[Bug 1964486] Re: crash when in FIPS mode

2022-03-30 Thread Launchpad Bug Tracker
This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3ubuntu1.20.04.1 --- pam-ssh-agent-auth (0.10.3-3ubuntu1.20.04.1) focal; urgency=medium * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64 encoding for key fingerprints. MD5 fingerprints are

[Bug 1964486] Re: crash when in FIPS mode

2022-03-30 Thread Launchpad Bug Tracker
This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-1ubuntu0.1 --- pam-ssh-agent-auth (0.10.3-1ubuntu0.1) bionic; urgency=medium * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64 encoding for key fingerprints. MD5 fingerprints are deprecated,

[Bug 1964486] Re: crash when in FIPS mode

2022-03-30 Thread Launchpad Bug Tracker
This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3ubuntu1.21.10.1 --- pam-ssh-agent-auth (0.10.3-3ubuntu1.21.10.1) impish; urgency=medium * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64 encoding for key fingerprints. MD5 fingerprints are

[Bug 1964486] Re: crash when in FIPS mode

2022-03-23 Thread Tobias Heider
I have tested all three packages and they seem to work as intended. The updated packages also log the correct ssh fingerprint. Below is the log output of all versions as well as ssh-keygen -l for comparison. bionic with version 0.10.3-1ubuntu0.1 sec-bionic-amd64 sudo[11266]: pam_ssh_agent_auth:

[Bug 1964486] Re: crash when in FIPS mode

2022-03-22 Thread Brian Murray
Hello Dan, or anyone else affected, Accepted pam-ssh-agent-auth into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-3ubuntu1.20.04.1 in a few hours, and then in the -proposed repository. Please help us by testing

[Bug 1964486] Re: crash when in FIPS mode

2022-03-22 Thread Brian Murray
Hello Dan, or anyone else affected, Accepted pam-ssh-agent-auth into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-3ubuntu1.21.10.1 in a few hours, and then in the -proposed repository. Please help us by testing

[Bug 1964486] Re: crash when in FIPS mode

2022-03-21 Thread Marc Deslauriers
ACK on the debdiff in comment #18, except for the unexpected change to 0001-authfd.c-check-return-value-of-seteuid-2.patch. Package uploaded for processing by the SRU team. Thanks! ** Changed in: pam-ssh-agent-auth (Ubuntu Bionic) Status: Confirmed => In Progress -- You received this bug

[Bug 1964486] Re: crash when in FIPS mode

2022-03-21 Thread Tobias Heider
one more for bionic ** Patch added: "pam-ssh-agent-auth_0.10.3-1ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/bionic/+source/pam-ssh-agent-auth/+bug/1964486/+attachment/5571259/+files/pam-ssh-agent-auth_0.10.3-1ubuntu0.1.debdiff

[Bug 1964486] Re: crash when in FIPS mode

2022-03-18 Thread Marc Deslauriers
ACK on the debdiffs in #15 and #16, they look reasonable. Uploaded for processing by the SRU team. Thanks! ** Changed in: pam-ssh-agent-auth (Ubuntu Focal) Status: Confirmed => In Progress ** Changed in: pam-ssh-agent-auth (Ubuntu Impish) Status: Confirmed => In Progress

[Bug 1964486] Re: crash when in FIPS mode

2022-03-18 Thread Marc Deslauriers
** Description changed: [impact] when in FIPS mode, MD5 is not allowed; however in pamsshagentauth_check_authkeys_file(), if a key match is found, its MD5 fingerprint is generated in order to log the fingerprint. Unfortunately that calls into

[Bug 1964486] Re: crash when in FIPS mode

2022-03-18 Thread Tobias Heider
** Patch added: "pam-ssh-agent-auth_0.10.3-3ubuntu1.21.10.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486/+attachment/5570440/+files/pam-ssh-agent-auth_0.10.3-3ubuntu1.21.10.1.debdiff

[Bug 1964486] Re: crash when in FIPS mode

2022-03-18 Thread Tobias Heider
Here is a new debdiff for focal with improvements proposed by @mdeslaur ** Patch added: "pam-ssh-agent-auth_0.10.3-3ubuntu1.20.04.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486/+attachment/5570439/+files/pam-ssh-agent-auth_0.10.3-3ubuntu1.20.04.1.debdiff

[Bug 1964486] Re: crash when in FIPS mode

2022-03-17 Thread Tobias Heider
hey @ddstreet the security certs team would prefer a fix via SRU rather than the FIPS PPA as the changes present a general improvement by getting rid of the deprecated MD5 fingerprints and making them compatible with what `ssh-keygen -l` outputs

[Bug 1964486] Re: crash when in FIPS mode

2022-03-17 Thread Tobias Heider
I ported and tested the fix for impish and focal, see attached debdiff. ** Patch added: "Fix for impish and focal" https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486/+attachment/5570087/+files/pam-ssh-agent-auth_0.10.3-3ubuntu2.debdiff

[Bug 1964486] Re: crash when in FIPS mode

2022-03-16 Thread Tobias Heider
> We should file a bug there with the patch. > > In addition, it looks like OpenSSH uses a "SHA256:" prefix and base64 > encodes the fingerprint. We should probably update the patch to do the > same. I updated the patch to also change the encoding and filed an upstream PR at

[Bug 1964486] Re: crash when in FIPS mode

2022-03-16 Thread Tobias Heider
** Changed in: pam-ssh-agent-auth (Ubuntu Jammy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1964486 Title: crash when in FIPS mode To manage

[Bug 1964486] Re: crash when in FIPS mode

2022-03-16 Thread Tobias Heider
Fixed in jammy with https://launchpad.net/ubuntu/+source/pam-ssh-agent-auth/0.10.3-3.1ubuntu1 As not using md5 is an improvement for everyone (ssh defaults to sha256 fingerprints since at least bionic) we think getting the fix in via SRU makes more sense than a FIPS-specific package.

[Bug 1964486] Re: crash when in FIPS mode

2022-03-16 Thread Tobias Heider
** Changed in: pam-ssh-agent-auth (Ubuntu Jammy) Status: Fix Released => Fix Committed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Marc Deslauriers
This appears to be the new repo from which 0.10.3 was obtained: https://github.com/jbeverly/pam_ssh_agent_auth We should file a bug there with the patch. In addition, it looks like OpenSSH uses a "SHA256:" prefix and base64 encodes the fingerprint. We should probably update the patch to do the

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Marc Deslauriers
Oh, actually it looks like upstream development moved somewhere else, and is no longer the repo on the sourceforge page.

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Marc Deslauriers
Upstream is dead. And while we could send this to Debian, I doubt they would care about an issue that is only important when FIPS is enabled. As for sha256 vs MD5, OpenSSH switched fingerprints to sha256 in 2014. So while we could attempt to see if FIPS mode is enabled before using MD5, the best

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Dan Streetman
> Default to SHA256 for key fingerprints. Typically changes should go upstream first, and it doesn't seem this was patched upstream yet or even an issue opened? And not patched in Debian yet either? > MD5 is long deprecated, OpenSSH has switched to SHA256. is this accurate even for key

[Bug 1964486] Re: crash when in FIPS mode

2022-03-15 Thread Launchpad Bug Tracker
This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3.1ubuntu1 --- pam-ssh-agent-auth (0.10.3-3.1ubuntu1) jammy; urgency=medium * debian/patches/fingerprint_sha256.patch: Default to SHA256 for key fingerprints. MD5 is long deprecated, OpenSSH has switched to SHA256.

[Bug 1964486] Re: crash when in FIPS mode

2022-03-14 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: pam-ssh-agent-auth (Ubuntu Impish) Status: New => Confirmed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-14 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: pam-ssh-agent-auth (Ubuntu Focal) Status: New => Confirmed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-14 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: pam-ssh-agent-auth (Ubuntu) Status: New => Confirmed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-14 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: pam-ssh-agent-auth (Ubuntu Bionic) Status: New => Confirmed

[Bug 1964486] Re: crash when in FIPS mode

2022-03-10 Thread Dan Streetman
@ubuntu-security team, as this only affects FIPS, could you take a look at this and determine if you should create a FIPS-specific version of this package? ** Also affects: pam-ssh-agent-auth (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: pam-ssh-agent-auth (Ubuntu