Please investigate the gvfs autopkgtests failures for impish and focal as these are blocking the release of openssh for those releases and subsequently the release for bionic too.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1966591 Title: ssh-keygen -R changes known_hosts file permissions (mode) Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Fix Committed Status in openssh source package in Focal: Fix Committed Status in openssh source package in Impish: Fix Released Status in openssh source package in Jammy: Fix Released Bug description: [Impact] When using "ssh-keygen -R" to remove a host from "known_hosts" the command changes permissions on the file. This can cause problems particularly when used on the global "known_hosts" file (/etc/ssh/ssh_known_hosts), because then only root can read it. Programs running non-interactively as non-root users suddenly fail to SSH and it's not immediately obvious why. [Test Plan] The problem happens on Bionic and Focal. $ lxc launch ubuntu-daily:focal openssh-bug1966591 $ lxc shell openssh-bug1966591 # ssh-keyscan github.com > test_known_hosts # chmod 644 test_known_hosts # ssh-keygen -R github.com -f test_known_hosts # stat test_known_hosts ... Access: (0600/-rw-------) ... ... [Where problems could occur] The upstream patch is very simple and it is unlikely that it will cause any regressions. An indirect problem that could occur is that users might expect to see a more strict set of permissions on a "known_hosts" file after using "ssh-keygen -R", but arguably this is not defined behaviour and should not be relied upon. Of course, there is always a (very) small risk of introducing problems when rebuilding packages using newer versions of its dependencies (especially on Bionic, because it's older). [Original Description] When I use ssh-keygen -R to remove a host from known_hosts it changes permissions on the file. This causes problems particularly when used on the global known hosts file (/etc/ssh/ssh_known_hosts), because then only root can read it. Programs running non-interactively as non- root users suddenly fail to SSH and it's not immediately obvious why. To reproduce: $ ssh-keyscan github.com >test_known_hosts $ chmod 741 test_known_hosts $ ssh-keygen -R github.com -f test_known_hosts $ stat test_known_hosts ... Access: (0600/-rw-------) ... Expected behavior: file permissions remain unchanged (mode 0741 in this example). $ lsb_release -rd Description: Ubuntu 18.04.6 LTS Release: 18.04 $ apt-cache policy openssh-client openssh-client: Installed: 1:7.6p1-4ubuntu0.6 To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1966591/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
