[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-17 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:8.9p1-3ubuntu0.7
---
openssh (1:8.9p1-3ubuntu0.7) jammy; urgency=medium
  * d/p/gssapi.patch: fix method_gsskeyex structure and userauth_gsskeyex function regarding changes introduced in upstream commit

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-17 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:9.3p1-1ubuntu3.3
---
openssh (1:9.3p1-1ubuntu3.3) mantic; urgency=medium
  * d/p/gssapi.patch: fix method_gsskeyex structure and userauth_gsskeyex function regarding changes introduced in upstream commit

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-17 Thread Robie Basak
It's not clear to me if a simple "ssh -Snone localhost" is covered by the autopkgtests, so I did that manually, testing without -proposed first, and ensuring to run "sudo systemctl restart ssh" after upgrading to -proposed to ensure that I'm definitely hitting the daemon from -proposed. Success

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-08 Thread Andreas Hasenack
Mantic verification
In all architectures, except i386, the new test passed. Here is a log from the amd64 run[1]:
4333s autopkgtest [16:47:27]: test ssh-gssapi: [---
4333s ## Setting up test environment
4333s ## Creating Kerberos realm EXAMPLE.FAKE
4333s Initializing database

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-08 Thread Andreas Hasenack
Jammy verification
In all architectures (except i386, which is a known failure everywhere) the new ssh-gssapi test passed. Here is the run on amd64[1]:
3438s autopkgtest [16:33:21]: test ssh-gssapi: [---
3438s ## Setting up test environment
3438s ## Creating Kerberos realm

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-08 Thread Andreas Hasenack
** Description changed: [ Impact ] The gssapi-keyex authentication mechanism has been inadvertently broken in openssh. It comes from a distro patch[1], and while the patch still applied, it was no longer correct. Without the fix, sshd will fail to start if gssapi-keyex is listed

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-08 Thread ake sandgren
openssh-server_8.9p1-3ubuntu0.7_amd64.deb does fix the gssapi-keyex problem for us on jammy
Syslog output is as expected
===
2024-04-08T08:09:53.608275+02:00 somehost sshd[169530]: Authorized to root, krb5 principal xxx/r...@our.do.main (krb5_kuserok)
2024-04-08T08:09:53.619114+02:00 somehost

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-04-06 Thread Timo Aaltonen
Hello ake, or anyone else affected, Accepted openssh into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.3 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-28 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:9.6p1-3ubuntu11
---
openssh (1:9.6p1-3ubuntu11) noble; urgency=medium
  * d/t/ssh-gssapi: make the test a bit more robust (LP: #2058276):
    - deal with return codes
    - match a more specific success expression from the logs
    - add

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-17 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462552 ** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462553 -- You received this bug notification because you are a

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-15 Thread Andreas Hasenack
** Changed in: openssh (Ubuntu Noble) Importance: Critical => High ** Changed in: openssh (Ubuntu Mantic) Importance: Undecided => High ** Changed in: openssh (Ubuntu Jammy) Importance: Undecided => High ** Changed in: openssh (Ubuntu Jammy) Assignee: (unassigned) => Andreas

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-15 Thread Andreas Hasenack
** Description changed: [ Impact ] - * An explanation of the effects of the bug on users and + The gssapi-keyex authentication mechanism has been inadvertently broken + in openssh. It comes from a distro patch[1], and while the patch still + applied, it was no longer correct. - *

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-15 Thread Andreas Hasenack
** Description changed: - The Authmethod struct now have 4 entries but the initialization of the - method_gsskeyex in the debian/patches/gssapi.patch only have 3 entries. + [ Impact ] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-15 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openssh/+git/openssh/+merge/462514 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2053146

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-14 Thread Andreas Hasenack
I think you missed the extra arg to userauth_gsskeyex()

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-14 Thread Colin Watson
I fixed this in Debian today in https://salsa.debian.org/ssh-team/openssh/-/commit/0947dd466d64cabfb527d8326e2507f473373a32, uploaded as part of 1:9.7p1-1. You could possibly just merge 1:9.7p1-1 into noble since it's mostly a bug-fix release, but failing that you could cherry-pick the relevant

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
I have an autopkgtest for gssapi, adding one now for keyex.

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
Quick test with https://launchpad.net/~ahasenack/+archive/ubuntu/openssh-gsskeyex-2053146/+packages on jammy (but there are builds for other releases too), seems to work:
Mar 13 20:52:58 j-keyex sshd[1638]: Authorized to ubuntu, krb5 principal andreas@LOWTECH (krb5_kuserok)
Mar 13 20:52:58

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
Prepping builds, and I also want to add an autopkgtest for this.

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
** Also affects: openssh (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: openssh (Ubuntu Noble) Importance: Critical Assignee: Andreas Hasenack (ahasenack) Status: In Progress ** Also affects: openssh (Ubuntu Mantic) Importance: Undecided

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
https://src.fedoraproject.org/rpms/openssh/c/c04e468b07b38471377fc7a648e1737021ea7148

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-13 Thread Andreas Hasenack
** Changed in: openssh (Ubuntu) Status: Incomplete => In Progress

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-03-06 Thread Bryce Harrington
** Changed in: openssh (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack)

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-02-19 Thread ake sandgren
We have this in sshd_config
===
Match User root
    GSSAPIAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PubkeyAuthentication no
    AuthenticationMethods gssapi-keyex gssapi-with-mic
===
Grab a kerberos root ticket and do ssh as root

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-02-19 Thread Robie Basak
I'm flagging this as Critical. It sounds like everyone agrees that the distro patch we're carrying is bad. I think it's possible that it's bad in quite a serious way, so we should investigate immediately without delay until we've understood the severity of this, especially because by carrying the

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-02-16 Thread Mitchell Dzurick
Thanks for the additional info Ake! Do you happen to have simple steps you could share to help reproduce the issue?

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-02-15 Thread ake sandgren
Verifying this should be fairly simple. Look at the definition of Authmethod in auth.h and compare to how method_gssapi is initialized compared to method_gsskeyex. As for it being the only report it is only "AuthenticationMethods gssapi-keyex" that is not working. We have "AuthenticationMethods

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-02-15 Thread Paride Legovini
Hello and thanks for this bug report. The analysis looks sensible to me, but I'm not really familiar with gss. To better understand the situation I have a couple of questions: - Does this mean that gss is unusable in Jammy at the moment? AFAICT this is the only bug report about it, so I would be

[Touch-packages] [Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong

2024-02-14 Thread ake sandgren
** Summary changed: - openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex mathod is slightly wrong + openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong