Bug#926613: openssh-server: Locked out of server after upgrading to buster.

Sun, 07 Apr 2019 13:48:38 -0700 

Package: openssh-server
Severity: serious
Justification: Policy 8.2

Dear Maintainer,

Due to a change in how some options are handled in sshd_config, upgrading to 
buster can result in the user getting locked out of their system if the config 
is not updated.

Probably the most likely cause (and what occurred to me) is if the 
PubkeyAcceptedKeyTypes includes ssh-rsa and the admin logs in with an RSA key. 
After upgrading, the user will no longer be able to connect to the server.
The solution for this case is to replace ssh-rsa with rsa-sha2-256,rsa-sha2-512.

At the very least this needs to be mentioned in the upgrade instructions in the 
release notes for buster.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-47-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set 
LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_GB:en (charmap=locale: Cannot set LC_MESSAGES to default 
locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.6
ii  libaudit1              1:2.8.4-2
ii  libc6                  2.28-8
ii  libcom-err2            1.44.5-1
ii  libgssapi-krb5-2       1.17-2
ii  libkrb5-3              1.17-2
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1b-1
ii  libsystemd0            241-1
pn  libwrap0               <none>
ii  lsb-base               10.2019031300
ii  openssh-client         1:7.9p1-9
pn  openssh-sftp-server    <none>
pn  procps                 <none>
pn  ucf                    <none>
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd  241-1
pn  ncurses-term    <none>
ii  xauth           1:1.0.10-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

Reply via email to