Mantic verification

In all architectures, except i386, the new test passed.

Here is a log from the amd64 run[1]:

4333s autopkgtest [16:47:27]: test ssh-gssapi: [-----------------------
4333s ## Setting up test environment
4333s ## Creating Kerberos realm EXAMPLE.FAKE
4333s Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.FAKE',
4333s master key name 'K/m...@example.fake'
4333s ## Creating principals
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Principal "testuser1...@example.fake" created.
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Principal "host/sshd-gssapi.example.f...@example.fake" created.
4333s ## Extracting service principal host/sshd-gssapi.example.fake
4333s Authenticating as principal root/ad...@example.fake with password.
4333s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
4333s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
4333s ## Adjusting /etc/krb5.conf
4333s ## TESTS
4333s 
4333s ## TEST test_gssapi_login
4333s ## Configuring sshd for gssapi-with-mic authentication
4333s ## Restarting ssh
4333s ## Obtaining TGT
4333s Password for testuser1...@example.fake: 
4333s Ticket cache: FILE:/tmp/krb5cc_0
4333s Default principal: testuser1...@example.fake
4333s 
4333s Valid starting     Expires            Service principal
4333s 04/05/24 16:47:27  04/06/24 02:47:27  krbtgt/example.f...@example.fake
4333s   renew until 04/06/24 16:47:27
4333s 
4333s ## ssh'ing into localhost using gssapi-with-mic auth
4333s Warning: Permanently added 'sshd-gssapi.example.fake' (ED25519) to the list of known hosts.
4334s Fri Apr  5 16:47:27 UTC 2024
4334s 
4334s ## checking that we got a service ticket for ssh (host/)
4334s 04/05/24 16:47:27  04/06/24 02:47:27  host/sshd-gssapi.example.fake@
4334s   Ticket server: host/sshd-gssapi.example.f...@example.fake
4334s 
4334s ## Checking ssh logs to confirm gssapi-with-mic auth was used
4334s Apr 05 16:47:27 sshd-gssapi.example.fake sshd[1688]: Accepted gssapi-with-mic for testuser1620 from 127.0.0.1 port 44922 ssh2: testuser1...@example.fake
4334s ## PASS test_gssapi_login
4334s 
4334s ## TEST test_gssapi_keyex_login
4334s ## Configuring sshd for gssapi-keyex authentication
4334s ## Restarting ssh
4334s ## Obtaining TGT
4334s Password for testuser1...@example.fake: 
4334s Ticket cache: FILE:/tmp/krb5cc_0
4334s Default principal: testuser1...@example.fake
4334s 
4334s Valid starting     Expires            Service principal
4334s 04/05/24 16:47:28  04/06/24 02:47:28  krbtgt/example.f...@example.fake
4334s   renew until 04/06/24 16:47:28
4334s 
4334s ## ssh'ing into localhost using gssapi-keyex auth
4334s Fri Apr  5 16:47:28 UTC 2024
4334s 
4334s ## checking that we got a service ticket for ssh (host/)
4334s 04/05/24 16:47:28  04/06/24 02:47:28  host/sshd-gssapi.example.fake@
4334s   Ticket server: host/sshd-gssapi.example.f...@example.fake
4334s 
4334s ## Checking ssh logs to confirm gssapi-keyex auth was used
4334s Apr 05 16:47:28 sshd-gssapi.example.fake sshd[1758]: Accepted gssapi-keyex for testuser1620 from 127.0.0.1 port 44930 ssh2: testuser1...@example.fake
4334s ## PASS test_gssapi_keyex_login
4334s 
4334s ## ALL TESTS PASSED
4334s ## Cleaning up
4334s autopkgtest [16:47:28]: test ssh-gssapi: -----------------------]
4335s ssh-gssapi           PASS
4335s autopkgtest [16:47:29]: test ssh-gssapi:  - - - - - - - - - - results - - - - - - - - - -
4335s autopkgtest [16:47:29]: @@@@@@@@@@@@@@@@@@@@ summary
4335s regress              PASS
4335s systemd-socket-activation PASS
4335s ssh-gssapi           PASS


Mantic verification succeeded.


1. https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/o/openssh/20240405_164750_3a52b@/log.gz

** Tags removed: verification-needed-mantic
** Tags added: verification-done-mantic

https://bugs.launchpad.net/bugs/2053146

Title:
  openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is
  slightly wrong

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Jammy:
  Fix Committed
Status in openssh source package in Mantic:
  Fix Committed
Status in openssh source package in Noble:
  Fix Released

Bug description:
  [ Impact ]

  The gssapi-keyex authentication mechanism has been inadvertently
  broken in openssh. It comes from a distro patch[1], and while the
  patch still applied, it was no longer correct.

  Without the fix, sshd will fail to start if gssapi-keyex is listed in
  the AuthenticationMethods of the server, and if not, sshd will still
  start, but gssapi-keyex will not be available.

  [ Test Plan ]

  This update, besides fixing the patch, also adds a new autopkgtest to
  the package, which tests both gssapi-with-mic ("normal" gssapi, which
  is not affected by this bug), and gssapi-keyex, which, before this
  update, did not work.

  The test plan is to run the new ssh-gssapi autopkgtest and verify it
  succeeds.

  [ Where problems could occur ]

  ssh is a critical piece of infrastructure, and problems with it could
  have catastrophic consequences. The service itself has a test command
  before it starts up to verify the syntax of the config file, but that
  test is not applied on shutdown, so a restart with an invalid config
  file could still leave sshd dead.

  The patch adds a change to an authentication structure, but that
  change is already present in the upstream code, and we are just
  updating it in the new gssapi-keyex code (introduced by the distro[1]
  patch, already present). Therefore, mistakes here should manifest
  themselves just in the gssapi-keyex code, which wasn't working anyway.
  Effectively, though, we are enabling a new authentication mechanism in
  sshd, one that was not supposed to have been removed, but was broken
  by mistake.

  [ Other Info ]

  The fact no-one noticed this problem for more than two years could be
  telling that there are not many users of this authentication mechanism
  out there. The same applies to Debian: it has also been broken for a
  while there. Maybe we should drop it for future Ubuntu releases, since
  upstream refuses to take it in.

  1. https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/gssapi.patch

  [ Original Description ]

  The Authmethod struct now has 4 entries, but the initialization of
  method_gsskeyex in debian/patches/gssapi.patch only has 3 entries.

  The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
  ===
  @@ -104,7 +104,8 @@ struct Authctxt {

   struct Authmethod {
          char    *name;
  -       int     (*userauth)(struct ssh *);
  +       char    *synonym;
  +       int     (*userauth)(struct ssh *, const char *);
          int     *enabled;
   };

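Review bot: inserting `char *synonym;` between `name` and `userauth` changes the positional layout of every `struct Authmethod` initializer, so any brace-initializer that is not in this tree (the distro gssapi.patch's `method_gsskeyex` being the case at hand) keeps compiling while its values shift one slot; the commit message should flag that out-of-tree initializers need a matching entry, and designated initializers (`.name =`, `.synonym =`, ...) would turn such a mismatch into a compile-time error instead of a silently disabled method.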
  ===

  The incorrect code does
  ===
  +Authmethod method_gsskeyex = {
  +       "gssapi-keyex",
  +       userauth_gsskeyex,
  +       &options.gss_authentication
  +};
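Review bot: against the 4-field struct this 3-entry positional initializer puts `userauth_gsskeyex` into `synonym` and `&options.gss_authentication` into `userauth`, leaving `enabled` NULL; add a `NULL` second entry for `synonym` (or switch to `.name = "gssapi-keyex", .synonym = NULL, .userauth = userauth_gsskeyex, .enabled = &options.gss_authentication`) so the handler and enable flag land in the intended fields.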
  ===
  but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex

  This is now (change from Focal) causing gssapi-keyex to be disabled.

  ===
  lsb_release -rd
  Description:  Ubuntu 22.04.3 LTS
  Release:      22.04

  ===
  apt-cache policy openssh-server
  openssh-server:
    Installed: 1:8.9p1-3ubuntu0.6
    Candidate: 1:8.9p1-3ubuntu0.6
    Version table:
   *** 1:8.9p1-3ubuntu0.6 500
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1:8.9p1-3 500
          500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages

  ===
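As an added illustration (not code from the bug report, the distro patch or OpenSSH itself), here is the post-commit struct layout with a field-complete initializer for method_gsskeyex, written with designated initializers so that a future field insertion fails to compile rather than shifting values; `struct ssh`, `options`, `userauth_gsskeyex` and the two helper functions are stand-ins assumed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for sshd's types and option table (assumption: not sshd's real code). */
struct ssh;
static struct { int gss_authentication; } options = { 1 };

/* Layout after upstream commit dbb339f015c33d63484261d140c84ad875a9e548:
 * `synonym` sits between `name` and `userauth`, so a 3-entry positional
 * initializer lands the handler in `synonym` and the flag pointer in `userauth`. */
typedef struct Authmethod {
	char	*name;
	char	*synonym;
	int	(*userauth)(struct ssh *, const char *);
	int	*enabled;
} Authmethod;

/* Stand-in for the distro patch's handler; returns 0 so the table can be exercised offline. */
static int userauth_gsskeyex(struct ssh *ssh, const char *method)
{
	(void)ssh; (void)method;
	return 0;
}

/* Same content as the corrected 4-entry initializer ("gssapi-keyex", NULL,
 * userauth_gsskeyex, &options.gss_authentication), but naming each field makes
 * the initializer independent of field order. */
Authmethod method_gsskeyex = {
	.name     = "gssapi-keyex",
	.synonym  = NULL,
	.userauth = userauth_gsskeyex,
	.enabled  = &options.gss_authentication,
};

/* Startup sanity check (assumed helper): a usable method needs a name, a handler
 * and an enable flag.  The mis-shifted initializer fails this on `enabled`. */
int authmethod_is_valid(const Authmethod *m)
{
	return m != NULL && m->name != NULL && m->userauth != NULL && m->enabled != NULL;
}

/* Simplified lookup by name or synonym over a NULL-terminated table (assumed helper). */
const Authmethod *authmethod_lookup(const Authmethod *const *table, const char *name)
{
	for (size_t i = 0; table[i] != NULL; i++) {
		if (strcmp(table[i]->name, name) == 0 ||
		    (table[i]->synonym != NULL && strcmp(table[i]->synonym, name) == 0))
			return table[i];
	}
	return NULL;
}
```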
