[Bug 1668093] Re: ssh-keygen -H corrupts already hashed entries

ChristianEhrhardt 1668093 at bugs.launchpad.net
Wed Mar 15 18:59:06 UTC 2017 

I did prepare in Bileto:
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2585
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2586

Associated autopkgtests ran fine:
https://bileto.ubuntu.com/excuses/2585/xenial.html

Also the openssh tests of the QA Test suite (https://git.launchpad.net
/qa-regression-testing) ran fine in Xenial/Yakkety VMs.

And finally the test for the explicit issue we are fixing here was
confirmed to be fixed on the Bileto PPAs.

Adding SRU Template now, but unfortunately (no core dev) I can't sponsor them myself, but the debdiff to do so can be picked from the tested Bileto ppas at:
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_39a8dbb93caf4ec889f8a1b7f69885db/bileto-2585/2017-03-15_13:33:40/xenial_openssh_content.diff
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_39a8dbb93caf4ec889f8a1b7f69885db/bileto-2586/2017-03-15_13:33:46/yakkety_openssh_content.diff

Eventually for Sponsorsing the easiest might be via bileto itself, IIRC one with permissions could also just hit "publish" on the two tickets - that might be the easiest way:
https://bileto.ubuntu.com/#/ticket/2585
https://bileto.ubuntu.com/#/ticket/2586

The autopkgtest showed some issues I want to look into first, therefore
(except if you know all these) do not sponsor yet. That also gives us
time to have the fixed sync to appear in zesty.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1668093

Title:
  ssh-keygen -H corrupts already hashed entries

Status in openssh package in Ubuntu:
  Fix Committed
Status in openssh source package in Xenial:
  Triaged
Status in openssh source package in Yakkety:
  Triaged
Status in openssh package in Debian:
  Fix Released

Bug description:
  [Impact]

   * re-execution of ssh-keygen -H can clobber known-hosts
   * Due to that users might get spurious re-warnings of known systems. For Automation it might be worse as it might stop to work when re-executed.

   * This is a regression from Trusty (working) to Xenial (fail) upgrade
  due to an upstream bug in the versions we merged.

   * This is a backport of the upstream fix

  [Test Case]

   * Pick a Host IP to scan keys from that you can reach and replies with SSH, then run the following trivial loop:
    $ ssh-keyscan ${IP} > ~/.ssh/known_hosts; for i in $(seq 1 20); do ssh-keygen -H; diff -Naur ~/.ssh/known_hosts.old ~/.ssh/known_hosts; done

   * Expected: no diff reported, since already hashed entries should be left as-is
   * Without fix: - diff in the hashes

  [Regression Potential]

   * The fix is upstream and soon in Debian as well, so we are not
  custom diverting here.

   * The risk should be minimal as this only changes ssh-keygen so
  despite openssh being really critical this doesn't affect ssh itself
  at all.

  [Other Info]
   
   * n/a

  
  ---

  xenial @ 1:7.2p2-4ubuntu2.1 on amd64 has this bug. trusty @
  1:6.6p1-2ubuntu2.8 on amd64 does not have this bug. I have not tested
  any other ssh versions.

  The following should reproduce the issue:

  #ssh-keyscan XXXX > ~/.ssh/known_hosts
  # ssh root at XXXXX
  Permission denied (publickey).
  # ssh-keygen -H
  /root/.ssh/known_hosts updated.
  Original contents retained as /root/.ssh/known_hosts.old
  WARNING: /root/.ssh/known_hosts.old contains unhashed entries
  Delete this file to ensure privacy of hostnames
  # ssh root at XXXXXX
  Permission denied (publickey).
  # ssh-keygen -H
  /root/.ssh/known_hosts updated.
  Original contents retained as /root/.ssh/known_hosts.old
  WARNING: /root/.ssh/known_hosts.old contains unhashed entries
  Delete this file to ensure privacy of hostnames
  # ssh root at XXXXX
  The authenticity of host 'XXXXXX' can't be established.
  RSA key fingerprint is XXXXXX.
  Are you sure you want to continue connecting (yes/no)?

  # diff known_hosts.old known_hosts
  1c1
  < |1|BoAbRpUE3F5AzyprJcbjdepeDh8=|x/1AcaLxh45FlShmVQnlgx2qjxY= XXXXX
  ---
  > |1|nTPsoLxCugQyZi3pqOa2pc/cX64=|bUH5qwZlZPp8msMGHdLtslf3Huk= XXXXX

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1668093/+subscriptions

More information about the foundations-bugs mailing list