[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
Andreas Hasenack
2053146 at bugs.launchpad.net
Mon Apr 8 21:03:36 UTC 2024
Jammy verification
In all architectures (except i386, which is a known failure everywhere)
the new ssh-gssapi test passed.
Here is the run on amd64[1]:
3438s autopkgtest [16:33:21]: test ssh-gssapi: [-----------------------
3438s ## Setting up test environment
3438s ## Creating Kerberos realm EXAMPLE.FAKE
3438s Loading random data
3438s Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.FAKE',
3438s master key name 'K/M at EXAMPLE.FAKE'
3438s ## Creating principals
3438s Authenticating as principal root/admin at EXAMPLE.FAKE with password.
3438s Principal "testuser1457 at EXAMPLE.FAKE" created.
3438s Authenticating as principal root/admin at EXAMPLE.FAKE with password.
3438s Principal "host/sshd-gssapi.example.fake at EXAMPLE.FAKE" created.
3438s ## Extracting service principal host/sshd-gssapi.example.fake
3438s Authenticating as principal root/admin at EXAMPLE.FAKE with password.
3438s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
3438s Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
3438s ## Adjusting /etc/krb5.conf
3438s ## TESTS
3438s
3438s ## TEST test_gssapi_login
3438s ## Configuring sshd for gssapi-with-mic authentication
3438s ## Restarting ssh
3438s ## Obtaining TGT
3438s Password for testuser1457 at EXAMPLE.FAKE:
3438s Ticket cache: FILE:/tmp/krb5cc_0
3438s Default principal: testuser1457 at EXAMPLE.FAKE
3438s
3438s Valid starting Expires Service principal
3438s 04/05/24 16:33:20 04/06/24 02:33:20 krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
3438s renew until 04/06/24 16:33:20
3438s
3438s ## ssh'ing into localhost using gssapi-with-mic auth
3438s Warning: Permanently added 'sshd-gssapi.example.fake' (ED25519) to the list of known hosts.
3439s Fri Apr 5 16:33:21 UTC 2024
3439s
3439s ## checking that we got a service ticket for ssh (host/)
3439s 04/05/24 16:33:21 04/06/24 02:33:20 host/sshd-gssapi.example.fake@
3439s Ticket server: host/sshd-gssapi.example.fake at EXAMPLE.FAKE
3439s
3439s ## Checking ssh logs to confirm gssapi-with-mic auth was used
3439s Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1518]: Accepted gssapi-with-mic for testuser1457 from 127.0.0.1 port 50668 ssh2: testuser1457 at EXAMPLE.FAKE
3439s ## PASS test_gssapi_login
3439s
3439s ## TEST test_gssapi_keyex_login
3439s ## Configuring sshd for gssapi-keyex authentication
3439s ## Restarting ssh
3439s ## Obtaining TGT
3439s Password for testuser1457 at EXAMPLE.FAKE:
3439s Ticket cache: FILE:/tmp/krb5cc_0
3439s Default principal: testuser1457 at EXAMPLE.FAKE
3439s
3439s Valid starting Expires Service principal
3439s 04/05/24 16:33:21 04/06/24 02:33:21 krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
3439s renew until 04/06/24 16:33:21
3439s
3439s ## ssh'ing into localhost using gssapi-keyex auth
3439s Fri Apr 5 16:33:21 UTC 2024
3439s
3439s ## checking that we got a service ticket for ssh (host/)
3439s 04/05/24 16:33:21 04/06/24 02:33:21 host/sshd-gssapi.example.fake@
3439s Ticket server: host/sshd-gssapi.example.fake at EXAMPLE.FAKE
3439s
3439s ## Checking ssh logs to confirm gssapi-keyex auth was used
3439s Apr 05 16:33:21 sshd-gssapi.example.fake sshd[1558]: Accepted gssapi-keyex for testuser1457 from 127.0.0.1 port 50670 ssh2: testuser1457 at EXAMPLE.FAKE
3439s ## PASS test_gssapi_keyex_login
3439s
3439s ## ALL TESTS PASSED
3439s ## Cleaning up
3439s autopkgtest [16:33:22]: test ssh-gssapi: -----------------------]
3439s autopkgtest [16:33:22]: test ssh-gssapi: - - - - - - - - - - results - - - - - - - - - -
3439s ssh-gssapi PASS
3440s autopkgtest [16:33:23]: @@@@@@@@@@@@@@@@@@@@ summary
3440s regress PASS
3440s ssh-gssapi PASS
Jammy verification succeeded.
1. https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/o/openssh/20240405_163345_c46fa@/log.gz
** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy
https://bugs.launchpad.net/bugs/2053146
Title:
openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is
slightly wrong
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Jammy:
Fix Committed
Status in openssh source package in Mantic:
Fix Committed
Status in openssh source package in Noble:
Fix Released
Bug description:
[ Impact ]
The gssapi-keyex authentication mechanism has been inadvertently
broken in openssh. It comes from a distro patch[1], and while the
patch still applied, it was no longer correct.
Without the fix, sshd will fail to start if gssapi-keyex is listed in
the AuthenticationMethods of the server, and if not, sshd will still
start, but gssapi-keyex will not be available.
[ Test Plan ]
This update, besides fixing the patch, also adds a new autopkgtest to
the package, which tests both gssapi-with-mic ("normal" gssapi, which
is not affected by this bug), and gssapi-keyex, which, before this
update, did not work.
The test plan is to run the new ssh-gssapi autopkgtest and verify it
succeeds.
[ Where problems could occur ]
ssh is a critical piece of infrastructure, and problems with it could
have catastrophic consequences. The service itself has a test command
before it starts up to verify the syntax of the config file, but that
test is not applied on shutdown, so a restart with an invalid config
file could still leave sshd dead.
The patch adds a change to an authentication structure, but that
change is already present in the upstream code, and we are just
updating it in the new gssapi-keyex code (introduced by the distro[1]
patch, already present). Therefore, mistakes here should manifest
themselves just in the gssapi-keyex code, which wasn't working anyway.
Effectively, though, we are enabling a new authentication mechanism in
sshd, one that was not supposed to have been removed, but was broken
by mistake.
[ Other Info ]
The fact no-one noticed this problem for more than two years could be
telling that there are not many users of this authentication mechanism
out there. The same applies to Debian: it has also been broken for a
while there. Maybe we should drop it for future Ubuntu releases, since
upstream refuses to take it in.
1.
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/gssapi.patch
[ Original Description ]
The Authmethod struct now has 4 entries but the initialization of the
method_gsskeyex in the debian/patches/gssapi.patch only has 3
entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
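Review bot: inserting `synonym` between `name` and `userauth` while also changing the `userauth` signature means any positional `Authmethod` initializer elsewhere in the tree (the distro gssapi.patch adds one) keeps compiling with only incompatible-pointer warnings, with every value shifted one field to the left and `enabled` left NULL. Worth grepping for other `Authmethod` definitions when this lands and, for the distro-added one, switching to designated initializers (`.name =`, `.synonym =`, `.userauth =`, `.enabled =`) so a missing field is visible rather than silently zero-filled.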
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
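Review bot: this initializer is positional and supplies three values for the four-field struct shown above, so `userauth_gsskeyex` lands in `synonym`, `&options.gss_authentication` in `userauth`, and `enabled` is zero-filled, which is exactly why the method is treated as disabled. Suggest `"gssapi-keyex", NULL, userauth_gsskeyex, &options.gss_authentication` (or designated initializers), and check that `userauth_gsskeyex` itself now takes the `(struct ssh *, const char *)` signature the hunk above introduces.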
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex.
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
===
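As an added illustration (not code from the bug report or from OpenSSH), the two initializers side by side with a lookup modelled on upstream's authmethod_lookup(); the struct layout is the one quoted in the hunk above, while `options`, `userauth_gsskeyex` and `gsskeyex_usable` are stand-ins written for this example.

```c
#include <stddef.h>
#include <string.h>

struct ssh;                                   /* opaque, as upstream */
/* Authmethod after upstream commit dbb339f0 (hunk quoted in the bug). */
typedef struct Authmethod {
    char *name;
    char *synonym;
    int (*userauth)(struct ssh *, const char *);
    int *enabled;
} Authmethod;

static struct { int gss_authentication; } options = { 1 };  /* stand-in */

static int userauth_gsskeyex(struct ssh *ssh, const char *method)
{
    (void)ssh; (void)method;                  /* stand-in: always succeeds */
    return 1;
}

/* Fixed initializer: the NULL synonym keeps userauth and enabled in place. */
static Authmethod method_gsskeyex_fixed = {
    "gssapi-keyex", NULL, userauth_gsskeyex, &options.gss_authentication
};

/* What the three-entry initializer in debian/patches/gssapi.patch produced:
 * each value slid one field left and 'enabled' was zero-filled. The casts
 * exist only so this builds where those implicit conversions are errors. */
static Authmethod method_gsskeyex_broken = {
    "gssapi-keyex",
    (char *)userauth_gsskeyex,                                  /* -> synonym */
    (int (*)(struct ssh *, const char *))(void *)&options.gss_authentication,
    /* enabled: implicitly NULL */
};

/* Mirrors upstream authmethod_lookup(): usable only if 'enabled' is set and
 * points at a non-zero option. Startup validation of AuthenticationMethods
 * applies the same test, hence the refused start described in [ Impact ]. */
static Authmethod *authmethod_lookup(Authmethod **methods, const char *name)
{
    for (size_t i = 0; methods[i] != NULL; i++)
        if (methods[i]->enabled != NULL && *methods[i]->enabled != 0 &&
            strcmp(name, methods[i]->name) == 0)
            return methods[i];
    return NULL;
}

/* 1 if "gssapi-keyex" would be offered with this table entry, else 0. */
static int gsskeyex_usable(Authmethod *m)
{
    Authmethod *table[] = { m, NULL };
    return authmethod_lookup(table, "gssapi-keyex") != NULL;
}
```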