** Description changed:

  [Impact]
  
  The problem here is straightforward.
  The case is to fix manpages. They need to reflect a change done to the code 
some time ago. That problem might be annoying for users before being fixed.
  
  Backport upstream fix to Focal
  Origin:
  
https://github.com/openssh/openssh-portable/commit/53ea05e09b04fd7b6dea66b42b34d65fe61b9636
  
  [Test Plan]
  
  Make a container for testing:
  
  First option:
- $ lxc launch images:ubuntu/focal focal-test
+ $ lxc launch ubuntu:focal focal-test
  $ lxc shell focal-test
  
  Simply install the openssh package using ‘apt install’ and check
  ssh_config and sshd_config.
  
  Acutal results:
  
  1. Create a container using steps from above.
  2. Type in man ssh_config and check that as well as the sshd_config.
  3. You should spot the ssh-rsa entries in the manpage within the 
CASignatureAlgorithms section.
  
  Expected results:
  
  1. Create a container using steps from above.
  2. Type in man ssh_config and check that as well as the sshd_config.
  3. You shouldn't spot the ssh-rsa entries in the manpage within the 
CASignatureAlgorithms section.
  
  [Where problems could occur]
  
  Any code change might change the behavior of the package in a specific
  situation and cause other errors.
  
  Next things which might cause regression are new dependencies which
  might not align and it is obvious the dependencies are upgraded and it
  might be a problem, but it is really unlikely.
  
  Even none of the rather generic cases above does apply here as we only
  change non-functional content in the form of the man page; Therefore the
  only risk is out of re-building the package which could pick up
  something from e.g. a changed toolchain.
  
  [Other Info]
  
  Fixing this is nice for the users, but OTOH very low severity and would
  cause a package download and update on almost every Ubuntu in the world.
  Therefore we will mark this as block-proposed and keep it in focal-
  proposed so that a later real update (security or functional) will pick
  this up from -proposed and then fix it in the field for real.
  
  ----------------------------original
  report-------------------------------
  
  The release of OpenSSH 8.2 has removed `ssh-rsa` from the default list
  of CACertificateAlgorithms. However the latest `openssh-client` still
  ships the man page for ssh_config(5) that contains the following
  description:
  
       CASignatureAlgorithms
               Specifies which algorithms are allowed for signing of 
certificates
               by certificate authorities (CAs).  The default is:
  
                     
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                     ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
  
               ssh(1) will not accept host certificates signed using algorithms
               other than those specified.
  
  As far as I am concerned, `ssh-rsa` should be dropped from the list so
  as to match the behavior of ssh(1).
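
Review bot: The "First option:" label directly above the changed `lxc launch ubuntu:focal focal-test` line is not followed by any second option, so either drop the label or add the alternative it implies. The install step a few lines below also says only "the openssh package"; since the plan checks both ssh_config and sshd_config, naming the openssh-client and openssh-server packages there would make the test plan reproducible as written.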

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1871465

Title:
  ssh_config(5) contains outdated information

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Fix Committed
Status in openssh source package in Hirsute:
  Won't Fix
Status in openssh source package in Impish:
  Won't Fix

Bug description:
  [Impact]

  The problem here is straightforward.
  The case is to fix manpages. They need to reflect a change done to the code
  some time ago. That problem might be annoying for users before being fixed.

  Backport upstream fix to Focal
  Origin:
  https://github.com/openssh/openssh-portable/commit/53ea05e09b04fd7b6dea66b42b34d65fe61b9636

  [Test Plan]

  Make a container for testing:

  First option:
  $ lxc launch ubuntu:focal focal-test
  $ lxc shell focal-test

  Simply install the openssh package using ‘apt install’ and check
  ssh_config and sshd_config.

  Actual results:

  1. Create a container using steps from above.
  2. Type in man ssh_config and check that as well as the sshd_config.
  3. You should spot the ssh-rsa entries in the manpage within the
  CASignatureAlgorithms section.

  Expected results:

  1. Create a container using steps from above.
  2. Type in man ssh_config and check that as well as the sshd_config.
  3. You shouldn't spot the ssh-rsa entries in the manpage within the
  CASignatureAlgorithms section.

  [Where problems could occur]

  Any code change might change the behavior of the package in a specific
  situation and cause other errors.

  Next things which might cause regression are new dependencies which
  might not align and it is obvious the dependencies are upgraded and it
  might be a problem, but it is really unlikely.

  None of the rather generic cases above even applies here, as we only
  change non-functional content in the form of the man page; therefore
  the only risk comes from rebuilding the package, which could pick up
  something from e.g. a changed toolchain.

  [Other Info]

  Fixing this is nice for the users, but OTOH very low severity and
  would cause a package download and update on almost every Ubuntu in
  the world. Therefore we will mark this as block-proposed and keep it
  in focal-proposed so that a later real update (security or functional)
  will pick this up from -proposed and then fix it in the field for
  real.

  ---------------------------- original report -------------------------------

  The release of OpenSSH 8.2 has removed `ssh-rsa` from the default list
  of CACertificateAlgorithms. However the latest `openssh-client` still
  ships the man page for ssh_config(5) that contains the following
  description:

       CASignatureAlgorithms
               Specifies which algorithms are allowed for signing of certificates
               by certificate authorities (CAs).  The default is:

                     ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                     ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

               ssh(1) will not accept host certificates signed using algorithms
               other than those specified.

  As far as I am concerned, `ssh-rsa` should be dropped from the list so
  as to match the behavior of ssh(1).
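
The test plan above as a repeatable check instead of a visual inspection; this is an added example, not part of the bug report or of the OpenSSH packaging. The function names are assumptions, the "before" sample is the man page excerpt quoted in the report, and the "after" sample is constructed from it by dropping `ssh-rsa`.

```shell
#!/bin/sh
# Added example: check the CASignatureAlgorithms default documented in a man page.

# Print the default list of the CASignatureAlgorithms entry as one
# comma-separated line. stdin: plain man page text (e.g. man ssh_config | col -b).
ca_sig_default() {
    awk '
        /^[ \t]*CASignatureAlgorithms[ \t]*$/ { insec = 1; next }
        insec && /The default is:/           { inlist = 1; next }
        inlist && /^[ \t]*$/                 { if (got) exit; next }
        inlist  { gsub(/[ \t]/, ""); printf "%s", $0; got = 1 }  # list may wrap
        END     { if (got) print "" }
    '
}

# $1 = comma-separated list, $2 = algorithm; exact element match only, so
# rsa-sha2-256 is never mistaken for ssh-rsa.
list_has_alg() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# stdin: man page text. 0 = ssh-rsa absent from the documented default,
# 1 = still documented, 2 = entry not found (never report that as a pass).
check_manpage() {
    list=$(ca_sig_default)
    [ -n "$list" ] || return 2
    if list_has_alg "$list" ssh-rsa; then return 1; fi
    return 0
}

# Effective client value, to compare the documentation with ssh(1) itself.
runtime_ca_algs() {
    ssh -G localhost 2>/dev/null | awk '$1 == "casignaturealgorithms" { print $2 }'
}

# Sample input: the excerpt quoted in the report (before the fix).
SAMPLE_BEFORE='     CASignatureAlgorithms
             Specifies which algorithms are allowed for signing of certificates
             by certificate authorities (CAs).  The default is:

                   ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                   ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

             ssh(1) will not accept host certificates signed using algorithms
             other than those specified.'
# Constructed "after" sample: same text with ssh-rsa dropped from the list.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/,ssh-rsa$//')

printf '%s\n' "$SAMPLE_BEFORE" | check_manpage || echo "before: rc=$? (1 = ssh-rsa still documented)"
printf '%s\n' "$SAMPLE_AFTER"  | check_manpage && echo "after: ssh-rsa no longer documented"
```

Inside the test container, run `man ssh_config | col -b | check_manpage` and the same for `sshd_config`, then compare against `runtime_ca_algs`.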


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
