[Bug 1964486] Re: crash when in FIPS mode

2022-03-30 Thread Launchpad Bug Tracker
This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3ubuntu1.20.04.1

---
pam-ssh-agent-auth (0.10.3-3ubuntu1.20.04.1) focal; urgency=medium

  * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64
    encoding for key fingerprints.  MD5 fingerprints are deprecated,
    OpenSSH has switched to SHA256 since OpenSSH 6.8.
    This will make the fingerprints compatible with ssh-keygen -l and allow
    the package to work in FIPS mode. (LP: #1964486)

 -- Tobias Heider  Thu, 17 Mar 2022 15:31:12 +0100

** Changed in: pam-ssh-agent-auth (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** Changed in: pam-ssh-agent-auth (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1964486

Title:
  crash when in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1964486] Re: crash when in FIPS mode

2022-03-30 Thread Launchpad Bug Tracker
This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-1ubuntu0.1

---
pam-ssh-agent-auth (0.10.3-1ubuntu0.1) bionic; urgency=medium

  * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64
    encoding for key fingerprints.  MD5 fingerprints are deprecated,
    OpenSSH has switched to SHA256 since OpenSSH 6.8.
    This will make the fingerprints compatible with ssh-keygen -l and allow
    the package to work in FIPS mode. (LP: #1964486)

 -- Tobias Heider  Mon, 21 Mar 2022 11:07:10 +0100

[Bug 1964486] Re: crash when in FIPS mode

2022-03-30 Thread Launchpad Bug Tracker
This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3ubuntu1.21.10.1

---
pam-ssh-agent-auth (0.10.3-3ubuntu1.21.10.1) impish; urgency=medium

  * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64
    encoding for key fingerprints.  MD5 fingerprints are deprecated,
    OpenSSH has switched to SHA256 since OpenSSH 6.8.
    This will make the fingerprints compatible with ssh-keygen -l and allow
    the package to work in FIPS mode. (LP: #1964486)

 -- Tobias Heider  Thu, 17 Mar 2022 15:31:12 +0100

** Changed in: pam-ssh-agent-auth (Ubuntu Impish)
   Status: Fix Committed => Fix Released

[Bug 1964486] Re: crash when in FIPS mode

2022-03-23 Thread Tobias Heider
I have tested all three packages and they seem to work as intended. The
updated packages also log the correct ssh fingerprint. Below is the log
output of all versions as well as ssh-keygen -l for comparison.

bionic with version 0.10.3-1ubuntu0.1:
sec-bionic-amd64 sudo[11266]: pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

focal with version 0.10.3-3ubuntu1.20.04.1:
sec-focal-pam-amd64 sudo[3692]: pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

impish version 0.10.3-3ubuntu1.21.10.1:
sec-impish-amd64 sudo[3214]: pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

ssh-keygen for comparison:
user@kischte:~$ ssh-keygen -lf .ssh/id_rsa
4096 SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0 user@kischte (RSA)

I also tested with fips enabled to make sure it no longer segfaults.
On focal with libpam-ssh-agent-auth=0.10.3-3ubuntu1 I got:

user@sec-focal-pam-amd64:~$ sudo ls
Segmentation fault (core dumped)

focal with libpam-ssh-agent-auth=0.10.3-3ubuntu1.20.04.1 fixes the
segfault:

user@sec-focal-pam-amd64:~$ sudo ls
test

** Tags removed: verification-needed verification-needed-bionic 
verification-needed-focal verification-needed-impish
** Tags added: verification-done verification-done-bionic 
verification-done-focal verification-done-impish

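Added example (not part of the thread or of pam-ssh-agent-auth's code): a Python helper for comparing key fingerprints across the log formats discussed in this bug. It treats colon-hex and `SHA256:` base64 strings as two encodings of a raw digest, so the hex value quoted in the bug description and the `SHA256:` value in the verification logs can be compared directly. The function names, the sample public key blob and the joined log line are constructed for illustration.

```python
import base64
import hashlib
import re

# Fingerprint strings quoted on this page (bug description and sudo log lines).
PAGE_HEX_FP = ("c9:20:ff:09:15:7b:a2:e6:59:e3:a7:4a:60:0c:4f:61:"
               "1a:60:07:c9:d2:98:76:7f:71:4f:2f:d2:fc:00:c1:7d")
PAGE_SHA256_FP = "SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0"

# Constructed inputs: a log line in the format shown on the page (with the
# mail-wrapped line break kept), and a made-up ssh-ed25519 blob (not a real key).
SAMPLE_LOG = ("sec-focal-pam-amd64 sudo[3692]: pam_ssh_agent_auth: "
              "Found matching RSA key: \n" + PAGE_SHA256_FP)
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_PUB = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
              + " constructed@example")

LOG_RE = re.compile(r"pam_ssh_agent_auth: Found matching (\S+) key:\s+(\S+)")
HEX_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+$")


def parse_fingerprint(text):
    """Return (algorithm, raw digest) for a SHA256:/MD5: or bare colon-hex fingerprint."""
    text = text.strip()
    if text.startswith("SHA256:"):
        b64 = text[len("SHA256:"):]
        # OpenSSH strips the base64 padding; restore it before decoding.
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        if len(raw) != 32:
            raise ValueError("SHA256 fingerprint must decode to 32 bytes")
        return "SHA256", raw
    if text.startswith("MD5:"):
        text = text[len("MD5:"):]
    if HEX_RE.match(text):
        raw = bytes.fromhex(text.replace(":", ""))
        # The digest length, not the label next to it, identifies the hash.
        algo = {16: "MD5", 32: "SHA256"}.get(len(raw))
        if algo is None:
            raise ValueError("unexpected digest length: %d bytes" % len(raw))
        return algo, raw
    raise ValueError("unrecognised fingerprint format")


def openssh_sha256(raw):
    """Format a 32-byte digest the way ssh-keygen -l prints it."""
    if len(raw) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest")
    return "SHA256:" + base64.b64encode(raw).decode("ascii").rstrip("=")


def key_fingerprints(pubkey_line):
    """Hash the key blob of a '<type> <base64> [comment]' public key line.

    Returns (sha256_fp, md5_fp). md5_fp is None when the crypto provider
    refuses MD5 (some FIPS-enabled builds raise ValueError), so the caller
    gets an explicit "unavailable" instead of using a failed digest context.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    sha = openssh_sha256(hashlib.sha256(blob).digest())
    try:
        hexd = hashlib.md5(blob).hexdigest()
        legacy = "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))
    except ValueError:
        legacy = None
    return sha, legacy


def log_matches_key(log_line, expected_fp):
    """True if the fingerprint logged by pam_ssh_agent_auth equals expected_fp,
    whichever of the supported encodings each side uses."""
    m = LOG_RE.search(log_line)
    if not m:
        return False
    return parse_fingerprint(m.group(2)) == parse_fingerprint(expected_fp)


if __name__ == "__main__":
    print(parse_fingerprint(PAGE_HEX_FP)[0])
    print(openssh_sha256(parse_fingerprint(PAGE_HEX_FP)[1]))
    print(key_fingerprints(SAMPLE_PUB))
```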

[Bug 1964486] Re: crash when in FIPS mode

2022-03-22 Thread Brian Murray
Hello Dan, or anyone else affected,

Accepted pam-ssh-agent-auth into focal-proposed. The package will build
now and be available at
https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-3ubuntu1.20.04.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-focal. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: pam-ssh-agent-auth (Ubuntu Focal)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-focal

** Changed in: pam-ssh-agent-auth (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic

[Bug 1964486] Re: crash when in FIPS mode

2022-03-22 Thread Brian Murray
Hello Dan, or anyone else affected,

Accepted pam-ssh-agent-auth into impish-proposed. The package will build
now and be available at
https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-3ubuntu1.21.10.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-impish to verification-done-impish. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-impish. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: pam-ssh-agent-auth (Ubuntu Impish)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-impish

[Bug 1964486] Re: crash when in FIPS mode

2022-03-21 Thread Marc Deslauriers
ACK on the debdiff in comment #18, except for the unexpected change to
0001-authfd.c-check-return-value-of-seteuid-2.patch. Package uploaded
for processing by the SRU team. Thanks!

** Changed in: pam-ssh-agent-auth (Ubuntu Bionic)
   Status: Confirmed => In Progress

[Bug 1964486] Re: crash when in FIPS mode

2022-03-21 Thread Tobias Heider
one more for bionic

** Patch added: "pam-ssh-agent-auth_0.10.3-1ubuntu0.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/bionic/+source/pam-ssh-agent-auth/+bug/1964486/+attachment/5571259/+files/pam-ssh-agent-auth_0.10.3-1ubuntu0.1.debdiff

[Bug 1964486] Re: crash when in FIPS mode

2022-03-18 Thread Marc Deslauriers
ACK on the debdiffs in #15 and #16, they look reasonable. Uploaded for
processing by the SRU team. Thanks!

** Changed in: pam-ssh-agent-auth (Ubuntu Focal)
   Status: Confirmed => In Progress

** Changed in: pam-ssh-agent-auth (Ubuntu Impish)
   Status: Confirmed => In Progress

[Bug 1964486] Re: crash when in FIPS mode

2022-03-18 Thread Marc Deslauriers
** Description changed:

  [impact]
  
  when in FIPS mode, MD5 is not allowed; however in
  pamsshagentauth_check_authkeys_file(), if a key match is found for a key
  is found, its MD5 fingerprint is generated in order to log the
  fingerprint. Unfortunately that calls into
  pamsshagentauth_key_fingerprint_raw() which uses openssl EVP_* functions
  for the fingerprint creation, but without any kind of error checking.
  The call to EVP_DigestInit() fails because openssl is in FIPS mode and
  disallows MD5, but the result isn't checked, and the following call to
  EVP_DigestUpdate() results in openssl attempting to call ctx->update(),
  although ctx->update is null.
  
+ In addition, OpenSSH has defaulted to SHA256 fingerprints by default
+ since 6.8, which is before xenial came out. This makes it more difficult
+ to compare fingerprints listed as MD5 in log files with fingerprints
+ printed as SHA256 by OpenSSH. The upstream pam-ssh-auth-agent codebase
+ is poorly maintained and has not kept up with OpenSSH changes.
+ 
  [test case]
  
  set up a system in FIPS mode with FIPS openssl, install pam-ssh-agent-auth 
and configure per:
  https://blog.heinzl.dev/use-public-key-to-prevent-sudo-passwor
  
  Then ssh to the system, making sure to use -A to pass the local ssh-
  agent along, and also ssh to an account that does not have NOPASSWD sudo
  enabled. Then run 'sudo -i', which will segfault.
  
+ In the log file, an MD5 fingerprint that would show up like so:
+ 
+ pam_ssh_agent_auth: Found matching RSA key:
+ 
c9:20:ff:09:15:7b:a2:e6:59:e3:a7:4a:60:0c:4f:61:1a:60:07:c9:d2:98:76:7f:71:4f:2f:d2:fc:00:c1:7d
+ 
+ would not show up like so:
+ 
+ pam_ssh_agent_auth: Found matching RSA key:
+ SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0
+ 
+ and would match the output of ssh-keygen -lf ~/.ssh/id_rsa.pub
+ 
  [regression potential]
  
- TBD
+ The fingerprint is only used when logging, so there is no impact on
+ functionality. If the patch is broken, pam authentication would fail, or
+ the message logged would be incorrect.
  
  [scope]
  
  the use of MD5 fingerprint is still in upstream code, so this may need
  to be fixed there and in all releases. alternately, a FIPS-compliant
  package could be created.
  
  [other info]
  
  the openssl FIPS addition that causes this is:
  
- #ifdef OPENSSL_FIPS   


- if (FIPS_mode()) {


- if (!(type->flags & EVP_MD_FLAG_FIPS) 


- && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {  


- EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); 


- return 0; 


- } 


- } 


- #endif


+ #ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (!(type->flags & EVP_MD_FLAG_FIPS)
+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+ }
+ #endif
  
  so pam-ssh-agent-auth could set either flag to force openssl to allow
  this use of MD5; however the pam-ssh-agent-auth code that calls into
  openssl doesn't know what the md5 is going to be used for, so it may be
  more complex, and probably is much simpler just to stop using MD5 for
  the logged fingerprint.
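
Review bot: In the [test case] addition, the value introduced as an MD5 fingerprint (c9:20:ff:...:c1:7d) is 32 colon-separated octets, which is 256 bits, while an MD5 digest is 16 octets; it decodes to the same bytes as the SHA256:ySD/... value a few lines below, so it is the SHA256 digest in the old hex encoding and should either be replaced with a real 16-octet MD5 fingerprint or described as hex-encoded SHA256. In the same addition, "would not show up like so" reads as if "would now show up like so" was meant, given that the following line says the output matches ssh-keygen -lf. In the [impact] addition, "defaulted to SHA256 fingerprints by default" is redundant, and "pam-ssh-auth-agent" does not match the package name pam-ssh-agent-auth used everywhere else. Since [impact] attributes the crash to the unchecked EVP_DigestInit() result in pamsshagentauth_key_fingerprint_raw(), [regression potential] should also state whether the patch checks that return value, so that any future disallowed digest fails cleanly instead of reaching a null ctx->update.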

** Description changed:

  [impact]
  
  when in FIPS mode, MD5 is not allowed; however in
  pamsshagentauth_check_authkeys_file(), if a key match is found for a key
  is found, its MD5 fingerprint is generated in order to log the
  fingerprint. Unfortunately that calls into
  

[Bug 1964486] Re: crash when in FIPS mode

2022-03-18 Thread Tobias Heider
** Patch added: "pam-ssh-agent-auth_0.10.3-3ubuntu1.21.10.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486/+attachment/5570440/+files/pam-ssh-agent-auth_0.10.3-3ubuntu1.21.10.1.debdiff

[Bug 1964486] Re: crash when in FIPS mode

2022-03-18 Thread Tobias Heider
Here is a new debdiff for focal with improvements proposed by @mdeslaur

** Patch added: "pam-ssh-agent-auth_0.10.3-3ubuntu1.20.04.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486/+attachment/5570439/+files/pam-ssh-agent-auth_0.10.3-3ubuntu1.20.04.1.debdiff

[Bug 1964486] Re: crash when in FIPS mode

2022-03-17 Thread Tobias Heider
hey @ddstreet the security certs team would prefer a fix via SRU rather
than the FIPS PPA as the changes present a general improvement by
getting rid of the deprecated MD5 fingerprints and making them
compatible with what `ssh-keygen -l` outputs

[Bug 1964486] Re: crash when in FIPS mode

2022-03-17 Thread Tobias Heider
I ported and tested the fix for impish and focal, see attached debdiff.

** Patch added: "Fix for impish and focal"
   
https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486/+attachment/5570087/+files/pam-ssh-agent-auth_0.10.3-3ubuntu2.debdiff

[Bug 1964486] Re: crash when in FIPS mode

2022-03-16 Thread Tobias Heider
> We should file a bug there with the patch.
>
> In addition, it looks like OpenSSH uses a "SHA256:" prefix and base64
> encodes the fingerprint. We should probably update the patch to do the
> same.

I updated the patch to also change the encoding and filed an upstream PR at
https://github.com/jbeverly/pam_ssh_agent_auth/pull/37/

[Bug 1964486] Re: crash when in FIPS mode

2022-03-16 Thread Tobias Heider
** Changed in: pam-ssh-agent-auth (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

[Bug 1964486] Re: crash when in FIPS mode

2022-03-16 Thread Tobias Heider
Fixed in jammy with 
https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-3.1ubuntu1
As not using md5 is an improvement for everyone (ssh defaults to sha256 
fingerprints since at least bionic) we think getting the fix in via SRU makes 
more sense than a FIPS-specific package.

[Bug 1964486] Re: crash when in FIPS mode

2022-03-16 Thread Tobias Heider
** Changed in: pam-ssh-agent-auth (Ubuntu Jammy)
   Status: Fix Released => Fix Committed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Marc Deslauriers
This appears to be the new repo from which 0.10.3 was obtained:

https://github.com/jbeverly/pam_ssh_agent_auth

We should file a bug there with the patch.

In addition, it looks like OpenSSH uses a "SHA256:" prefix and base64
encodes the fingerprint. We should probably update the patch to do the
same.

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Marc Deslauriers
Oh, actually it looks like upstream development moved somewhere else,
and is no longer the repo on the sourceforge page.

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Marc Deslauriers
Upstream is dead. And while we could send this to Debian, I doubt they
would care about an issue that is only important when FIPS is enabled.

As for sha256 vs MD5, OpenSSH switched fingerprints to sha256 in 2014.
So while we could attempt to see if FIPS mode is enabled before using
MD5, the best solution is to simply switch to what OpenSSH has been
using for the past 8 years.

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Dan Streetman
> Default to SHA256 for key fingerprints.

Typically changes should go upstream first, and it doesn't seem this was
patched upstream yet or even an issue opened? And not patched in Debian
yet either?

> MD5 is long deprecated, OpenSSH has switched to SHA256.

Is this accurate even for key fingerprints used only in log messages? I
didn't think that the hash function really mattered from a security
perspective if used only for key fingerprints (this is a hash of the
*public* key, right?), and md5 fingerprints seem fairly common still?
Shouldn't this change at least be proposed upstream before making this
change in ubuntu? Making this change only for FIPS would be one thing,
but unilaterally changing this for all users might not be appropriate?

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Launchpad Bug Tracker
This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3.1ubuntu1

---
pam-ssh-agent-auth (0.10.3-3.1ubuntu1) jammy; urgency=medium

  * debian/patches/fingerprint_sha256.patch: Default to SHA256 for key
    fingerprints. MD5 is long deprecated, OpenSSH has switched to SHA256.
    This will also allow the package to work in FIPS mode: (LP: #1964486)

 -- Tobias Heider  Tue, 15 Mar 2022 15:23:23 +0100

** Changed in: pam-ssh-agent-auth (Ubuntu Jammy)
   Status: Confirmed => Fix Released

[Bug 1964486] Re: crash when in FIPS mode

2022-03-14 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pam-ssh-agent-auth (Ubuntu Impish)
   Status: New => Confirmed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-14 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pam-ssh-agent-auth (Ubuntu Focal)
   Status: New => Confirmed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-14 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pam-ssh-agent-auth (Ubuntu)
   Status: New => Confirmed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-14 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pam-ssh-agent-auth (Ubuntu Bionic)
   Status: New => Confirmed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-10 Thread Dan Streetman
@ubuntu-security team, as this only affects FIPS, could you take a look
at this and determine if you should create a FIPS-specific version of
this package?

** Also affects: pam-ssh-agent-auth (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: pam-ssh-agent-auth (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Also affects: pam-ssh-agent-auth (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: pam-ssh-agent-auth (Ubuntu Focal)
   Importance: Undecided
   Status: New
