Focal verification
[INSTALLED PKG VERSION]
chlo@BIG-HAL:~$ apt-cache policy openssh-server
openssh-server:
Installed: 1:8.2p1-4ubuntu0.4
Candidate: 1:8.2p1-4ubuntu0.4
Version table:
*** 1:8.2p1-4ubuntu0.4 400
400 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
100 /var/lib/dpkg/status
1:8.2p1-4ubuntu0.3 500
500 http://gb.archive.ubuntu.com/ubuntu focal-updates/main amd64
Packages
1:8.2p1-4ubuntu0.2 500
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
1:8.2p1-4 500
500 http://gb.archive.ubuntu.com/ubuntu focal/main amd64 Packages
[PROCEDURE]
Create the keys/certs needed
``ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca`` (no passphrase)
``ssh-keygen -f ssh_host_rsa_key -N '' -b 4096 -t rsa``
``ssh-keygen -s host_ca -I localhost -h -n localhost -V +52w
ssh_host_rsa_key.pub``
Copied ssh_host_rsa_key* files over to /etc/ssh and added the following to
/etc/ssh/sshd_config
``HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub``
Restarted sshd using systemctl and added ``@cert-authority localhost
ssh-rsa abcdefg`` (ssh-rsa abcdefg is the contents of host_ca.pub) to
~/.ssh/known_hosts
Finally, running
ssh -vv chlo@localhost 2>&1 | grep "Server"
debug1: Server host certificate: ssh-rsa-cert-...@openssh.com
SHA256:s2gq1xBSdetCarwElgQd0NbjJbiE3iLDxFtJqDhBFF4, serial 0 ID "localhost" CA
ssh-rsa SHA256:v8ZgezKD9Zw/Ns8I0W6mfvxCAo9jv3WznUYAFhfPfCU valid from
2022-01-05T22:46:00 to 2023-01-04T22:47:11
debug2: Server host certificate hostname: localhost
which tells us the certificate was seen and used
** Tags removed: verification-needed-hirsute verification-needed-impish
** Tags added: verification-done-hirsute verification-done-impish
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1952421
Title:
Issue on sshd finds correct private key for a certificate when using
ssh-agent
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Focal:
Fix Committed
Status in openssh source package in Hirsute:
Fix Committed
Status in openssh source package in Impish:
Fix Committed
Bug description:
Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream
[Impact]
* HostCertificate and HostKeyAgent are not working together in sshd due
to a mismatched certificate's public key and private key. The function `
`sshkey_equal_public()`` incorrectly compares the certificate's public
key with a private key, never finding a match. The impact is that sshd
cannot use said certificate *even though* its private key is indeed in
ssh-agent.
* What it should do is compare the certificate's public key with a
public key in `sensitive_data`.
* Having this SRU-ed is a direct ask from one of the major cloud partners.
They are currently using a customised version of the package to work
around this issue, and we would like them to use a package directly from
our own archive.
* Looping through sensitive_data.host_pubkeys[j] *instead* of
sensitive_data.host_keys[j] fixes the issue
[https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936]
/* Find matching private key */
for (j = 0; j < options.num_host_key_files; j++) {
if (sshkey_equal_public(key,
sensitive_data.host_keys[j])) {
sensitive_data.host_certificates[j] = key;
break;
}
}
vs.
/* Find matching private key */
for (j = 0; j < options.num_host_key_files; j++) {
if (sshkey_equal_public(key,
sensitive_data.host_pubkeys[j])) {
sensitive_data.host_certificates[j] = key;
break;
}
}
[Test Plan]
* Due to the empirical nature of this bug, the test is quite straight
forward. *Without* the fix, one cannot use certificates to authenticate
successfully (e.g. ``sshd -c /path/to/certificate.pem``)
whereas with the fix (assuming the certificate matches a host key) you
can create a channel.
[Where problems could occur]
* This has already been fixed both upstream and in Jammy without issue.
However, if a regression where to happen it would probably be in one of
two ways:
* A dependency/reverse-dependency issue stemming from the version
bump that will happen if this fix is ported. We mitigate this risk
by testing for these exact types of regression,
and by selecting carefully what to label this new version.
* Accidentally breaking a set up that was made to work around this
bug in the first place. The risk of this is lower, as the most
likely fix is the one being implemented here anyway. Though
to mitigate this more we can describe exactly what is happening
with the fix in the changelog.
This affects every version of openssh back until Focal, at least.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
