[Bug 1871465] Re: ssh_config(5) contains outdated information

Wed Aug 17 14:11:16 UTC 2022

> Fixing this is nice for the users, but OTOH very low severity and
would cause a package download and update on almost every Ubuntu in the
world. Therefore we will mark this as block-proposed and keep it in
focal-proposed so that a later real update (security or functional) will
pick this up from -proposed and then fix it in the field for real.

Note that then the tag should be block-proposed-focal, not block-
proposed.

** Tags removed: block-proposed
** Tags added: block-proposed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1871465

Title:
  ssh_config(5) contains outdated information

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Triaged
Status in openssh source package in Hirsute:
  Won't Fix
Status in openssh source package in Impish:
  Won't Fix

Bug description:
  [Impact]

  The problem here is straightforward. 
  The case is to fix manpages. They need to reflect a change done to the code some time ago. That problem might be annoying for users before being fixed. 

  Backport upstream fix to Focal
  Origin: 
  https://github.com/openssh/openssh-portable/commit/53ea05e09b04fd7b6dea66b42b34d65fe61b9636

  [Test Plan]

  Make a container for testing:

  First option:
  $ lxc launch images:ubuntu/bionic focal-test
  $ lxc shell focal-test

  Simply install the openssh package using ‘apt install’ and check both ssh_config.5 and sshd_config.5 files. You should be able to spot the ‘ssh_rsa’ in these files.

  [Where problems could occur]

  Any code change might change the behavior of the package in a specific
  situation and cause other errors.

  Next things which might cause regression are new dependencies which
  might not align and it is obvious the dependencies are upgraded and it
  might be a problem, but it is really unlikely.

  Even none of the rather generic cases above does apply here as we only
  change non-functional content in the form of the man page; Therefore
  the only risk is out of re-building the package which could pick up
  something from e.g. a changed toolchain.

  [Other Info]

  Fixing this is nice for the users, but OTOH very low severity and would cause a package download and update on almost every Ubuntu in the world. Therefore we will mark this as block-proposed and keep it in focal-proposed so that a later real update (security or functional) will pick this up from -proposed and then fix it in the field for real.

  ----------------------------original
  report-------------------------------

  The release of OpenSSH 8.2 has removed `ssh-rsa` from the default list
  of CACertificateAlgorithms. However the latest `openssh-client` still
  ships the man page for ssh_config(5) that contains the following
  description:

       CASignatureAlgorithms
               Specifies which algorithms are allowed for signing of certificates
               by certificate authorities (CAs).  The default is:

                     ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                     ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

               ssh(1) will not accept host certificates signed using algorithms
               other than those specified.

  As far as I am concerned, `ssh-rsa` should be dropped from the list so
  as to match the behavior of ssh(1).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1871465/+subscriptions