificates to
     authenticate successfully (e.g. ``sshd -c /path/to/certificate.pem``),
     whereas with the fix (assuming the certificate matches a host key) you
     can create a channel.
 
  [Where problems could occur]

   * This has already been fixed both upstream and in Jammy without issue.
     However, if a regression were to happen, it would probably be in one of
     two ways:
   
   * A dependency/reverse-dependency issue stemming from the version 
 bump that will happen if this fix is ported. We mitigate this risk 
 by testing for these exact types of regression, 
 and by selecting carefully what to label this new version.
 
   * Accidentally breaking a setup that was made to work around this
     bug in the first place. The risk of this is lower, as the most
     likely fix is the one being implemented here anyway. Though to
     mitigate this further, we can describe exactly what is happening
     with the fix in the changelog.

  
  This affects every version of openssh back until Focal, at least.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
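As an added illustration of the [Impact] section above (example code written for this page, not OpenSSH's own): a small Python checker that parses an OpenSSH host certificate and a list of host public keys in their wire format and reports which host public key the certificate belongs to, which is the comparison sshd must make against host_pubkeys[j] rather than host_keys[j]. It handles ssh-rsa and ssh-ed25519 keys, going beyond the RSA-only case in the verification comments. All key material below is constructed and non-cryptographic, and the function names are this example's own.

```python
"""Pair an OpenSSH host certificate with the plain host public key carrying the
same key material (the check sshd needs for HostCertificate + HostKeyAgent).
Added example, not OpenSSH code; key material is constructed, not real."""
import base64
import struct

HOST_CERT = 2  # certificate 'type' field: 1 = user certificate, 2 = host certificate
CERT_SUFFIX = "-cert-v01@openssh.com"

def _read_string(buf, off):
    """Read one RFC 4251 'string' (uint32 length prefix) from buf at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n

def _string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(v):
    """RFC 4251 mpint: minimal big-endian bytes, leading 0x00 if the high bit is set."""
    return _string(b"" if v == 0 else v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _key_fields(buf, off, algo):
    """Decode the algorithm-specific public-key fields at off into a tuple, so a
    plain key and the key embedded in a certificate compare equal."""
    if algo == "ssh-rsa":
        e, off = _read_string(buf, off)
        n, off = _read_string(buf, off)
        return ("ssh-rsa", int.from_bytes(e, "big", signed=True),
                int.from_bytes(n, "big", signed=True)), off
    if algo == "ssh-ed25519":
        pk, off = _read_string(buf, off)
        return ("ssh-ed25519", pk), off
    raise ValueError("unsupported key type: " + algo)

def parse_key_line(line):
    """Parse a 'type base64 [comment]' line. Returns (key_tuple, cert_type);
    cert_type is None for a plain public key."""
    keytype, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    wire_type, off = _read_string(buf, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type prefix does not match blob")
    if not keytype.endswith(CERT_SUFFIX):
        return _key_fields(buf, off, keytype)[0], None
    _nonce, off = _read_string(buf, off)  # certificates carry a nonce first
    key, off = _key_fields(buf, off, keytype[:-len(CERT_SUFFIX)])
    _serial, cert_type = struct.unpack_from(">QI", buf, off)
    return key, cert_type

def find_matching_host_key(cert_line, host_pubkey_lines):
    """Index of the plain host public key whose key material equals the
    certificate's, or -1: the loop sshd runs over host_pubkeys[j] after the fix."""
    cert_key, cert_type = parse_key_line(cert_line)
    if cert_type != HOST_CERT:
        raise ValueError("not a host certificate")
    for j, line in enumerate(host_pubkey_lines):
        key, ctype = parse_key_line(line)
        if ctype is None and key == cert_key:
            return j
    return -1

# --- constructed sample data (hypothetical, not real keys) -------------------
def _pubkey_line(algo, fields, comment):
    blob = _string(algo.encode()) + fields
    return "%s %s %s" % (algo, base64.b64encode(blob).decode(), comment)

def _host_cert_line(algo, fields, key_id):
    """Minimal host certificate blob; CA key and signature are empty placeholders
    because only key matching is exercised here, not signature verification."""
    ctype = algo + CERT_SUFFIX
    blob = (_string(ctype.encode()) + _string(b"constructed-nonce") + fields
            + struct.pack(">QI", 0, HOST_CERT)            # serial, type
            + _string(key_id.encode())                    # key id
            + _string(_string(b"localhost"))              # valid principals
            + struct.pack(">QQ", 0, 2 ** 64 - 1)          # valid after / before
            + _string(b"") + _string(b"") + _string(b"")  # options, extensions, reserved
            + _string(b"") + _string(b""))                # signature key, signature
    return "%s %s %s" % (ctype, base64.b64encode(blob).decode(), key_id)

RSA_FIELDS = _mpint(65537) + _mpint(0xC0FFEE1234567890ABCDEF)
OTHER_RSA_FIELDS = _mpint(65537) + _mpint(0xDEADBEEF0BADF00D)
ED_FIELDS = _string(bytes(range(32)))

HOST_PUBKEYS = [  # what sshd loads into host_pubkeys[]
    _pubkey_line("ssh-rsa", OTHER_RSA_FIELDS, "root@other-host"),
    _pubkey_line("ssh-ed25519", ED_FIELDS, "root@host"),
    _pubkey_line("ssh-rsa", RSA_FIELDS, "root@host"),
]
RSA_HOST_CERT = _host_cert_line("ssh-rsa", RSA_FIELDS, "localhost")
ED_HOST_CERT = _host_cert_line("ssh-ed25519", ED_FIELDS, "localhost")
STALE_CERT = _host_cert_line("ssh-rsa", _mpint(3) + _mpint(0x1234), "stale")

if __name__ == "__main__":
    for cert in (RSA_HOST_CERT, ED_HOST_CERT, STALE_CERT):
        print(cert.split()[2], "->", find_matching_host_key(cert, HOST_PUBKEYS))
```

A result of -1 is the situation the buggy loop produced for every certificate, since it compared against host_keys[j] (NULL when the private key lives only in ssh-agent) instead of host_pubkeys[j].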


[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:8.4p1-5ubuntu1.2

---
openssh (1:8.4p1-5ubuntu1.2) hirsute; urgency=medium

  * d/p/match-host-certs-w-public-keys.patch: Add patch
    to match host certificates against host public keys.
    (LP: #1952421)

 -- Chloé S   Wed, 01 Dec 2021 14:12:42 +

** Changed in: openssh (Ubuntu Hirsute)
   Status: Fix Committed => Fix Released

** Changed in: openssh (Ubuntu Focal)
   Status: Fix Committed => Fix Released



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:8.2p1-4ubuntu0.4

---
openssh (1:8.2p1-4ubuntu0.4) focal; urgency=medium

  * d/p/match-host-certs-w-public-keys.patch: Add patch
    to match host certificates against host public keys.
    (LP: #1952421)

 -- Chloé S   Thu, 02 Dec 2021 22:38:52 +



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-05 Thread Chloé Smith
Apologies, I changed the tags *after* posting all the comments just to
make it more confusing...

Title:
  Issue on sshd finds correct private key for a certificate when using
  ssh-agent

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Fix Committed
Status in openssh source package in Hirsute:
  Fix Committed
Status in openssh source package in Impish:
  Fix Committed



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-05 Thread Chloé Smith
Impish verification

[INSTALLED PKG VERSION]
kajiya@chloe-HAL:~$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:8.4p1-6ubuntu2.1
  Candidate: 1:8.4p1-6ubuntu2.1
  Version table:
 *** 1:8.4p1-6ubuntu2.1 400
400 http://gb.archive.ubuntu.com/ubuntu impish-proposed/main amd64 
Packages
400 http://archive.ubuntu.com/ubuntu impish-proposed/main amd64 Packages
100 /var/lib/dpkg/status
 1:8.4p1-6ubuntu2 500
500 http://gb.archive.ubuntu.com/ubuntu impish/main amd64 Packages

[PROCEDURE]
Create the keys/certs needed
``ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca`` (no passphrase)
``ssh-keygen -f ssh_host_rsa_key -N '' -b 4096 -t rsa``
``ssh-keygen -s host_ca -I localhost -h -n localhost -V +52w ssh_host_rsa_key.pub``

Copied ssh_host_rsa_key* files over to /etc/ssh and added the following to 
/etc/ssh/sshd_config
``HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub``

Restarted sshd using systemctl and added ``@cert-authority localhost
ssh-rsa abcdefg`` (ssh-rsa abcdefg is the contents of host_ca.pub) to
~/.ssh/known_hosts

Finally, running ``ssh -vv kajiya@localhost 2>&1 | grep "Server host certificate"`` gives

debug1: Server host certificate: ssh-rsa-cert-...@openssh.com 
SHA256:pprTqBvT2oazgTsfPF+RD47ca/W1U4JCgq5fl7m1LkA, serial 0 ID "localhost" CA 
ssh-rsa SHA256:l3PYuQBJMLruGeASt+BKEDGLDlk5NHx59cwW6/Qgzs4 valid from 
2022-01-05T22:11:00 to 2023-01-04T22:12:07
debug2: Server host certificate hostname: localhost


which tells us the certificate was seen and used


[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-05 Thread Chloé Smith
Focal verification

[INSTALLED PKG VERSION]
chlo@BIG-HAL:~$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:8.2p1-4ubuntu0.4
  Candidate: 1:8.2p1-4ubuntu0.4
  Version table:
 *** 1:8.2p1-4ubuntu0.4 400
400 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
100 /var/lib/dpkg/status
 1:8.2p1-4ubuntu0.3 500
500 http://gb.archive.ubuntu.com/ubuntu focal-updates/main amd64 
Packages
 1:8.2p1-4ubuntu0.2 500
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
 1:8.2p1-4 500
500 http://gb.archive.ubuntu.com/ubuntu focal/main amd64 Packages


[PROCEDURE]
Create the keys/certs needed
``ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca`` (no passphrase)
``ssh-keygen -f ssh_host_rsa_key -N '' -b 4096 -t rsa``
``ssh-keygen -s host_ca -I localhost -h -n localhost -V +52w ssh_host_rsa_key.pub``

Copied ssh_host_rsa_key* files over to /etc/ssh and added the following to 
/etc/ssh/sshd_config
``HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub``

Restarted sshd using systemctl and added ``@cert-authority localhost
ssh-rsa abcdefg`` (ssh-rsa abcdefg is the contents of host_ca.pub) to
~/.ssh/known_hosts

Finally, running ``ssh -vv chlo@localhost 2>&1 | grep "Server"`` gives

debug1: Server host certificate: ssh-rsa-cert-...@openssh.com 
SHA256:s2gq1xBSdetCarwElgQd0NbjJbiE3iLDxFtJqDhBFF4, serial 0 ID "localhost" CA 
ssh-rsa SHA256:v8ZgezKD9Zw/Ns8I0W6mfvxCAo9jv3WznUYAFhfPfCU valid from 
2022-01-05T22:46:00 to 2023-01-04T22:47:11
debug2: Server host certificate hostname: localhost

which tells us the certificate was seen and used

** Tags removed: verification-needed-hirsute verification-needed-impish
** Tags added: verification-done-hirsute verification-done-impish


[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-05 Thread Chloé Smith
Hirsute verification

[INSTALLED PKG VERSION]
kajiya@chloe-HAL:~/Documents/work$ apt-cache policy openssh-server 
openssh-server:
  Installed: 1:8.4p1-5ubuntu1.2
  Candidate: 1:8.4p1-5ubuntu1.2
  Version table:
 *** 1:8.4p1-5ubuntu1.2 500
500 http://gb.archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 
Packages
500 http://archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 
Packages
100 /var/lib/dpkg/status
 1:8.4p1-5ubuntu1.1 500
500 http://gb.archive.ubuntu.com/ubuntu hirsute-updates/main amd64 
Packages
 1:8.4p1-5ubuntu1 500
500 http://gb.archive.ubuntu.com/ubuntu hirsute/main amd64 Packages

[PROCEDURE]
Create the keys/certs needed
``ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca`` (no passphrase)
``ssh-keygen -f ssh_host_rsa_key -N '' -b 4096 -t rsa``
``ssh-keygen -s host_ca -I localhost -h -n localhost -V +52w ssh_host_rsa_key.pub``

Copied ssh_host_rsa_key* files over to /etc/ssh and added the following to 
/etc/ssh/sshd_config
``HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub``

Restarted sshd using systemctl and added ``@cert-authority localhost
ssh-rsa abcdefg`` (ssh-rsa abcdefg is the contents of host_ca.pub) to
~/.ssh/known_hosts

Finally, running ``ssh -vv kajiya@localhost 2>&1 | grep "Server host certificate"`` gives

debug1: Server host certificate: ssh-rsa-cert-...@openssh.com 
SHA256:ufStWAPad1IQ08xMPM1iF4u4JHEaeAuQcD3qoe8yJ9A, serial 0 ID "localhost" CA 
ssh-rsa SHA256:3iVQ6wcBeoRO3S12jO8K34Do8HbVTPxiBp3rNzCngGc valid from 
2022-01-05T17:20:00 to 2023-01-04T17:21:17
debug2: Server host certificate hostname: localhost

which tells us the certificate was seen and used


[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-04 Thread Chris Halse Rogers
For SRU verification we require that the actual package from the
-proposed archive is tested. This is to avoid the chance that the patch
is mis-applied in the package uploaded to the archive, or that the
archive build environment differs in a way that affects the patch.

We'll also need this to be verified for Hirsute and Impish before we can
release it for Focal, to ensure that upgrades do not regress this bug.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1952421

Title:
  Issue on sshd finds correct private key for a certificate when using
  ssh-agent

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Fix Committed
Status in openssh source package in Hirsute:
  Fix Committed
Status in openssh source package in Impish:
  Fix Committed



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2022-01-03 Thread Chloé Smith
Hey everyone,

I can confirm the fix has been tested by our friends at Google (Anthos) for 
Focal 20.04, using the same patch used in 1:8.2p1-4ubuntu0.4 but *not* by using 
the package from focal-proposed itself.
Hopefully this still suffices? Please let me know if not and I'll re-run the 
verification again using an instance pulling from focal-proposed.

[RATIONALE]

Need SSH to authenticate a ``HostCertificate`` and an SSH agent that
holds the corresponding host private key.

The sshd_config has the following directives:

-- HostCertificate the public host certificate whose public key matches
the private key stored in the ssh agent

-- HostKey the public key of the host keypair

-- HostKeyAgent the socket of the ssh agent that holds the host private
key

Before the patch, this combination didn't work - even though it
authenticated successfully the setup behaved as if ``HostCertificate``
was never configured (i.e. it authenticated using only the public key
and the private key in the ssh agent).

[VERIFICATION OF FIX]

ssh-agent -a /path/agent-socket
SSH_AUTH_SOCK=/path/agent-socket ssh-add -k /path/hostkey


Then ran ``sshd`` with:


HostCertificate /path/hostkey-cert.pub
HostKey /path/hostkey.pub
HostKeyAgent /path/agent-socket


Then configured the CA trust anchor on the client's side. 
(localhost was used, but it would be the same if a second host is used as a 
client)


ssh -vv localhost


shows the host certificate was seen and used.

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
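To check offline that the HostCertificate and HostKey in a configuration like the one above belong together (the comparison the fixed sshd loop makes against sensitive_data.host_pubkeys[], and the "assuming the certificate matches a host key" precondition of the test plan), here is an added example that is not part of the bug thread or of OpenSSH: it parses both OpenSSH line formats and compares only public material. The key bytes, CA key and signature it uses are constructed dummies, and the CA signature is not verified.

```python
"""Offline check that a HostCertificate embeds the same public key as a HostKey
.pub file: the comparison the fixed sshd loop makes against host_pubkeys[].
Added example, not code from the bug thread or OpenSSH; key material is dummy."""
import base64
import struct

# Wire fields forming the public-key body per key type. In a certificate these
# sit between the nonce and the serial; in a plain key they follow the type.
PUBKEY_FIELDS = {
    "ssh-ed25519": 1,          # pk
    "ssh-rsa": 2,              # e, n
    "ecdsa-sha2-nistp256": 2,  # curve name, Q
    "ecdsa-sha2-nistp384": 2,
    "ecdsa-sha2-nistp521": 2,
}
CERT_SUFFIX = "-cert-v01@openssh.com"
SSH2_CERT_TYPE_HOST = 2  # sshd only accepts host-type certs as HostCertificate

def _string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, off: int):
    """Decode an SSH wire 'string' at offset off; returns (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated SSH string")
    return blob[off:off + n], off + n

def _decode_line(line: str):
    """Split an OpenSSH key/cert line into (type string, decoded blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    return parts[0], base64.b64decode(parts[1])

def _read_fields(blob: bytes, off: int, ktype: str):
    fields = []
    for _ in range(PUBKEY_FIELDS[ktype]):
        f, off = _read_string(blob, off)
        fields.append(f)
    return fields, off

def host_pubkey_fields(pub_line: str):
    """(key type, public-key fields) of a HostKey .pub line."""
    ktype, blob = _decode_line(pub_line)
    wire_type, off = _read_string(blob, 0)
    if ktype not in PUBKEY_FIELDS or wire_type.decode() != ktype:
        raise ValueError(f"unsupported or inconsistent key type {ktype!r}")
    return ktype, _read_fields(blob, off, ktype)[0]

def cert_pubkey_fields(cert_line: str):
    """(base key type, public-key fields, certificate type) of a cert line."""
    ctype, blob = _decode_line(cert_line)
    if not ctype.endswith(CERT_SUFFIX):
        raise ValueError(f"not an OpenSSH certificate: {ctype!r}")
    ktype = ctype[:-len(CERT_SUFFIX)]
    if ktype not in PUBKEY_FIELDS:
        raise ValueError(f"unsupported certificate key type {ktype!r}")
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != ctype:
        raise ValueError("certificate blob type does not match line type")
    _nonce, off = _read_string(blob, off)
    fields, off = _read_fields(blob, off, ktype)
    _serial, cert_kind = struct.unpack_from(">QI", blob, off)
    return ktype, fields, cert_kind

def cert_matches_host_key(cert_line: str, pub_line: str) -> bool:
    """True when the certificate's embedded public key equals the host key,
    comparing public material only (what sshkey_equal_public() does)."""
    ktype, fields, _ = cert_pubkey_fields(cert_line)
    return (ktype, fields) == host_pubkey_fields(pub_line)

def is_host_certificate(cert_line: str) -> bool:
    """A user certificate configured as HostCertificate is a misconfiguration."""
    return cert_pubkey_fields(cert_line)[2] == SSH2_CERT_TYPE_HOST

# --- constructed sample material: dummy ed25519 bytes, not real keys ---
def _sample_pub_line(pk: bytes) -> str:
    blob = _string(b"ssh-ed25519") + _string(pk)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host"

def _sample_cert_line(pk: bytes, cert_kind: int = SSH2_CERT_TYPE_HOST) -> str:
    ctype = ("ssh-ed25519" + CERT_SUFFIX).encode()
    blob = (_string(ctype) + _string(b"\x11" * 32) + _string(pk)        # nonce, pk
            + struct.pack(">QI", 1, cert_kind)                          # serial, type
            + _string(b"host.example") + _string(_string(b"host.example"))
            + struct.pack(">QQ", 0, 2**64 - 1)                          # validity
            + _string(b"") + _string(b"") + _string(b"")                # opts, exts, reserved
            + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))  # CA key (dummy)
            + _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64)))  # signature (dummy)
    return ctype.decode() + " " + base64.b64encode(blob).decode() + " host-cert"

HOST_PUB = _sample_pub_line(b"\x01" * 32)
OTHER_PUB = _sample_pub_line(b"\x02" * 32)
HOST_CERT = _sample_cert_line(b"\x01" * 32)
USER_CERT = _sample_cert_line(b"\x01" * 32, cert_kind=1)

if __name__ == "__main__":
    print("cert matches HostKey :", cert_matches_host_key(HOST_CERT, HOST_PUB))
    print("cert matches other   :", cert_matches_host_key(HOST_CERT, OTHER_PUB))
    print("host-type certificate:", is_host_certificate(HOST_CERT), is_host_certificate(USER_CERT))
```

Point the two functions at the real HostCertificate and HostKey files from sshd_config to confirm a pairing before debugging sshd itself.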

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Fix Committed
Status in openssh source package in Hirsute:
  Fix Committed
Status in openssh source package in Impish:
  Fix Committed


[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-12-09 Thread Utkarsh Gupta
Hello,

All the 2 (for Focal) and 5 (for Hirsute) tests were re-triggered and
are passing now, so there's no real regression. We'll proceed with the
verification from our end shortly. TIA! \o/

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Fix Committed
Status in openssh source package in Hirsute:
  Fix Committed
Status in openssh source package in Impish:
  Fix Committed



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-12-08 Thread Robie Basak
Hello Utkarsh, or anyone else affected,

Accepted openssh into hirsute-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/openssh/1:8.4p1-5ubuntu1.2 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
hirsute to verification-done-hirsute. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed-hirsute. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openssh (Ubuntu Hirsute)
   Status: New => Fix Committed

** Tags added: verification-needed-hirsute

** Changed in: openssh (Ubuntu Focal)
   Status: New => Fix Committed

** Tags added: verification-needed-focal

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Fix Committed
Status in openssh source package in Hirsute:
  Fix Committed
Status in openssh source package in Impish:
  Fix Committed


[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-12-02 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~kajiya/ubuntu/+source/openssh/+git/openssh/+merge/412723

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  New
Status in openssh source package in Hirsute:
  New
Status in openssh source package in Impish:
  Fix Committed



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-12-01 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~kajiya/ubuntu/+source/openssh/+git/openssh/+merge/412663

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  New
Status in openssh source package in Hirsute:
  New
Status in openssh source package in Impish:
  Fix Committed



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-11-30 Thread Brian Murray
Hello Utkarsh, or anyone else affected,

Accepted openssh into impish-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssh/1:8.4p1-6ubuntu2.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
impish to verification-done-impish. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-impish. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openssh (Ubuntu Impish)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-impish

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  New
Status in openssh source package in Hirsute:
  New
Status in openssh source package in Impish:
  Fix Committed



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-11-29 Thread Utkarsh Gupta
** Changed in: openssh (Ubuntu Impish)
 Assignee: (unassigned) => Utkarsh Gupta (utkarsh)

** Changed in: openssh (Ubuntu Hirsute)
 Assignee: (unassigned) => Chloé Smith (kajiya)

** Changed in: openssh (Ubuntu Focal)
 Assignee: (unassigned) => Chloé Smith (kajiya)

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  New
Status in openssh source package in Hirsute:
  New
Status in openssh source package in Impish:
  New



[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-11-28 Thread Chloé Smith
** Description changed:

- Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream:
+ Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream
  
- Please take a look at line 1936 in main() function in sshd.c.
+ [Impact]
+ 
+  * HostCertificate and HostKeyAgent are not working together in sshd due 
+to a mismatched certificate's public key and private key. The function `  
`sshkey_equal_public()`` incorrectly compares the certificate's public 
+   key with a private key, never finding a match. The impact is that sshd 
+   cannot use said certificate *even though* its private key is indeed in 
+   ssh-agent.
+ 
+ * What it should do is compare the certificate's public key with a
+ public key in `sensitive_data`.
+ 
+ * Having this SRU-ed is a direct ask from one of the major cloud partners. 
+   They are currently using a customised version of the package to work 
+   around this issue, and we would like them to use a package directly from 
+   our own archive.
+ 
+  * Looping through sensitive_data.host_pubkeys[j] *instead* of 
+sensitive_data.host_keys[j] fixes the issue
+ 
+ [https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936]
  
  /* Find matching private key */
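Review bot: the [Impact] bullet's explanation, that sshkey_equal_public() "incorrectly compares the certificate's public key with a private key, never finding a match", does not describe the actual failure: sshkey_equal_public() compares only public components (a private key loaded from disk would match) and it returns 0 when either argument is NULL. The match fails under HostKeyAgent because sshd then has only the .pub file and sensitive_data.host_keys[j] is left empty, exactly the "private key is indeed in ssh-agent" case the bullet mentions. Suggest wording the bullet as: the loop compares the certificate against the private-key slot, which is empty when the key is held by ssh-agent, so no match is found; host_pubkeys[j] is populated in both cases, which is why switching to it is the correct fix rather than a cosmetic one.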
-   for (j = 0; j < options.num_host_key_files; j++) {
-   if (sshkey_equal_public(key,
-   sensitive_data.host_keys[j])) {
-   sensitive_data.host_certificates[j] = key;
-   break;
-   }
-   }
+  for (j = 0; j < options.num_host_key_files; j++) {
+   if (sshkey_equal_public(key,
+    sensitive_data.host_keys[j])) {
+    sensitive_data.host_certificates[j] = key;
+ break;
+    }
+  }
  
- the sshkey_equal_public() is trying to compare a cert's pub with a private 
key, and it never find a match which makes sshd cannot use this certificate 
even though its private key is in ssh-agent.
- I believe it should be comparing a cert's public key with a public key in 
sensitive_data as follow.
+ vs.
  
  /* Find matching private key */
-   for (j = 0; j < options.num_host_key_files; j++) {
-   if (sshkey_equal_public(key,
-   sensitive_data.host_pubkeys[j])) {
-   sensitive_data.host_certificates[j] = key;
-   break;
-   }
-   }
+  for (j = 0; j < options.num_host_key_files; j++) {
+   if (sshkey_equal_public(key,
+    sensitive_data.host_pubkeys[j])) {
+    sensitive_data.host_certificates[j] = key;
+ break;
+    }
+  }
+  
  
- https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936
+ [Test Plan]
  
- Due to this HostCertificate and HostKeyAgent not working together in
- sshd and this affects every version of openssh back till Focal, at
- least.
+  * Due to the empirical nature of this bug, the test is quite straight 
+forward. *Without* the fix, one cannot use certificates to authenticate 
+successfully (e.g. ``sshd -c /path/to/certificate.pem``)
+whereas with the fix (assuming the certificate matches a host key) you 
+can create a channel.
+
+ [Where problems could occur]
+ 
+  * This has already been fixed both upstream and in Jammy without issue. 
+However, if a regression where to happen it would probably be in one of 
+two ways:
+  
+  * A dependency/reverse-dependency issue stemming from the version 
+bump that will happen if this fix is ported. We mitigate this risk 
+by testing for these exact types of regression, 
+and by selecting carefully what to label this new version.
+
+  * Accidentally breaking a set up that was made to work around this 
+bug in the first place. The risk of this is lower, as the most 
+likely fix is the one being implemented here anyway.  Though
+to mitigate this more we can describe exactly what is happening 
+with the fix in the changelog.
+ 
+ 
+ This affects every version of openssh back until Focal, at least.
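Review bot: the [Test Plan] hunk omits the precondition that makes the bug reproducible. With the private key file readable on disk, sensitive_data.host_keys[j] is populated and the pre-fix loop already matches, so a test that only passes "sshd -c /path/to/certificate.pem" will succeed with or without the patch. The plan should load the host private key into ssh-agent, point HostKeyAgent at that agent socket, set HostKey to the .pub file (which is what HostKey means when HostKeyAgent is set) and HostCertificate to the matching certificate, and then check that sshd offers the certificate during key exchange. Also, "certificate.pem" is a misleading name: OpenSSH host certificates are *-cert.pub files produced by ssh-keygen -s, not PEM files.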

[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-11-26 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~utkarsh/ubuntu/+source/openssh/+git/openssh/+merge/412456

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1952421

Title:
  Issue on sshd finds correct private key for a certificate when using
  ssh-agent

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  New
Status in openssh source package in Hirsute:
  New
Status in openssh source package in Impish:
  New

Bug description:
  Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254
  upstream:

  Please take a look at line 1936 in main() function in sshd.c.

  /* Find matching private key */
  for (j = 0; j < options.num_host_key_files; j++) {
          if (sshkey_equal_public(key,
              sensitive_data.host_keys[j])) {
                  sensitive_data.host_certificates[j] = key;
                  break;
          }
  }

  The sshkey_equal_public() call is trying to compare a cert's public key with a 
  private key, and it never finds a match, so sshd cannot use this certificate 
  even though its private key is in ssh-agent.
  I believe it should be comparing a cert's public key with a public key in 
  sensitive_data, as follows.

  /* Find matching private key */
  for (j = 0; j < options.num_host_key_files; j++) {
          if (sshkey_equal_public(key,
              sensitive_data.host_pubkeys[j])) {
                  sensitive_data.host_certificates[j] = key;
                  break;
          }
  }

  https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936

  Due to this, HostCertificate and HostKeyAgent are not working together in
  sshd, and this affects every version of openssh back to Focal, at
  least.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
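A runnable model of the two loops quoted in the bug descriptions above (the SRU description in the first message and the original report in this one), added here as an example; it is not code from OpenSSH or from the Ubuntu package. It assumes, as the report states, that when a host key is held by ssh-agent sshd has only the public key loaded, and models that as an empty private-key slot next to a filled public-key slot. All struct and function names (model_key, model_sensitive, model_equal_public, attach_cert_old, attach_cert_new, run_scenario) and the key strings are the example's own, constructed for illustration.

```c
/*
 * Added example, not OpenSSH code: a small model of the "find matching
 * private key" loop quoted from sshd.c in the bug report.  Keys are
 * modelled as strings holding their public component.  Assumption
 * mirrored from the report: when a host key is held by ssh-agent
 * (HostKeyAgent), sshd has only the .pub file, so the host_keys[]
 * private-key slot is NULL while host_pubkeys[] is filled.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_KEYS 4

struct model_key {
    const char *pub;    /* public component; the only part ever compared */
    int has_private;    /* 1 if the private component is also present */
};

struct model_sensitive {
    struct model_key *host_keys[MAX_HOST_KEYS];         /* private keys, NULL if in agent */
    struct model_key *host_pubkeys[MAX_HOST_KEYS];      /* public keys, always loaded */
    struct model_key *host_certificates[MAX_HOST_KEYS]; /* certs attached by the loop */
    int num_host_key_files;
};

/*
 * Stand-in for sshkey_equal_public(): compares public components only and
 * reports "not equal" when either side is missing.
 */
static int model_equal_public(const struct model_key *a, const struct model_key *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return strcmp(a->pub, b->pub) == 0;
}

/* Loop as quoted before the fix: match against the private-key slots. */
int attach_cert_old(struct model_sensitive *sd, struct model_key *cert)
{
    int j;

    for (j = 0; j < sd->num_host_key_files; j++) {
        if (model_equal_public(cert, sd->host_keys[j])) {
            sd->host_certificates[j] = cert;
            return j;
        }
    }
    return -1;  /* no slot matched: sshd could not use the certificate */
}

/* Loop as quoted after the fix: match against the public-key slots. */
int attach_cert_new(struct model_sensitive *sd, struct model_key *cert)
{
    int j;

    for (j = 0; j < sd->num_host_key_files; j++) {
        if (model_equal_public(cert, sd->host_pubkeys[j])) {
            sd->host_certificates[j] = cert;
            return j;
        }
    }
    return -1;
}

/*
 * Constructed scenario with two HostKey entries: slot 0's private key is on
 * disk, slot 1's private key lives in ssh-agent.  Returns the slot that the
 * certificate for `slot` gets attached to (or -1) using the old or fixed loop.
 */
int run_scenario(int slot, int fixed)
{
    static struct model_key disk_priv  = { "ssh-ed25519 EXAMPLEdiskkey",  1 };
    static struct model_key disk_pub   = { "ssh-ed25519 EXAMPLEdiskkey",  0 };
    static struct model_key agent_pub  = { "ssh-ed25519 EXAMPLEagentkey", 0 };
    static struct model_key disk_cert  = { "ssh-ed25519 EXAMPLEdiskkey",  0 };
    static struct model_key agent_cert = { "ssh-ed25519 EXAMPLEagentkey", 0 };
    struct model_sensitive sd;
    struct model_key *cert = (slot == 0) ? &disk_cert : &agent_cert;

    memset(&sd, 0, sizeof(sd));
    sd.num_host_key_files = 2;
    sd.host_keys[0] = &disk_priv; sd.host_pubkeys[0] = &disk_pub;
    sd.host_keys[1] = NULL;       sd.host_pubkeys[1] = &agent_pub;  /* key in agent */

    return fixed ? attach_cert_new(&sd, cert) : attach_cert_old(&sd, cert);
}

int main(void)
{
    printf("disk-backed key,  old loop: slot %d\n", run_scenario(0, 0));
    printf("disk-backed key,  new loop: slot %d\n", run_scenario(0, 1));
    printf("agent-backed key, old loop: slot %d\n", run_scenario(1, 0));
    printf("agent-backed key, new loop: slot %d\n", run_scenario(1, 1));
    return 0;
}
```

Build with "cc -Wall -o model model.c" and run it: the disk-backed key attaches in both loops (slot 0), while the agent-backed key attaches only with the fixed loop (slot 1 instead of -1). That second pair is the difference the SRU test plan is meant to observe, and it shows why the failure only appears with HostKeyAgent.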


[Touch-packages] [Bug 1952421] Re: Issue on sshd finds correct private key for a certificate when using ssh-agent

2021-11-26 Thread Utkarsh Gupta
** Also affects: openssh (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Changed in: openssh (Ubuntu)
   Status: New => Fix Released
