** Description changed:

  [ Impact ]

  The upstream change in certificate generation in opkssh version >= 0.14 has caused an incompatibility with the opkssh verify component in Ubuntu. Certificates generated with opkssh >= 0.14 will not work with older versions. Version 0.15 introduces a compatibility flag to generate certificates for older versions, but those certificates are incompatible with newer versions.

  [ Test Case ]

  Prerequisites to reproduce the bug:
  * requires an OpenID Connect server, e.g. Keycloak
  * set up an OpenSSH server with opkssh from the Ubuntu resolute repository
  * install and configure opkssh >= 0.14 on your client (operating system doesn't matter)

  Run:
  * opkssh login
  * ssh [email protected]

  The login fails due to the newly introduced wildcard principal.

+ I've verified the merge proposal in
+ https://code.launchpad.net/~felixvollmer/ubuntu/+source/opkssh/+git/opkssh/+merge/507446
+ with an Ubuntu server. I installed the patched opkssh version
+ (0.10.0-3ubuntu0.1) and verified with different opkssh client versions.
+ After the patch the certificates were accepted without any issue.
+
+ Tested versions:
+ client version opkssh v0.15:
+ opkssh login --principals=
+ opkssh login
+
+ client version opkssh v0.14:
+ opkssh login
+
+ client version opkssh v0.13:
+ opkssh login
+
  [ Where problems could occur ]

  Patching the verify logic could introduce certificate validation issues. It is important to test that old and new certificates are successfully validated (use opkssh <= 0.13 and >= 0.14). The worst-case scenario would be the introduction of an authorization bypass or a user lockout. For this reason the fix for the verify logic is a 1:1 copy of the upstream changes.

  [ Other Info ]

  Upstream also patches `commands/login.go`. These changes would be needed to log in to newer servers. Might be interesting for another patch.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158289

Title:
  opkssh server component won't accept certificates from newer clients

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opkssh/+bug/2158289/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
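The bug report above says the patched verify component was tested against certificates from several client versions, but it does not show how to see what a given certificate actually carries. The following is an added example, not code from the bug report or from the opkssh project: a minimal parser for the OpenSSH certificate wire format (the layout documented in OpenSSH's PROTOCOL.certkeys for ssh-ed25519-cert-v01@openssh.com) that extracts the key ID and the valid-principals list from a one-line `.pub` certificate entry, plus two illustrative acceptance policies, one that requires a literal match on the login name and one that also honours a wildcard entry. The report does not say what the wildcard principal looks like, so the `*` string, the `build_ed25519_cert` helper that constructs unsigned sample certificates, and both policy functions are assumptions made for this example; the signature is a dummy and is not checked.

```python
"""Inspect the principals carried by an OpenSSH user certificate.

Added example; not opkssh code. Parses the OpenSSH certificate blob format
(PROTOCOL.certkeys) far enough to list the principals, so certificates
produced by different client versions can be compared offline.
"""
import base64
import struct
from dataclasses import dataclass

CERT_TYPE_USER = 1
CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"
# Assumption: the bug report does not state what the "wildcard principal"
# string is; "*" is only a placeholder for this example.
WILDCARD_PRINCIPAL = "*"


def _put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _get_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def pack_principals(principals) -> bytes:
    """valid principals is itself a string containing packed strings."""
    return b"".join(_put_string(p.encode()) for p in principals)


def build_ed25519_cert(key_id: str, principals, serial: int = 1) -> str:
    """Construct a sample (unsigned) ed25519 user certificate as a .pub line.

    Constructed test input: zeroed key and nonce, empty signature. Only the
    structure matters here, so the result is NOT a usable credential.
    """
    pk = bytes(32)
    blob = b"".join([
        _put_string(CERT_ALGO),
        _put_string(bytes(32)),                    # nonce
        _put_string(pk),                           # ed25519 public key
        struct.pack(">Q", serial),                 # serial
        struct.pack(">I", CERT_TYPE_USER),         # type (1 = user cert)
        _put_string(key_id.encode()),              # key id
        _put_string(pack_principals(principals)),  # valid principals
        struct.pack(">Q", 0),                      # valid after
        struct.pack(">Q", 2**64 - 1),              # valid before (forever)
        _put_string(b""),                          # critical options
        _put_string(b""),                          # extensions
        _put_string(b""),                          # reserved
        _put_string(_put_string(b"ssh-ed25519") + _put_string(pk)),  # CA key
        _put_string(b""),                          # signature (dummy)
    ])
    return CERT_ALGO.decode() + " " + base64.b64encode(blob).decode()


@dataclass
class CertInfo:
    key_id: str
    principals: list


def parse_cert(line: str) -> CertInfo:
    """Parse '<algo> <base64>' and return key id plus principal list."""
    algo, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    cert_type, off = _get_string(blob, 0)
    if algo.encode() != cert_type or cert_type != CERT_ALGO:
        raise ValueError(f"unsupported certificate type {cert_type!r}")
    _nonce, off = _get_string(blob, off)
    _pk, off = _get_string(blob, off)
    off += 8 + 4                      # skip serial (uint64) and type (uint32)
    key_id, off = _get_string(blob, off)
    princ_blob, off = _get_string(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = _get_string(princ_blob, p)
        principals.append(name.decode())
    return CertInfo(key_id.decode(), principals)


def accepted_by_exact_match(cert: CertInfo, login_user: str) -> bool:
    """Illustrative strict policy: the login name must be listed literally."""
    return login_user in cert.principals


def accepted_with_wildcard(cert: CertInfo, login_user: str) -> bool:
    """Illustrative relaxed policy: a wildcard entry matches any login name."""
    return WILDCARD_PRINCIPAL in cert.principals or login_user in cert.principals


if __name__ == "__main__":
    old_style = parse_cert(build_ed25519_cert("old-client", ["alice"]))
    new_style = parse_cert(build_ed25519_cert("new-client", [WILDCARD_PRINCIPAL]))
    for cert in (old_style, new_style):
        print(cert.key_id, cert.principals,
              "strict:", accepted_by_exact_match(cert, "alice"),
              "wildcard-aware:", accepted_with_wildcard(cert, "alice"))
```

Run against a real certificate, `parse_cert` takes the contents of the `*-cert.pub` file that `opkssh login` writes, so the principal list from each client version can be recorded before and after installing the patched server package; a certificate whose only principal is the wildcard is exactly the case the strict policy rejects and the wildcard-aware one accepts.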
