[Bug 1871465] Re: ssh_config(5) contains outdated information
Michał Małoszewski
1871465 at bugs.launchpad.net
Fri Oct 14 16:01:26 UTC 2022
First of all, I have changed the SRU description in the 'Test Plan' section a bit, to be more precise. We could assume the fix didn't work if I left it as it was before.
I've added information that we should look for the changes within the specific area in the manpage, so the steps are obvious now.
Fix works, package 1:8.2p1-4ubuntu0.6 fixes the bug.
I've created the focal container using steps from the [Test Plan]
section listed above in the Bug Description and inside that container I
typed in:
$ apt policy openssh-server
The output:
  Installed: 1:8.2p1-4ubuntu0.5
  Candidate: 1:8.2p1-4ubuntu0.6
  Version table:
     1:8.2p1-4ubuntu0.6 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
 *** 1:8.2p1-4ubuntu0.5 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.2p1-4ubuntu0.2 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     1:8.2p1-4 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Then I have typed in:
$ man sshd_config
and
$ man ssh_config
I've noticed that nothing has changed there. So the problem still
existed, because as we could see in the output, the package version was
not the one where the fix is.
Then I've upgraded both openssh-server and openssh-client using:
$ apt install openssh-server=1:8.2p1-4ubuntu0.6
$ apt install openssh-client=1:8.2p1-4ubuntu0.6
Later I've typed in:
$ apt policy openssh-server
to check whether the installed version has changed, and we see that we have the new version installed (with the fix):
  Installed: 1:8.2p1-4ubuntu0.6
  Candidate: 1:8.2p1-4ubuntu0.6
  Version table:
 *** 1:8.2p1-4ubuntu0.6 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.2p1-4ubuntu0.5 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
     1:8.2p1-4ubuntu0.2 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     1:8.2p1-4 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Finally when I opened the manpage, typing:
$ man ssh_config
the problem did not exist, so the fix works.
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1871465
Title:
ssh_config(5) contains outdated information
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Focal:
Fix Committed
Status in openssh source package in Hirsute:
Won't Fix
Status in openssh source package in Impish:
Won't Fix
Bug description:
[Impact]
The problem here is straightforward.
The case is to fix manpages. They need to reflect a change done to the code some time ago. That problem might be annoying for users before being fixed.
Backport upstream fix to Focal
Origin:
https://github.com/openssh/openssh-portable/commit/53ea05e09b04fd7b6dea66b42b34d65fe61b9636
[Test Plan]
Make a container for testing:
First option:
$ lxc launch ubuntu:focal focal-test
$ lxc shell focal-test
Simply install the openssh package using ‘apt install’ and check
ssh_config and sshd_config.
Actual results:
1. Create a container using steps from above.
2. Type in man ssh_config and check that as well as the sshd_config.
3. You should spot the ssh-rsa entries in the manpage within the CASignatureAlgorithms section.
Expected results:
1. Create a container using steps from above.
2. Type in man ssh_config and check that as well as the sshd_config.
3. You shouldn't spot the ssh-rsa entries in the manpage within the CASignatureAlgorithms section.
[Where problems could occur]
Any code change might change the behavior of the package in a specific
situation and cause other errors.
Next things which might cause regression are new dependencies which
might not align and it is obvious the dependencies are upgraded and it
might be a problem, but it is really unlikely.
Not even the rather generic cases above apply here, as we only
change non-functional content in the form of the man page; therefore
the only risk is out of re-building the package which could pick up
something from e.g. a changed toolchain.
[Other Info]
Fixing this is nice for the users, but OTOH very low severity and
would cause a package download and update on almost every Ubuntu in
the world. Therefore we will mark this as block-proposed and keep it
in focal-proposed so that a later real update (security or functional)
will pick this up from -proposed and then fix it in the field for
real.
----------------------------original report-------------------------------
The release of OpenSSH 8.2 has removed `ssh-rsa` from the default list
of CACertificateAlgorithms. However the latest `openssh-client` still
ships the man page for ssh_config(5) that contains the following
description:
     CASignatureAlgorithms
             Specifies which algorithms are allowed for signing of certificates
             by certificate authorities (CAs). The default is:

                   ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                   ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

             ssh(1) will not accept host certificates signed using algorithms
             other than those specified.
As far as I am concerned, `ssh-rsa` should be dropped from the list so
as to match the behavior of ssh(1).
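
The scoped check the Test Plan calls for (look for ssh-rsa only within the CASignatureAlgorithms entry, not anywhere in the page), as an added shell example that is not part of the bug report or the openssh packaging. The function names and the embedded man page excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or the SRU test plan.

# Print only the CASignatureAlgorithms entry from rendered man page text on
# stdin: from the keyword line to the next line indented no deeper than it.
ca_section() {
    awk '
        !in_sec && NF == 1 && $1 == "CASignatureAlgorithms" {
            match($0, /[^ ]/); base = RSTART; in_sec = 1; print; next
        }
        in_sec && NF > 0 { match($0, /[^ ]/); if (RSTART <= base) exit }
        in_sec { print }
    '
}

# Exit 0 if ssh-rsa is listed as a whole algorithm name in that entry,
# 1 if it is not, 2 if the entry was not found at all.
manpage_lists_ssh_rsa() {
    section=$(ca_section)
    [ -n "$section" ] || return 2
    printf '%s\n' "$section" | tr ', \t' '\n\n\n' | grep -qx 'ssh-rsa'
}

# Constructed sample input: the entry as quoted in the original report,
# followed by another option that legitimately mentions ssh-rsa.
sample_before() {
    cat <<'EOF'
     CASignatureAlgorithms
             Specifies which algorithms are allowed for signing of
             certificates by certificate authorities (CAs).  The default is:

                   ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                   ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

     HostKeyAlgorithms
             (constructed) ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
EOF
}

# Constructed sample of the expected result: same text with ssh-rsa dropped
# from the CASignatureAlgorithms default only.
sample_after() {
    sample_before | awk '
        /^ *HostKeyAlgorithms/ { later = 1 }
        !later { sub(/,ssh-rsa$/, "") }
        { print }
    '
}
```

On the test container the input would come from `LC_ALL=C man ssh_config` (and again for `sshd_config`) piped into `manpage_lists_ssh_rsa`; the C locale keeps the hyphens in algorithm names as plain ASCII. A plain `grep ssh-rsa` over the whole page still matches after the fix because other options mention the name, which is why the check is limited to the one entry.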