[Bug 1668093] Re: ssh-keygen -H corrupts already hashed entries
ChristianEhrhardt
1668093@bugs.launchpad.net
Fri Mar 17 08:17:19 UTC 2017
Thanks Colin,
I have new bileto tickets with all the fixes prepared:
Xenial: https://bileto.ubuntu.com/#/ticket/2597
Yakkety: https://bileto.ubuntu.com/#/ticket/2598
Although things looked good on testing at first (local amd64), you can
see there that arm and s390x seem to fail now.
ARM:
run test connect.sh ...
ssh-keygen -lf /tmp/autopkgtest.U8eLXQ/autopkgtest_tmp/tree/regress/t12.out.pub | grep test-comment-1234 >/dev/null
ssh connect with protocol 2 failed
make: *** [t-exec] Error 1
failed simple connect
s390x:
run test forwarding.sh ...
failed copy of /bin/ls
cmp: EOF on /data/adttmp/autopkgtest-virt-lxc.shared.j0fd9gxe/downtmp/autopkgtest_tmp/tree/regress/copy
corrupted copy of /bin/ls
failed local and remote forwarding
These reproduce in 4/4 cases :-/
Then I checked history and it seems those are accepted and ignored cases all through Xenial/Yakkety.
See:
http://autopkgtest.ubuntu.com/packages/openssh/xenial/armhf
http://autopkgtest.ubuntu.com/packages/openssh/yakkety/armhf
http://autopkgtest.ubuntu.com/packages/openssh/xenial/s390x
http://autopkgtest.ubuntu.com/packages/openssh/yakkety/s390x
Same failure since:
- Xenial openssh 1:7.2p2-4ubuntu2.1
- Yakkety systemd/231-3
That said, Colin - would you mind sponsoring by hitting "publish" on those two tickets after you have synced the latest Debian to Zesty?
https://bugs.launchpad.net/bugs/1668093
Title:
ssh-keygen -H corrupts already hashed entries
Status in openssh package in Ubuntu:
Fix Committed
Status in openssh source package in Xenial:
Triaged
Status in openssh source package in Yakkety:
Triaged
Status in openssh package in Debian:
Fix Released
Bug description:
[Impact]
* re-execution of ssh-keygen -H can clobber known-hosts
* Due to that, users might get spurious re-warnings for known systems. For automation it might be worse, as it might stop working when re-executed.
* This is a regression from Trusty (working) to Xenial (fail) upgrade
due to an upstream bug in the versions we merged.
* This is a backport of the upstream fix
[Test Case]
* Pick a host IP that you can reach and that replies with SSH to scan keys from, then run the following trivial loop:
$ ssh-keyscan ${IP} > ~/.ssh/known_hosts; for i in $(seq 1 20); do ssh-keygen -H; diff -Naur ~/.ssh/known_hosts.old ~/.ssh/known_hosts; done
* Expected: no diff reported, since already hashed entries should be left as-is
* Without fix: diff in the hashes
[Regression Potential]
* The fix is upstream and soon in Debian as well, so we are not
custom diverting here.
* The risk should be minimal as this only changes ssh-keygen so
despite openssh being really critical this doesn't affect ssh itself
at all.
[Other Info]
* n/a
---
xenial @ 1:7.2p2-4ubuntu2.1 on amd64 has this bug. trusty @
1:6.6p1-2ubuntu2.8 on amd64 does not have this bug. I have not tested
any other ssh versions.
The following should reproduce the issue:
# ssh-keyscan XXXX > ~/.ssh/known_hosts
# ssh root@XXXXX
Permission denied (publickey).
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ssh root@XXXXXX
Permission denied (publickey).
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ssh root@XXXXX
The authenticity of host 'XXXXXX' can't be established.
RSA key fingerprint is XXXXXX.
Are you sure you want to continue connecting (yes/no)?
# diff known_hosts.old known_hosts
1c1
< |1|BoAbRpUE3F5AzyprJcbjdepeDh8=|x/1AcaLxh45FlShmVQnlgx2qjxY= XXXXX
---
> |1|nTPsoLxCugQyZi3pqOa2pc/cX64=|bUH5qwZlZPp8msMGHdLtslf3Huk= XXXXX
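The known_hosts hashing that the test case and the diff above exercise, as an added Python example that is not from the bug report or from OpenSSH: it builds the `|1|<salt>|<hmac>` host field the way ssh-keygen -H does (HMAC-SHA1 over the lowercased hostname with a random 20-byte salt), checks a hostname against such a field, and runs a hashing pass that leaves already hashed lines alone, so applying it twice is a no-op instead of clobbering the file. The sample known_hosts content in the test is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

HASH_MAGIC = "|1|"  # prefix of an OpenSSH hashed known_hosts host field


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build the '|1|<salt>|<hmac>' field ssh-keygen -H writes for one hostname."""
    if salt is None:
        salt = os.urandom(20)  # ssh-keygen draws a fresh 20-byte salt per entry
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hostname_matches(host_field: str, hostname: str) -> bool:
    """True if a hashed host field was produced from `hostname` (how ssh checks it)."""
    if not host_field.startswith(HASH_MAGIC):
        return False
    salt_b64, mac_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    actual = hmac.new(salt, hostname.lower().encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hash_known_hosts(text: str) -> str:
    """Hash the host field of every plain entry; leave hashed entries untouched.

    Passing '|1|' lines through unchanged is the step the ssh-keygen in this
    report got wrong: it re-hashed the already hashed field, so the salt and
    MAC changed and no real hostname matched the entry any more.
    """
    out = []
    for line in text.splitlines():
        if not line.strip() or line[0] in "#@|":
            out.append(line)  # blank, comment, @marker and hashed lines pass through
            continue
        host_field, key_part = line.split(None, 1)
        # like ssh-keygen -H: one hashed line per name in a comma-separated list
        for name in host_field.split(","):
            out.append(hash_hostname(name.lower()) + " " + key_part)
    return "\n".join(out) + "\n"
```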