Hey everyone, I can confirm the fix has been tested by our friends at Google (Anthos) for Focal 20.04, using the same patch used in 1:8.2p1-4ubuntu0.4 but *not* by using the package from focal-proposed itself. Hopefully this still suffices? Please let me know if not and I'll re-run the verification again using an instance pulling from focal-proposed.
[RATIONALE] Need SSH to authenticate a ``HostCertificate`` and an SSH agent that holds the corresponding host private key. The sshd_config has the following directives: -- HostCertificate the public host certificate whose public key matches the private key stored in the ssh agent -- HostKey the public key of the host keypair -- HostKeyAgent the socket of the ssh agent that holds the host private key Before the patch, this combination didn't work - even though it authenticated successfully the setup behaved as if ``HostCertificate`` was never configured (i.e. it authenticated using only the public key and the private key in the ssh agent). [VERIFICATION OF FIX] ```` sh-agent -a /path/agent-socket SSH_AUTH_SOCK=/path/agent-socket ssh-add -k /path/hostkey ```` Then ran ``sshd`` with: ```` HostCertificate /path/hostkey-cert.pub HostKey /path/hostkey.pub HostKeyAgent /path/agent-socket ```` Then configured the CA trust anchor on the client's side. (localhost was used, but it would be the same if a second host is used as a client) ```` ssh -vv localhost ```` shows the host certificate was seen and used. ** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1952421 Title: Issue on sshd finds correct private key for a certificate when using ssh-agent Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: Fix Committed Status in openssh source package in Hirsute: Fix Committed Status in openssh source package in Impish: Fix Committed Bug description: Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream [Impact] * HostCertificate and HostKeyAgent are not working together in sshd due to a mismatched certificate's public key and private key. The function ` `sshkey_equal_public()`` incorrectly compares the certificate's public key with a private key, never finding a match. The impact is that sshd cannot use said certificate *even though* its private key is indeed in ssh-agent. * What it should do is compare the certificate's public key with a public key in `sensitive_data`. * Having this SRU-ed is a direct ask from one of the major cloud partners. They are currently using a customised version of the package to work around this issue, and we would like them to use a package directly from our own archive. * Looping through sensitive_data.host_pubkeys[j] *instead* of sensitive_data.host_keys[j] fixes the issue [https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936] /* Find matching private key */ for (j = 0; j < options.num_host_key_files; j++) { if (sshkey_equal_public(key, sensitive_data.host_keys[j])) { sensitive_data.host_certificates[j] = key; break; } } vs. /* Find matching private key */ for (j = 0; j < options.num_host_key_files; j++) { if (sshkey_equal_public(key, sensitive_data.host_pubkeys[j])) { sensitive_data.host_certificates[j] = key; break; } } [Test Plan] * Due to the empirical nature of this bug, the test is quite straight forward. *Without* the fix, one cannot use certificates to authenticate successfully (e.g. ``sshd -c /path/to/certificate.pem``) whereas with the fix (assuming the certificate matches a host key) you can create a channel. [Where problems could occur] * This has already been fixed both upstream and in Jammy without issue. However, if a regression where to happen it would probably be in one of two ways: * A dependency/reverse-dependency issue stemming from the version bump that will happen if this fix is ported. We mitigate this risk by testing for these exact types of regression, and by selecting carefully what to label this new version. * Accidentally breaking a set up that was made to work around this bug in the first place. The risk of this is lower, as the most likely fix is the one being implemented here anyway. Though to mitigate this more we can describe exactly what is happening with the fix in the changelog. This affects every version of openssh back until Focal, at least. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
