[Bug 1581487] [NEW] Openssh update silently deletes CA certificates / public keys from known_hosts

Def definitelynotafed at gmail.com
Fri May 13 11:52:31 UTC 2016 

Public bug reported:

Presumably linked to the two references [1,2] below, following a recent
update to openssh-client on 14.04, the certificates / public keys for my
SSH CAs were silently removed from my known_hosts file.

This behaviour was repeated across two out of two machines on which I
use SSH certificates.

The code[1] indicates that the existing known_hosts file should be moved
to known_hosts.old prior to old host keys being rotated.  A
known_hosts.old file was found in the .ssh directory, still containing
the CA certificates.

The changelog states that this rotation of host keys will only occur
when UpdateHostkeys is turned on in ssh_config.  This directive was not
defined in either of my ssh_config files.


[1] http://bxr.su/OpenBSD/usr.bin/ssh/hostfile.c#hostfile_replace_entries
[2] https://launchpad.net/ubuntu/wily/+source/openssh/+changelog

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: openssh-server 1:6.6p1-2ubuntu2.7
ProcVersionSignature: Ubuntu 3.13.0-85.129-generic 3.13.11-ckt36
Uname: Linux 3.13.0-85-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.19
Architecture: amd64
CurrentDesktop: Unity
Date: Fri May 13 12:39:11 2016
InstallationDate: Installed on 2014-09-09 (612 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.ssh.override: manual

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug trusty

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1581487

Title:
  Openssh update silently deletes CA certificates / public keys from
  known_hosts

Status in openssh package in Ubuntu:
  New

Bug description:
  Presumably linked to the two references [1,2] below, following a
  recent update to openssh-client on 14.04, the certificates / public
  keys for my SSH CAs were silently removed from my known_hosts file.

  This behaviour was repeated across two out of two machines on which I
  use SSH certificates.

  The code[1] indicates that the existing known_hosts file should be
  moved to known_hosts.old prior to old host keys being rotated.  A
  known_hosts.old file was found in the .ssh directory, still containing
  the CA certificates.

  The changelog states that this rotation of host keys will only occur
  when UpdateHostkeys is turned on in ssh_config.  This directive was
  not defined in either of my ssh_config files.


  [1] http://bxr.su/OpenBSD/usr.bin/ssh/hostfile.c#hostfile_replace_entries
  [2] https://launchpad.net/ubuntu/wily/+source/openssh/+changelog

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: openssh-server 1:6.6p1-2ubuntu2.7
  ProcVersionSignature: Ubuntu 3.13.0-85.129-generic 3.13.11-ckt36
  Uname: Linux 3.13.0-85-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.19
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri May 13 12:39:11 2016
  InstallationDate: Installed on 2014-09-09 (612 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: openssh
  UpgradeStatus: No upgrade log present (probably fresh install)
  upstart.ssh.override: manual

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1581487/+subscriptions

More information about the foundations-bugs mailing list