** Description changed:

  [ Impact ]
  
  The upstream change in certificate generation in opkssh version >= 0.14
  has caused an incompatibility with the opkssh verify component in Ubuntu.
  Certificates generated with opkssh >= 0.14 will not work with older
  versions. Version 0.15 introduces a compatibility flag to generate
  certificates for older versions, but those certificates are incompatible
  with newer versions.
  
  [ Test Case ]
  
  Prerequisites to reproduce the bug
   * requires an OpenID Connect server, e.g. Keycloak
   * setup openssh server with opkssh from ubuntu resolute repository
   * install and configure opkssh >= 0.14 on your client (operating system doesn't matter)
  
  Run
   * opkssh login
   * ssh [email protected]
  
  The login fails due to the newly introduced wildcard principal.
  
+ I've verified the merge proposal in
+ https://code.launchpad.net/~felixvollmer/ubuntu/+source/opkssh/+git/opkssh/+merge/507446
+ with an Ubuntu server. I installed the patched opkssh version
+ (0.10.0-3ubuntu0.1) and verified with different opkssh client versions.
+ After the patch the certificates were accepted without any issue.
+ 
+ Tested Versions:
+ client version opkssh v0.15:
+ opkssh login --principals=
+ opkssh login
+ 
+ client version opkssh v0.14:
+ opkssh login
+ 
+ client version opkssh v0.13:
+ opkssh login
+ 
  [ Where problems could occur ]
  
  Patching the verify logic could introduce certificate validation issues.
  It is important to test that old and new certificates are successfully
  validated (use opkssh <=0.13 and >=0.14). Worst case scenario would be
  the introduction of an authorization bypass or a user lockout.
  
  For this reason the fix for the verify logic is a 1:1 copy of the
  upstream changes.
  
  [ Other Info ]
  
  Upstream also patches `commands/login.go`. These changes would be
  needed to log in to newer servers. Might be interesting for another
  patch.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158289

Title:
  opkssh server component won't accept certificates from newer
  clients

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opkssh/+bug/2158289/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
