Package: tinyssh
Version: 20230101-1
Severity: minor
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu lunar ubuntu-patch
X-Debbugs-Cc: sl...@ubuntu.com

Hello Jan,

This package has been failing in Ubuntu for at least a year, skipping many new (upstream) versions in -proposed. Its -proposed version broke many systemd autopkgtests (and probably others), leading to unnecessary test runs to validate those failures with tinyssh from -release.

Ubuntu's PAM configuration sets the user-session default umask to 0002 (instead of the traditional 0022), as defined in "/etc/login.defs" via USERGROUPS_ENAB (see /etc/pam.d/common-session*). Therefore, the autopkgtest (re-)creates ~/.ssh/authorized_keys with group-write permissions, which makes tinysshd reject connections.

The issue does not directly affect Debian currently (due to using a 0022 default umask), but it could in the future, should Debian switch to using the pam_umask.so module as done in Ubuntu (see [1] for reference).

IMHO the test should create the authorized_keys file with correct permissions in all cases, to make it work in any context, but feel free to reject this patch if you feel like it doesn't apply.

In Ubuntu, the attached patch was applied to achieve the following:

  * d/tests: Create ~/.ssh/authorized_keys with proper umask (LP: #2016597)

Thanks for considering the patch.

-- Lukas

[1] https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-38-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru tinyssh-20230101/debian/tests/05authorizedkeys tinyssh-20230101/debian/tests/05authorizedkeys --- tinyssh-20230101/debian/tests/05authorizedkeys 2023-01-01 09:33:58.000000000 +0100 +++ tinyssh-20230101/debian/tests/05authorizedkeys 2023-04-17 15:09:51.000000000 +0200 @@ -51,6 +54,9 @@ KEY=`cut -d ' ' -f2 < ~/.ssh/id_ed25519.pub` REST=`cut -d ' ' -f3- < ~/.ssh/id_ed25519.pub` +# Create ~/.ssh/authorized_keys with proper permissions/umask (LP: #2016597) +UMASK=$(umask) +umask 22 # now create malformed lines in authorization_keys # login MUST FAIL ( @@ -85,6 +91,7 @@ # now add correct line to authorized_keys echo "${KEYTYPE} ${KEY}" >> ~/.ssh/authorized_keys +umask $UMASK # restore original umask ssh -p 10000 127.0.0.1 'exit 0' exitcode=$?
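
Review bot: In the first hunk, "umask 22" only influences files that are created after it runs; if ~/.ssh/authorized_keys already exists with the group-write bit from an earlier step (the report says the test "(re-)creates" it), writing to it again keeps the old mode. An explicit chmod on the file after it is written (for example chmod go-w ~/.ssh/authorized_keys) would make the test independent of both the ambient umask and any pre-existing file. Separately, the hunk header "-51,6 +54,9" starts three lines later on the new side although no earlier hunk is shown, so it is worth checking that the diff is complete against this base.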
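
Review bot: In the second hunk, the added "umask $UMASK" is unquoted and sits roughly thirty lines away from the matching save, so the pairing is easy to break in a later edit and anything that writes authorized_keys after this line is back under the ambient umask. Because the test script runs as its own process, setting the umask once near the top and dropping the restore would be simpler; if the restore is kept, write it as: umask "$UMASK".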
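
The umask effect described in the report, as an added shell example that is not part of the original message or of the tinyssh test suite: it creates a file under both umasks in a temporary directory and flags group or other write bits. The helper names and the writability check are assumptions for illustration, not tinysshd's actual logic.

```shell
#!/bin/sh
# Added example: how the session umask decides the mode of a newly created
# authorized_keys file. Only a temporary directory is used; ~/.ssh is untouched.

# Create an empty authorized_keys-style file in directory $2 under umask $1
# and print its permission string (e.g. -rw-rw-r--). The umask is changed
# inside a subshell, so the caller's umask is left as it was.
create_with_umask() {
    (
        umask "$1"
        rm -f "$2/authorized_keys"
        : > "$2/authorized_keys"
        ls -ld "$2/authorized_keys" | cut -c1-10
    )
}

# Return 0 if permission string $1 has the group or other write bit set.
# Assumption: this models the condition the report describes (a group-writable
# file being rejected); it is not tinysshd's real check.
is_group_or_other_writable() {
    case "$1" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the Ubuntu session default (0002) with the traditional one (0022).
demo() {
    dir=$(mktemp -d) || return 1
    for mask in 0002 0022; do
        mode=$(create_with_umask "$mask" "$dir")
        if is_group_or_other_writable "$mode"; then
            echo "umask $mask -> $mode (group/other writable)"
        else
            echo "umask $mask -> $mode (ok)"
        fi
    done
    rm -rf "$dir"
}

demo
```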