Your message dated Tue, 16 Apr 2024 18:52:14 +0000
with message-id <e1rwnug-00awqh...@fasolo.debian.org>
and subject line Bug#1008675: fixed in pam-ssh-agent-auth 0.10.3-8
has caused the Debian Bug report #1008675,
regarding pam-ssh-agent-auth: Replace MD5 key fingerprints with SHA256 fingerprints as printed by ssh-keygen -l
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1008675: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008675
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pam-ssh-agent-auth
Severity: minor
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jammy ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64
    encoding for key fingerprints.  MD5 fingerprints are deprecated,
    OpenSSH has switched to SHA256 since OpenSSH 6.8.
    This will make the fingerprints compatible with ssh-keygen -l and allow
    the package to work in FIPS mode. (LP: #1964486)


Thanks for considering the patch.


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy
  APT policy: (1001, 'jammy')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-23-generic (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch 
pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch
--- pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch   
1970-01-01 01:00:00.000000000 +0100
+++ pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch   
2022-03-17 15:31:12.000000000 +0100
@@ -0,0 +1,116 @@
+Description: Switch key fingerprint hash algorithm from MD5 to SHA256.
+ Use the newer base64 encoding format introduced in OpenSSH 6.8 to produce
+ fingerprints compatible with ssh-keygen -l.
+Forwarded: yes
+Bug: https://github.com/jbeverly/pam_ssh_agent_auth/pull/37
+Bug-Ubuntu: 
https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486
+Author: Tobias Heider <tobias.hei...@canonical.com>
+
+Index: pam-ssh-agent-auth-0.10.3/key.c
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/key.c
++++ pam-ssh-agent-auth-0.10.3/key.c
+@@ -281,11 +281,8 @@ pamsshagentauth_key_fingerprint_raw(cons
+       *dgst_raw_length = 0;
+ 
+       switch (dgst_type) {
+-      case SSH_FP_MD5:
+-              md = EVP_md5();
+-              break;
+-      case SSH_FP_SHA1:
+-              md = EVP_sha1();
++      case SSH_FP_SHA256:
++              md = EVP_sha256();
+               break;
+       default:
+               pamsshagentauth_fatal("key_fingerprint_raw: bad digest type %d",
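Review bot: Removing the SSH_FP_MD5 and SSH_FP_SHA1 cases means any caller that still passes one of them now falls through to the `default:` branch and hits pamsshagentauth_fatal() at run time instead of failing to compile; the only caller this patch updates is in pam_user_key_allowed2.c, so the rest of the tree should be checked for other pamsshagentauth_key_fingerprint() calls before the patch is applied. The new case also assumes SSH_FP_SHA256 is already a member of enum fp_type, since the key.h hunk further down only extends enum fp_rep.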
+@@ -338,6 +335,31 @@ pamsshagentauth_key_fingerprint_raw(cons
+ }
+ 
+ static char *
++key_fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
++{
++      char *ret;
++      size_t plen = strlen(alg) + 1;
++      size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
++      int r;
++
++      if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
++              return NULL;
++      pamsshagentauth_strlcpy(ret, alg, rlen);
++      pamsshagentauth_strlcat(ret, ":", rlen);
++      if (dgst_raw_len == 0)
++              return ret;
++      if ((r = pamsshagentauth___b64_ntop(dgst_raw, dgst_raw_len,
++          ret + plen, rlen - plen)) == -1) {
++              explicit_bzero(ret, rlen);
++              free(ret);
++              return NULL;
++      }
++      /* Trim padding characters from end */
++      ret[strcspn(ret, "=")] = '\0';
++      return ret;
++}
++
++static char *
+ key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
+ {
+       char *retval;
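Review bot: key_fingerprint_b64() returns NULL both on the `dgst_raw_len > 65536` bound and on calloc() failure, which differs from the surrounding code's pamsshagentauth_xfree()/fatal() style, so every caller now has to cope with a NULL fingerprint; either document that or fatal() here like the rest of key.c. It also calls explicit_bzero() while the later hunk in the same file zeroes with `memset(dgst_raw, 0, dgst_raw_len)`; confirm explicit_bzero is available from libc or the openbsd-compat layer on all supported targets, or use the same idiom as the surrounding code. The buffer arithmetic is sound: ((n + 2) / 3) * 4 base64 characters plus strlen(alg) + 1 for the "SHA256:" prefix and one NUL, and trimming with `ret[strcspn(ret, "=")] = '\0'` is safe because neither the algorithm name nor the base64 alphabet contains '='.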
+@@ -405,6 +427,7 @@ key_fingerprint_bubblebabble(u_char *dgs
+ char *
+ pamsshagentauth_key_fingerprint(const Key *k, enum fp_type dgst_type, enum 
fp_rep dgst_rep)
+ {
++      const char *dgst_name;
+       char *retval = NULL;
+       u_char *dgst_raw;
+       u_int dgst_raw_len;
+@@ -416,6 +439,16 @@ pamsshagentauth_key_fingerprint(const Ke
+       case SSH_FP_HEX:
+               retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
+               break;
++      case SSH_FP_BASE64:
++              switch (dgst_type) {
++              case SSH_FP_SHA256:
++                      dgst_name = "SHA256";
++                      break;
++              default:
++                      goto done;
++              }
++              retval = key_fingerprint_b64(dgst_name, dgst_raw, dgst_raw_len);
++              break;
+       case SSH_FP_BUBBLEBABBLE:
+               retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
+               break;
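Review bot: The inner `default: goto done;` in the new SSH_FP_BASE64 case silently leaves retval NULL for any digest type other than SSH_FP_SHA256, with nothing written to the log, whereas the equivalent `default:` in key_fingerprint_raw() above calls pamsshagentauth_fatal(). A pamsshagentauth_logit() or error call before the goto would make a mismatched (dgst_type, dgst_rep) combination visible in the PAM log instead of surfacing only as a NULL fingerprint in the caller.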
+@@ -424,6 +457,7 @@ pamsshagentauth_key_fingerprint(const Ke
+                   dgst_rep);
+               break;
+       }
++ done:
+       memset(dgst_raw, 0, dgst_raw_len);
+       pamsshagentauth_xfree(dgst_raw);
+       return retval;
+Index: pam-ssh-agent-auth-0.10.3/pam_user_key_allowed2.c
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/pam_user_key_allowed2.c
++++ pam-ssh-agent-auth-0.10.3/pam_user_key_allowed2.c
+@@ -102,7 +102,7 @@ pamsshagentauth_check_authkeys_file(FILE
+             found_key = 1;
+             pamsshagentauth_logit("matching key found: file/command %s, line 
%lu", file,
+                                   linenum);
+-            fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, 
SSH_FP_HEX);
++            fp = pamsshagentauth_key_fingerprint(found, SSH_FP_SHA256, 
SSH_FP_BASE64);
+             pamsshagentauth_logit("Found matching %s key: %s",
+                                   pamsshagentauth_key_type(found), fp);
+             pamsshagentauth_xfree(fp);
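Review bot: After this change `fp` can be NULL, because key_fingerprint_b64() returns NULL when calloc() fails and pamsshagentauth_key_fingerprint() jumps to `done:` with retval still NULL for an unsupported digest type; this line then passes that NULL to a `%s` conversion and to pamsshagentauth_xfree(), which, if it follows OpenSSH's xfree(), treats a NULL argument as fatal. Guard the two calls, e.g. `if (fp != NULL) { pamsshagentauth_logit(...); pamsshagentauth_xfree(fp); }`, and log a fixed string for the NULL case so the matching-key event is still recorded.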
+Index: pam-ssh-agent-auth-0.10.3/key.h
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/key.h
++++ pam-ssh-agent-auth-0.10.3/key.h
+@@ -50,6 +50,7 @@ enum fp_type {
+ };
+ enum fp_rep {
+       SSH_FP_HEX,
++      SSH_FP_BASE64,
+       SSH_FP_BUBBLEBABBLE
+ };
+ 
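Review bot: SSH_FP_BASE64 is inserted between SSH_FP_HEX and SSH_FP_BUBBLEBABBLE, which renumbers SSH_FP_BUBBLEBABBLE; that is harmless as long as no enum value is serialised or compared against a hard-coded number, but appending the new value after SSH_FP_BUBBLEBABBLE would avoid changing existing values for any out-of-tree code compiled against key.h.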
diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/series 
pam-ssh-agent-auth-0.10.3/debian/patches/series
--- pam-ssh-agent-auth-0.10.3/debian/patches/series     2020-04-10 
18:48:24.000000000 +0200
+++ pam-ssh-agent-auth-0.10.3/debian/patches/series     2022-03-17 
15:31:12.000000000 +0100
@@ -2,3 +2,4 @@
 openssl-1.1.1-1.patch
 openssl-1.1.1-2.patch
 lp1869512.patch
+fingerprint_sha256.patch

--- End Message ---
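The two fingerprint forms the patch switches between, as an added example that is not part of the bug report or of the pam-ssh-agent-auth code: it computes the legacy colon-separated MD5 hex form and the "SHA256:" unpadded-base64 form printed by ssh-keygen -l for a constructed (not real) ed25519 key, and checks a recorded fingerprint in either form, which is useful when comparing log lines written before and after the change. It assumes a plain authorized_keys line without an options prefix.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: an ssh-ed25519 public key whose 32 raw key bytes are
# 0x00..0x1f. Not a real key; it only exercises the wire format and hashing.
SAMPLE_AUTHORIZED_KEYS_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " constructed@example"

def key_blob_from_line(line: str) -> bytes:
    """Public key blob from a plain 'type base64 comment' authorized_keys line
    (assumption: no options prefix such as command= in front of the type)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an authorized_keys entry")
    blob = base64.b64decode(fields[1], validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != fields[0].encode():
        raise ValueError("key type field does not match the blob")
    return blob

def fingerprint_md5_hex(blob: bytes) -> str:
    """Legacy form logged before the patch: colon-separated lowercase MD5 hex."""
    # usedforsecurity=False keeps this callable on FIPS-restricted Python builds.
    digest = hashlib.md5(blob, usedforsecurity=False).digest()
    return ":".join(f"{b:02x}" for b in digest)

def fingerprint_sha256_b64(blob: bytes) -> str:
    """Form ssh-keygen -l prints since OpenSSH 6.8: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    # The patch's key_fingerprint_b64() cuts the '=' padding with strcspn();
    # rstrip('=') is the same operation on the 44-character encoding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_matches(blob: bytes, recorded: str) -> bool:
    """Check a recorded fingerprint in either format against a key, so that
    log lines or allow-lists written before and after the change both verify."""
    recorded = recorded.strip()
    if recorded[:7].upper() == "SHA256:":
        return fingerprint_sha256_b64(blob) == "SHA256:" + recorded[7:].rstrip("=")
    if recorded[:4].upper() == "MD5:":
        recorded = recorded[4:]
    return fingerprint_md5_hex(blob) == recorded.lower()
```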
--- Begin Message ---
Source: pam-ssh-agent-auth
Source-Version: 0.10.3-8
Done: Petter Reinholdtsen <p...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pam-ssh-agent-auth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1008...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <p...@debian.org> (supplier of updated pam-ssh-agent-auth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 16 Apr 2024 20:25:51 +0200
Source: pam-ssh-agent-auth
Architecture: source
Version: 0.10.3-8
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Petter Reinholdtsen <p...@debian.org>
Closes: 1008675
Changes:
 pam-ssh-agent-auth (0.10.3-8) unstable; urgency=medium
 .
   * QA upload.
 .
   * Updated vcs in d/control to Salsa.
   * Added d/gbp.conf to enforce the use of pristine-tar.
   * Updated Standards-Version from 4.6.2 to 4.7.0.
   * Removed no longer relevant branch information from d/gbp.conf.
   * Enabled hardening in d/rules.
   * Added 1000-clean-ed25519.patch to make source rebuildable.
   * Switched key fingerprint hash algorithm from MD5 to SHA256. (Closes: #1008675)



--- End Message ---
