** Description changed:

- The upstream opkssh had to change the certificate generation due to
- changes in upstream openssh. this makes certificates generated with
- version >= 0.14 incompatible with the opkssh server component in ubuntu.
- opkssh 0.15 has a flag that can be used to generate a certificate that
- is compatible with older versions but not with the newer versions.
+ [ Impact ]
  
- See https://github.com/openpubkey/opkssh/issues/522 for details.
+ The upstream change in certificate generation in opkssh version >= 0.14
+ has caused incompatibility with the opkssh verify component in Ubuntu.
+ Certificates generated with opkssh >= 0.14 will not work with older
+ versions. Version 0.15 introduces a compatibility flag to generate
+ certificates for older versions, but those certificates are incompatible
+ with with newer versions.
  
- Ubuntu Version:
- Description: Ubuntu 26.04 LTS
- Release: 26.04
+ [ Test Case ]
  
- Installed package Version
- opkssh:
- Installed: 0.10.0-3
- Candidate: 0.10.0-3
- Version table:
- *** 0.10.0-3 500
- 500 http://archive.ubuntu.com/ubuntu resolute/universe amd64 Packages
- 100 /var/lib/dpkg/status
+ Prequesites to reproduce the bug
+ * reuires an openid connect server like e.g. keycloak
+ * setup openssh server with opkssh from ubuntu resolute repository
+ * install and configure opkssh >= 0.14 on your client (operating system doesn't matter)
+ 
+ Run
+ * opkssh login
+ * ssh [email protected]
+ 
+ the login fails due to the newly introduced wildcard principal
+ 
+ [ Where problems could occur ]
+ 
+ Patching the verify logic could introduce certificate validation issues.
+ It is important to test that old and new certificates are sucessfully
+ validated. Worst case scenario would be the introduction of an
+ authorization bypass or a user lockout.
+ 
+ For this reason the fix for the verify logic is a 1:1 copy of the
+ upstream changes.
+ 
+ [ Other Info ]
+ 
+ Upstream also patches `commands/login.go`. These changes would be
+ needed to login into newer servers. Might be interesting for another
+ patch
** Description changed:

  [ Impact ]
  
  The upstream change in certificate generation in opkssh version >= 0.14
  has caused incompatibility with the opkssh verify component in Ubuntu.
  Certificates generated with opkssh >= 0.14 will not work with older
  versions. Version 0.15 introduces a compatibility flag to generate
  certificates for older versions, but those certificates are incompatible
  with with newer versions.
  
  [ Test Case ]
  
- Prequesites to reproduce the bug
- * reuires an openid connect server like e.g. keycloak
- * setup openssh server with opkssh from ubuntu resolute repository
- * install and configure opkssh >= 0.14 on your client (operating system doesn't matter)
+ Prequesites to reproduce the bug
+ * reuires an openid connect server like e.g. keycloak
+ * setup openssh server with opkssh from ubuntu resolute repository
+ * install and configure opkssh >= 0.14 on your client (operating system doesn't matter)
  
  Run
- * opkssh login
- * ssh [email protected]
+ * opkssh login
+ * ssh [email protected]
  
  the login fails due to the newly introduced wildcard principal
  
  [ Where problems could occur ]
  
  Patching the verify logic could introduce certificate validation issues.
  It is important to test that old and new certificates are sucessfully
- validated. Worst case scenario would be the introduction of an
- authorization bypass or a user lockout.
+ validated (use opkssh <=0.13 and >=0.14). Worst case scenario would be
+ the introduction of an authorization bypass or a user lockout.
  
  For this reason the fix for the verify logic is a 1:1 copy of the
  upstream changes.
  
  [ Other Info ]
  
  Upstream also patches `commands/login.go`. These changes would be
  needed to login into newer servers. Might be interesting for another
  patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158289

Title:
  opkssh server component won't accept certificates with from newer clients

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
