[Bug 1966591] Autopkgtest regression report (openssh/1:8.2p1-4ubuntu0.5)

Ubuntu SRU Bot 1966591 at bugs.launchpad.net
Wed Apr 13 02:42:44 UTC 2022 

All autopkgtests for the newly accepted openssh (1:8.2p1-4ubuntu0.5) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

snapd/2.54.3+20.04.1ubuntu0.2 (ppc64el, s390x, arm64, amd64)
gvfs/1.44.1-1ubuntu1 (ppc64el, arm64)


Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-
migration/focal/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1966591

Title:
  ssh-keygen -R changes known_hosts file permissions (mode)

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Bionic:
  Fix Committed
Status in openssh source package in Focal:
  Fix Committed
Status in openssh source package in Impish:
  Fix Released
Status in openssh source package in Jammy:
  Fix Released

Bug description:
  [Impact]

  When using "ssh-keygen -R" to remove a host from "known_hosts" the
  command changes permissions on the file.  This can cause problems
  particularly when used on the global "known_hosts" file
  (/etc/ssh/ssh_known_hosts), because then only root can read it.
  Programs running non-interactively as non-root users suddenly fail to
  SSH and it's not immediately obvious why.

  [Test Plan]

  The problem happens on Bionic and Focal.

  $ lxc launch ubuntu-daily:focal openssh-bug1966591
  $ lxc shell openssh-bug1966591
  # ssh-keyscan github.com > test_known_hosts
  # chmod 644 test_known_hosts
  # ssh-keygen -R github.com -f test_known_hosts
  # stat test_known_hosts
  ...
  Access: (0600/-rw-------) ...
  ...

  [Where problems could occur]

  The upstream patch is very simple and it is unlikely that it will
  cause any regressions.  An indirect problem that could occur is that
  users might expect to see a more strict set of permissions on a
  "known_hosts" file after using "ssh-keygen -R", but arguably this is
  not defined behaviour and should not be relied upon.  Of course, there
  is always a (very) small risk of introducing problems when rebuilding
  packages using newer versions of its dependencies (especially on
  Bionic, because it's older).

  [Original Description]

  When I use ssh-keygen -R to remove a host from known_hosts it changes
  permissions on the file. This causes problems particularly when used
  on the global known hosts file (/etc/ssh/ssh_known_hosts), because
  then only root can read it. Programs running non-interactively as non-
  root users suddenly fail to SSH and it's not immediately obvious why.

  To reproduce:

  $ ssh-keyscan github.com >test_known_hosts
  $ chmod 741 test_known_hosts
  $ ssh-keygen -R github.com -f test_known_hosts
  $ stat test_known_hosts
  ...
  Access: (0600/-rw-------) ...

  Expected behavior: file permissions remain unchanged (mode 0741 in
  this example).

  $ lsb_release -rd
  Description:	Ubuntu 18.04.6 LTS
  Release:	18.04

  $ apt-cache policy openssh-client
  openssh-client:
    Installed: 1:7.6p1-4ubuntu0.6

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1966591/+subscriptions

More information about the foundations-bugs mailing list