FYI - Colin has merged the fix, uploaded to Debian and synced to Zesty.
But the sync is blocked by an issue with another bundled fix (see bug 1668093).
Just checked affected Releases for the SRUs to be prepared:
- Trusty: not affected
- Xenial: affected
- Yakkety: affected
That is just the set I prepare the SRU for anyway, as discussed including the
fix in my prep.
And adding a proper SRU Template here now + bug tasks ...
** Description changed:
+ [Impact]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+ explanation of how the upload fixes this bug.
+
+ [Test Case]
+
+ * Further evolving from the simplification Josh provided:
+ Testcase:
+ $ release=xenial
+ $ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-client
+ $ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-server
+ $ lxc exec ${release}-test-ssh-port-scan-server -- sed -i 's/Port 22/Port 2222/' /etc/ssh/sshd_config
+ $ lxc exec ${release}-test-ssh-port-scan-server -- service ssh restart
+ $ IP=$(lxc exec ${release}-test-ssh-port-scan-server -- hostname --ip-address)
+ $ lxc exec ${release}-test-ssh-port-scan-client -- ssh-keyscan -H -p 2222 ${IP}
+
+ # See the port in the Hash still
+
+ # Install the fixed version in *-client and see the port gone from the output
+
+ [Regression Potential]
+
+ * Change is limited to ssh-keyscan (not touching any other parts of openssh)
+ * Fix is from upstream (no "Ubuntu special" change)
+ * Fix is small and "only" changing string creation (11 lines touched)
+ So overall the regression potential should be low.
+
+ [Other Info]
+
+ * n/a
+
+
+ ---
+
When I use the port option with ssh-keygen, the result is not compatible
with ssh known_host file format.
UBUNTU VERSION :
================
lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
-
BAD :
============
:~/.ssh$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
:~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
# [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we see the port number because it is not hashed !
GOOD :
============
rm ~/.ssh/known_hosts
:~/$ ssh -p [...port...] [...snip...]
The authenticity of host '[[...snip...]]:[...port...] ([[...snip...]]:[...port...])' can't be established.
ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list of known hosts.
- [...snip...]@[...snip...]'s password:
+ [...snip...]@[...snip...]'s password:
:~/$ !cat
cat ~/.ssh/known_hosts
|1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
|1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we cannot see the port number as it is well hashed !
REMARKS :
==============
The same problem has already been reported here (on macOS):
https://github.com/ansible/ansible-modules-extras/issues/2651
It seems that the ssh-keyscan version and the OpenSSH version differ:
dpkg -l | grep openssh :: ii openssh-client 1:7.2p2-4ubuntu2.1 [...]
ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
It is very annoying because I am trying to manage hand-installed VMs
with Ansible. For that I want to automate storing SSH host keys in the
known_hosts database, and because of this bug I can't (ansible KIKIN
project in development).
Thank you,
BR,
Gautier HUSSON.
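The BAD/GOOD comparison above comes down to what string gets fed into the HashKnownHosts HMAC. ssh(1) names a non-standard-port host as "[host]:port" and hashes that whole string, so the port disappears into the hash; the pre-fix ssh-keyscan -H -p hashed only the bare host name and then wrapped the hash as "[<hash>]:port", which both leaks the port and produces a token ssh(1) will never match when it looks up "[host]:2222". The following is an added illustration of that difference, written for this page and not taken from the bug report, OpenSSH, or the fix itself. The host name, the fixed salt and the key blob are constructed sample values; the "|1|salt|HMAC-SHA1" token layout is OpenSSH's documented hashed-hostname format.

```python
# Added example: OpenSSH hashed known_hosts tokens, the correct "[host]:port"
# hashing ssh(1) performs, and the pre-fix ssh-keyscan -H -p layout described
# in the bug. Host, salt and key below are constructed, not from the report.
import base64
import hashlib
import hmac
import os
import re
from typing import Optional


def host_pattern(host: str, port: int = 22) -> str:
    """Name ssh(1) stores for a host: bare name on port 22, "[host]:port" otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_host(name: str, salt: Optional[bytes] = None) -> str:
    """Build a "|1|<b64 salt>|<b64 mac>" token: HMAC-SHA1 keyed by a 20-byte salt."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def token_matches(token: str, name: str) -> bool:
    """True if a known_hosts host field (hashed or plain) was written for `name`."""
    if not token.startswith("|1|"):
        return token == name
    _, _, salt_b64, mac_b64 = token.split("|")
    expected = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def fixed_keyscan_host(host: str, port: int, salt: bytes) -> str:
    """Post-fix ssh-keyscan -H -p: the HMAC covers "[host]:port" as one string."""
    return hash_host(host_pattern(host, port), salt)


def buggy_keyscan_host(host: str, port: int, salt: bytes) -> str:
    """Pre-fix layout from the report: HMAC over the bare host, then "[<hash>]:port"."""
    return f"[{hash_host(host, salt)}]:{port}"


def leaks_port(token: str) -> bool:
    """Does a supposedly hashed host field still carry the port in clear text?"""
    return bool(re.fullmatch(r"\[\|1\|[^|]+\|[^|\]]+\]:\d+", token))


def find_host_key(known_hosts: str, host: str, port: int) -> Optional[str]:
    """Return "keytype blob" of the first line ssh(1) would accept for host:port."""
    wanted = host_pattern(host, port)
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue
        # The host field may hold several comma-separated patterns.
        if any(token_matches(t, wanted) for t in fields[0].split(",")):
            return fields[1] + " " + fields[2]
    return None


# Constructed sample data (hypothetical host, deterministic salt, dummy key blob).
HOST, PORT = "server.example.test", 2222
SALT = bytes(range(20))
KEY = "ecdsa-sha2-nistp256 AAAA-constructed-key-blob-not-a-real-key"
BUGGY_LINE = f"{buggy_keyscan_host(HOST, PORT, SALT)} {KEY}"
FIXED_LINE = f"{fixed_keyscan_host(HOST, PORT, SALT)} {KEY}"

if __name__ == "__main__":
    print("buggy:", BUGGY_LINE.split()[0], "leaks port:", leaks_port(BUGGY_LINE.split()[0]))
    print("fixed:", FIXED_LINE.split()[0], "leaks port:", leaks_port(FIXED_LINE.split()[0]))
    print("ssh finds key in buggy line:", find_host_key(BUGGY_LINE, HOST, PORT) is not None)
    print("ssh finds key in fixed line:", find_host_key(FIXED_LINE, HOST, PORT) is not None)
```

Running it shows the two consequences the report describes: the buggy token ends in ":2222" in plain text, and a lookup for "[server.example.test]:2222" finds the key only through the fixed line. The same `leaks_port` check, run over a known_hosts file produced by an older ssh-keyscan, is a quick way to find entries that need regenerating after the fix is installed.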
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1670745
Title:
ssh-keyscan : bad host signature when using port option
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs