ssh_config(5) contains outdated information

Bug #1871465 reported by iBug
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssh (Ubuntu) | Fix Released | Low | Unassigned | |
| Focal | Fix Released | Wishlist | Michał Małoszewski | |
| Hirsute | Won't Fix | Wishlist | Michał Małoszewski | |
| Impish | Won't Fix | Wishlist | Michał Małoszewski | |

Bug Description

[Impact]

The problem here is straightforward.
The case is to fix manpages. They need to reflect a change done to the code some time ago. That problem might be annoying for users before being fixed.

Backport upstream fix to Focal
Origin:
https://github.com/openssh/openssh-portable/commit/53ea05e09b04fd7b6dea66b42b34d65fe61b9636

[Test Plan]

Make a container for testing:

First option:
$ lxc launch ubuntu:focal focal-test
$ lxc shell focal-test

Simply install the openssh package using ‘apt install’ and check ssh_config and sshd_config.

Actual results:

1. Create a container using steps from above.
2. Type in man ssh_config and check that as well as the sshd_config.
3. You should spot the ssh-rsa entries in the manpage within the CASignatureAlgorithms section.

Expected results:

1. Create a container using steps from above.
2. Type in man ssh_config and check that as well as the sshd_config.
3. You shouldn't spot the ssh-rsa entries in the manpage within the CASignatureAlgorithms section.

[Where problems could occur]

Any code change might change the behavior of the package in a specific situation and cause other errors.

Next things which might cause regression are new dependencies which might not align and it is obvious the dependencies are upgraded and it might be a problem, but it is really unlikely.

Not even the rather generic cases above apply here, as we only change non-functional content in the form of the man page; therefore the only risk comes from rebuilding the package, which could pick up something from e.g. a changed toolchain.

[Other Info]

Fixing this is nice for the users, but OTOH very low severity and would cause a package download and update on almost every Ubuntu in the world. Therefore we will mark this as block-proposed and keep it in focal-proposed so that a later real update (security or functional) will pick this up from -proposed and then fix it in the field for real.

----------------------------original report-------------------------------

The release of OpenSSH 8.2 has removed `ssh-rsa` from the default list of CACertificateAlgorithms. However the latest `openssh-client` still ships the man page for ssh_config(5) that contains the following description:

     CASignatureAlgorithms
             Specifies which algorithms are allowed for signing of certificates
             by certificate authorities (CAs). The default is:

                   ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                   ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

             ssh(1) will not accept host certificates signed using algorithms
             other than those specified.

As far as I am concerned, `ssh-rsa` should be dropped from the list so as to match the behavior of ssh(1).


iBug (ibugone)
description: updated
Changed in openssh (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Athos Ribeiro (athos-ribeiro) wrote :

This has been fixed upstream, as shown in [1] and is available in jammy.

[1] https://github.com/openssh/openssh-portable/commit/53ea05e09b04fd7b6dea66b42b34d65fe61b9636

Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
Paride Legovini (paride) wrote :

As the fix is in Jammy I think we can mark the devel task as Fix Released.

I doubt this is SRU material as the impact of the bug is really low; maybe it could be done with a staged upload [1]. I'm marking the SRU tasks as Triaged as the bug is well understood.

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Staging_an_upload

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
Changed in openssh (Ubuntu Focal):
status: New → Triaged
Changed in openssh (Ubuntu Hirsute):
status: New → Triaged
Changed in openssh (Ubuntu Impish):
status: New → Triaged
Changed in openssh (Ubuntu Focal):
importance: Undecided → Wishlist
Changed in openssh (Ubuntu Hirsute):
importance: Undecided → Wishlist
Changed in openssh (Ubuntu Impish):
importance: Undecided → Wishlist
tags: added: bitesize
Changed in openssh (Ubuntu Focal):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in openssh (Ubuntu Hirsute):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in openssh (Ubuntu Impish):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Michał Małoszewski (michal-maloszewski99) wrote :

Both Hirsute and Impish are End of Life.
So there is no possibility to fix these ones.

Change will be SRUd to Focal for sure.

Changed in openssh (Ubuntu Hirsute):
status: Triaged → Won't Fix
Changed in openssh (Ubuntu Impish):
status: Triaged → Won't Fix
Michał Małoszewski (michal-maloszewski99) wrote :

MP in inner review for some days

tags: added: block-proposed
description: updated
Christian Ehrhardt (paelzer) wrote :

With Michal: Marked block-proposed, added SRU content, re-reviewed and sponsored the upload to Focal-unapproved.

Robie Basak (racb) wrote :

> Fixing this is nice for the users, but OTOH very low severity and would cause a package download and update on almost every Ubuntu in the world. Therefore we will mark this as block-proposed and keep it in focal-proposed so that a later real update (security or functional) will pick this up from -proposed and then fix it in the field for real.

Note that then the tag should be block-proposed-focal, not block-proposed.

tags: added: block-proposed-focal
removed: block-proposed
Robie Basak (racb) wrote : Please test proposed package

Hello iBug, or anyone else affected,

Accepted openssh into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:8.2p1-4ubuntu0.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssh (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-focal
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:8.2p1-4ubuntu0.6)

All autopkgtests for the newly accepted openssh (1:8.2p1-4ubuntu0.6) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.44.1-1ubuntu1.1 (arm64, amd64, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Michał Małoszewski (michal-maloszewski99) wrote :

Retriggered tests and no regressions now.

description: updated
description: updated
description: updated
Michał Małoszewski (michal-maloszewski99) wrote :

First of all, I have changed the SRU description in the 'Test Plan' section a bit, to be more precise. We could assume the fix didn't work if I had left it as it was before.
I've added information that we should look for the changes within the specific area in the manpage, so the steps are obvious now.

Fix works, package 1:8.2p1-4ubuntu0.6 fixes the bug.

I've created the focal container using steps from the [Test Plan] section listed above in the Bug Description and inside that container I typed in:

$ apt policy openssh-server

The output:

  Installed: 1:8.2p1-4ubuntu0.5
  Candidate: 1:8.2p1-4ubuntu0.6
  Version table:
     1:8.2p1-4ubuntu0.6 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
 *** 1:8.2p1-4ubuntu0.5 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.2p1-4ubuntu0.2 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     1:8.2p1-4 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

Then I have typed in:

$ man sshd_config
and
$ man ssh_config

I've noticed that nothing has changed there and ssh-rsa entries still exist in the manpage within the CASignatureAlgorithms section. So the problem still existed, because as we could see in the output, the package version was not the one where the fix is.

Then I've upgraded both openssh-server and openssh-client using:
$ apt install openssh-server=1:8.2p1-4ubuntu0.6
$ apt install openssh-client=1:8.2p1-4ubuntu0.6

Later I've typed in:

$ apt policy openssh-server
to check if installed version is changed and we see that we have new version installed (with fix)

  Installed: 1:8.2p1-4ubuntu0.6
  Candidate: 1:8.2p1-4ubuntu0.6
  Version table:
 *** 1:8.2p1-4ubuntu0.6 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.2p1-4ubuntu0.5 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
     1:8.2p1-4ubuntu0.2 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     1:8.2p1-4 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

Finally when I opened the manpage, typing:
$ man ssh_config

the problem did not exist, so the fix works.
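
The manpage check from the [Test Plan] and from the verification above can be scripted instead of read by eye. The following is an added shell example, not part of the bug report or of the openssh package: the function names and both sample texts are constructed here, and `check_live` assumes `man`, `col` and the ssh client are installed in the test container.

```shell
#!/bin/sh
# Added example: does the CASignatureAlgorithms man page entry still list ssh-rsa?

# Print only the CASignatureAlgorithms entry from rendered man page text on stdin.
# The entry ends at the next keyword line with the same (or smaller) indentation.
ca_sig_section() {
    awk '
        /^ +CASignatureAlgorithms *$/ { insec = 1; match($0, /^ +/); ind = RLENGTH; print; next }
        insec && /^ *$/ { print; next }
        insec { match($0, /^ +/); if (RLENGTH <= ind) exit; print }
    '
}

# Exit 0 if ssh-rsa appears as a whole algorithm name inside that entry.
manpage_lists_ssh_rsa() {
    ca_sig_section | tr -s ' ,' '\n\n' | grep -qx 'ssh-rsa'
}

# Live check for the test container. ssh -G prints the effective client
# configuration, which is the list ssh(1) actually enforces.
check_live() {
    for page in ssh_config sshd_config; do
        if man "$page" | col -b | manpage_lists_ssh_rsa; then
            echo "$page(5): ssh-rsa listed"
        else
            echo "$page(5): ssh-rsa not listed"
        fi
    done
    ssh -G localhost | grep -i '^casignaturealgorithms'
}

# Constructed sample: the entry as quoted in the original report, followed by a
# made-up neighbouring entry that mentions ssh-rsa and must not be counted.
SAMPLE_OLD='     CASignatureAlgorithms
             Specifies which algorithms are allowed for signing of certificates
             by certificate authorities (CAs). The default is:

                   ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                   ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

             ssh(1) will not accept host certificates signed using algorithms
             other than those specified.

     CertificateFile
             Constructed filler text that mentions ssh-rsa outside the entry.'
# Constructed sample: the same text with ssh-rsa dropped from the default list.
SAMPLE_NEW=$(printf '%s\n' "$SAMPLE_OLD" | sed 's/,rsa-sha2-256,ssh-rsa$/,rsa-sha2-256/')

printf '%s\n' "$SAMPLE_OLD" | manpage_lists_ssh_rsa && echo "pre-fix sample: ssh-rsa listed"
printf '%s\n' "$SAMPLE_NEW" | manpage_lists_ssh_rsa || echo "post-fix sample: ssh-rsa not listed"
```

Run `check_live` inside the focal container before and after installing 1:8.2p1-4ubuntu0.6 to compare what the man pages document with what the client reports.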

tags: added: verification-done-focal
removed: verification-needed-focal
Paride Legovini (paride) wrote :

This popped up in triage as a stale bug, but looks like everything looks good here: openssh 1:8.2p1-4ubuntu0.6 is in focal-proposed, verification is done, migration is blocked by the block-proposed-focal tag (staged SRU).

Lena Voytek (lvoytek) wrote :

Unblocking since the fix for (LP: #2012298) is now available

tags: added: verification-done
removed: block-proposed-focal verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:8.2p1-4ubuntu0.7

---------------
openssh (1:8.2p1-4ubuntu0.7) focal; urgency=medium

  * d/p/lp2012298-upstream-fix-match-in-d-config.patch: Allow ssh_config.d/
    configuration files to correctly update the PasswordAuthentication setting
    (LP: #2012298)

 -- Lena Voytek <email address hidden> Mon, 03 Apr 2023 15:47:13 -0700

Changed in openssh (Ubuntu Focal):
status: Fix Committed → Fix Released