Package: tinyssh
Version: 20230101-1
Severity: minor
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu lunar ubuntu-patch
X-Debbugs-Cc: sl...@ubuntu.com
Hello Jan,
This package has been failing in Ubuntu for at least a year, skipping many new
(upstream) versions in -proposed. Its -proposed version broke many systemd
autopkgtest (and probably others), leading to unnecessary test runs to validate
those failures with tinyssh from -release.
Ubuntu's PAM configuration sets the user-session default umask to 0002 (instead
of the traditional 0022), as defined in "/etc/login.defs" via USERGROUPS_ENAB
(see /etc/pam.d/common-session*). Therefore, the autopkgtest (re-)creates
~/.ssh/authorized_keys with group-write permissions, which makes tinysshd reject
connections.
The issue does not directly affect Debian currently (due to using a 0022
default umask), but it could in the future, should Debian switch to using
the pam_umask.so module as done in Ubuntu (see [1] for reference).
IMHO the test should create the authorized_key file with correct permissions
in all cases, to make it work in any context, but feel free to reject this
patch if you feel like it doesn't apply.
In Ubuntu, the attached patch was applied to achieve the following:
* d/tests: Create ~/.ssh/authorized_keys with proper umask (LP: #2016597)
Thanks for considering the patch.
-- Lukas
[1] https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'),
(100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.19.0-38-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tinyssh-20230101/debian/tests/05authorizedkeys
tinyssh-20230101/debian/tests/05authorizedkeys
--- tinyssh-20230101/debian/tests/05authorizedkeys 2023-01-01
09:33:58.000000000 +0100
+++ tinyssh-20230101/debian/tests/05authorizedkeys 2023-04-17
15:09:51.000000000 +0200
@@ -51,6 +54,9 @@
KEY=`cut -d ' ' -f2 < ~/.ssh/id_ed25519.pub`
REST=`cut -d ' ' -f3- < ~/.ssh/id_ed25519.pub`
+# Create ~/.ssh/authorized_keys with proper permissions/umask (LP: #2016597)
+UMASK=$(umask)
+umask 22
# now create malformed lines in authorization_keys
# login MUST FAIL
(
@@ -85,6 +91,7 @@
# now add correct line to authorized_keys
echo "${KEYTYPE} ${KEY}" >> ~/.ssh/authorized_keys
+umask $UMASK # restore original umask
ssh -p 10000 127.0.0.1 'exit 0'
exitcode=$?
