** Description changed:

- The upstream opkssh had to change the certificate generation due to
- changes in upstream openssh. this makes  certificates generated with
- version >= 0.14 incompatible with the opkssh server component in ubuntu.
- opkssh 0.15 has a flag that can be used to generate a certificate that
- is compatible with older versions but not with the newer versions.
+ [ Impact ]
  
- See https://github.com/openpubkey/opkssh/issues/522 for details.
+ The upstream change in certificate generation in opkssh version >= 0.14
+ has caused incompatibility with the opkssh verify component in Ubuntu.
+ Certificates generated with opkssh >= 0.14 will not work with older
+ versions. Version 0.15 introduces a compatibility flag to generate
+ certificates for older versions, but those certificates are incompatible
+ with with newer versions.
  
- Ubuntu Version:
- Description:    Ubuntu 26.04 LTS
- Release:        26.04
+ [ Test Case ]
  
- Installed package Version
- opkssh:
-   Installed: 0.10.0-3
-   Candidate: 0.10.0-3
-   Version table:
-  *** 0.10.0-3 500
-         500 http://archive.ubuntu.com/ubuntu resolute/universe amd64 Packages
-         100 /var/lib/dpkg/status
+ Prequesites to reproduce the bug 
+  * reuires an openid connect server like e.g. keycloak
+  * setup openssh server with opkssh from ubuntu resolute repository
+  * install and configure opkssh >= 0.14 on your client (operating system 
doesn't matter)
+ 
+ Run
+  * opkssh login
+  * ssh [email protected]
+ 
+ the login fails due to the newly introduced wildcard principal
+ 
+ [ Where problems could occur ]
+ 
+ Patching the verify logic could introduce certificate validation issues.
+ It is important to test that old and new certificates are sucessfully
+ validated. Worst case scenario would be the introduction of an
+ authorization bypass or a user lockout.
+ 
+ For this reason the fix for the verify logic is a 1:1 copy of the
+ upstream changes.
+ 
+ [ Other Info ]
+ 
+ Upstream also patches `commands/login.go‎`. These changes would be
+ needed to login into newer servers. Might be interesting for another
+ patch
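Review bot: the [ Test Case ] in this revision ends at "the login fails due to the newly introduced wildcard principal" and states no expected result once the fix is applied; suggest adding a closing line such as "after the fix, `ssh` succeeds with both opkssh <=0.13 and >=0.14 clients" so that whoever verifies the SRU knows what a pass looks like, and naming the server-side log line or error that shows the rejection so the failure can be told apart from an unrelated OIDC or sshd misconfiguration. Minor: "with with newer versions" in [ Impact ] is a doubled word, and "Prequesites", "reuires" and "sucessfully" are misspelled.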

** Description changed:

  [ Impact ]
  
  The upstream change in certificate generation in opkssh version >= 0.14
  has caused incompatibility with the opkssh verify component in Ubuntu.
  Certificates generated with opkssh >= 0.14 will not work with older
  versions. Version 0.15 introduces a compatibility flag to generate
  certificates for older versions, but those certificates are incompatible
  with with newer versions.
  
  [ Test Case ]
  
- Prequesites to reproduce the bug 
-  * reuires an openid connect server like e.g. keycloak
-  * setup openssh server with opkssh from ubuntu resolute repository
-  * install and configure opkssh >= 0.14 on your client (operating system 
doesn't matter)
+ Prequesites to reproduce the bug
+  * reuires an openid connect server like e.g. keycloak
+  * setup openssh server with opkssh from ubuntu resolute repository
+  * install and configure opkssh >= 0.14 on your client (operating system 
doesn't matter)
  
  Run
-  * opkssh login
-  * ssh [email protected]
+  * opkssh login
+  * ssh [email protected]
  
  the login fails due to the newly introduced wildcard principal
  
  [ Where problems could occur ]
  
  Patching the verify logic could introduce certificate validation issues.
  It is important to test that old and new certificates are sucessfully
- validated. Worst case scenario would be the introduction of an
- authorization bypass or a user lockout.
+ validated (use opkssh <=0.13 and >=0.14). Worst case scenario would be
+ the introduction of an authorization bypass or a user lockout.
  
  For this reason the fix for the verify logic is a 1:1 copy of the
  upstream changes.
  
  [ Other Info ]
  
  Upstream also patches `commands/login.go‎`. These changes would be
  needed to login into newer servers. Might be interesting for another
  patch
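Review bot: the added "(use opkssh <=0.13 and >=0.14)" in [ Where problems could occur ] is the right regression pairing, since the stated worst cases are an authorization bypass or a lockout and only running both client generations exercises both directions, but the [ Test Case ] above still lists a single client "opkssh >= 0.14" and no old-client run; suggest moving that version pairing into the Test Case as two explicit runs with their expected outcomes. The changes to the "Prequesites" and "Run" lines in this revision are whitespace-only (trailing spaces), while the spelling errors noted in the previous revision remain.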

https://bugs.launchpad.net/bugs/2158289

Title:
  opkssh server component won't accept certificates with from newer
  clients
