Thanks Colin, I have new bileto tickets with all the fixes prepared:

Xenial:  https://bileto.ubuntu.com/#/ticket/2597
Yakkety: https://bileto.ubuntu.com/#/ticket/2598
Although things looked good on testing at first (local amd64), you can see there that arm and s390x seem to fail now.

ARM:
  run test connect.sh ...
  ssh-keygen -lf /tmp/autopkgtest.U8eLXQ/autopkgtest_tmp/tree/regress/t12.out.pub | grep test-comment-1234 >/dev/null
  ssh connect with protocol 2 failed
  make: *** [t-exec] Error 1
  failed simple connect

s390x:
  run test forwarding.sh ...
  failed copy of /bin/ls
  cmp: EOF on /data/adttmp/autopkgtest-virt-lxc.shared.j0fd9gxe/downtmp/autopkgtest_tmp/tree/regress/copy
  corrupted copy of /bin/ls
  failed local and remote forwarding

These reproduce in 4/4 cases :-/

Then I checked history and it seems those are accepted and ignored cases all through Xenial/Yakkety. See:
  http://autopkgtest.ubuntu.com/packages/openssh/xenial/armhf
  http://autopkgtest.ubuntu.com/packages/openssh/yakkety/armhf
  http://autopkgtest.ubuntu.com/packages/openssh/xenial/s390x
  http://autopkgtest.ubuntu.com/packages/openssh/yakkety/s390x

Same failure since:
  - Xenial openssh 1:7.2p2-4ubuntu2.1
  - Yakkety systemd/231-3

That said, Colin, would you mind sponsoring by hitting "publish" on those two tickets after you have synced the latest Debian to Zesty?

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1668093

Title:
  ssh-keygen -H corrupts already hashed entries

Status in openssh package in Ubuntu:
  Fix Committed
Status in openssh source package in Xenial:
  Triaged
Status in openssh source package in Yakkety:
  Triaged
Status in openssh package in Debian:
  Fix Released

Bug description:
  [Impact]

   * Re-execution of ssh-keygen -H can clobber known_hosts.
   * Due to that, users might get spurious re-warnings about known systems. For automation it might be worse, as it might stop working when re-executed.
   * This is a regression from Trusty (working) to Xenial (failing) on upgrade, due to an upstream bug in the versions we merged.
   * This is a backport of the upstream fix.

  [Test Case]

   * Pick a host IP to scan keys from that you can reach and that replies with SSH, then run the following trivial loop:

     $ ssh-keyscan ${IP} > ~/.ssh/known_hosts; for i in $(seq 1 20); do ssh-keygen -H; diff -Naur ~/.ssh/known_hosts.old ~/.ssh/known_hosts; done

   * Expected: no diff reported, since already hashed entries should be left as-is.
   * Without fix:
     - diff in the hashes

  [Regression Potential]

   * The fix is upstream and soon in Debian as well, so we are not custom diverting here.
   * The risk should be minimal as this only changes ssh-keygen, so despite openssh being really critical this doesn't affect ssh itself at all.

  [Other Info]

   * n/a

  ---

  xenial @ 1:7.2p2-4ubuntu2.1 on amd64 has this bug.
  trusty @ 1:6.6p1-2ubuntu2.8 on amd64 does not have this bug.
  I have not tested any other ssh versions.

  The following should reproduce the issue:

    # ssh-keyscan XXXX > ~/.ssh/known_hosts
    # ssh root@XXXXX
    Permission denied (publickey).
    # ssh-keygen -H
    /root/.ssh/known_hosts updated.
    Original contents retained as /root/.ssh/known_hosts.old
    WARNING: /root/.ssh/known_hosts.old contains unhashed entries
    Delete this file to ensure privacy of hostnames
    # ssh root@XXXXXX
    Permission denied (publickey).
    # ssh-keygen -H
    /root/.ssh/known_hosts updated.
    Original contents retained as /root/.ssh/known_hosts.old
    WARNING: /root/.ssh/known_hosts.old contains unhashed entries
    Delete this file to ensure privacy of hostnames
    # ssh root@XXXXX
    The authenticity of host 'XXXXXX' can't be established.
    RSA key fingerprint is XXXXXX.
    Are you sure you want to continue connecting (yes/no)?
    # diff known_hosts.old known_hosts
    1c1
    < |1|BoAbRpUE3F5AzyprJcbjdepeDh8=|x/1AcaLxh45FlShmVQnlgx2qjxY= XXXXX
    ---
    > |1|nTPsoLxCugQyZi3pqOa2pc/cX64=|bUH5qwZlZPp8msMGHdLtslf3Huk= XXXXX

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1668093/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
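The known_hosts hashing that the test case above exercises, as an added Python example (not part of the bug report, the Ubuntu packaging, or OpenSSH's own code): a hashed host field is |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)), a correct "ssh-keygen -H" pass leaves fields that already carry the |1| marker alone, and hashing such a field a second time (the behaviour the bug report's diff shows) produces an entry that no longer matches the host. The sample known_hosts line, its key blob and the fixed salt are constructed; lines with @-markers or comma-separated host lists are not handled.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # marker OpenSSH puts in front of hashed host fields
SALT_LEN = 20        # salt length, matching the SHA-1 output size

def hash_hostname(hostname: str, salt: bytes) -> str:
    """Return the hashed host field |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def is_hashed(host_field: str) -> bool:
    return host_field.startswith(HASH_MAGIC)

def host_matches(host_field: str, hostname: str) -> bool:
    """True if a plain or hashed known_hosts host field refers to hostname."""
    if not is_hashed(host_field):
        return host_field == hostname
    _, _, salt_b64, digest_b64 = host_field.split("|", 3)
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))

def hash_line(line: str, skip_hashed: bool, salt: bytes = b"") -> str:
    """Hash one single-host known_hosts line; skip_hashed=False reproduces the bug."""
    host, sep, rest = line.partition(" ")
    if skip_hashed and is_hashed(host):
        return line  # fixed behaviour: an already hashed entry is left untouched
    return hash_hostname(host, salt or os.urandom(SALT_LEN)) + sep + rest

# Constructed sample: an unhashed keyscan-style line with a placeholder key blob.
SAMPLE_LINE = "203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlob"
FIXED_SALT = bytes(range(SALT_LEN))  # fixed salt so the demo is deterministic

def demo() -> dict:
    first = hash_line(SAMPLE_LINE, skip_hashed=True, salt=FIXED_SALT)
    fixed_again = hash_line(first, skip_hashed=True, salt=FIXED_SALT)
    buggy_again = hash_line(first, skip_hashed=False, salt=FIXED_SALT)
    return {
        "first_matches": host_matches(first.split(" ")[0], "203.0.113.10"),
        "fixed_idempotent": fixed_again == first,  # no diff, as the test case expects
        "buggy_changed": buggy_again != first,     # the diff the bug report shows
        "buggy_still_matches": host_matches(buggy_again.split(" ")[0], "203.0.113.10"),
    }
```

Running the loop from the test case against the same file should behave like repeated calls with skip_hashed=True: once the entries are hashed, the file does not change.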