[Bug 287256] [NEW] hardy ppc (ports.ubuntu.com) includes broken (old) openssh-client package which only generates comprimized keys.
Launchpad Bug Tracker
287256 at bugs.launchpad.net
Sat Dec 13 15:43:52 GMT 2008
You have been subscribed to a public bug:
The version of openssh-client included in hardy for ppc (from ports.ubuntu.com) will only create compromised keys.
Additionally the version on ppc does not even include ssh-vulnkey.
On the ppc machine:
bbogart at ubuntu:~$ dpkg -l openssh-client | grep ^ii
ii openssh-client 1:4.7p1-8ubuntu1 secure shell client, an rlogin/rsh/rcp replacement
bbogart at ubuntu:~$ dpkg -L openssh-client | grep vuln
bbogart at ubuntu:~$
On the x86 machine:
bbogart at aporia:~$ dpkg -l openssh-client | grep ^ii
ii openssh-client 1:4.7p1-8ubuntu1.2 secure shell client, an rlogin/rsh/rcp replacement
bbogart at aporia:~$ dpkg -L openssh-client | grep vuln
/usr/share/man/man1/ssh-vulnkey.1.gz
/usr/bin/ssh-vulnkey
Here is the whole testing transaction for key generation on the ppc
machine:
bbogart at ubuntu:~$ uname -a
Linux ubuntu 2.6.24-16-powerpc #1 Thu Apr 10 12:48:35 UTC 2008 ppc GNU/Linux
bbogart at ubuntu:~$ ssh-keygen -t rsa -f test
Generating public/private rsa key pair.
test already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test.
Your public key has been saved in test.pub.
The key fingerprint is:
40:5d:14:f9:b7:b3:2a:4c:05:db:28:62:e0:f1:19:32 bbogart at ubuntu
bbogart at ubuntu:~$ scp test.pub aporia:
bbogart at aporia's password:
test.pub 100% 396 0.4KB/s 00:00
bbogart at ubuntu:~$ ssh aporia
bbogart at aporia's password:
Linux aporia 2.6.24-19-rt #1 SMP PREEMPT RT Thu Aug 21 02:08:03 UTC 2008 i686
...
bbogart at aporia:~$ ssh-vulnkey test.pub
COMPROMISED: 2048 40:5d:14:f9:b7:b3:2a:4c:05:db:28:62:e0:f1:19:32 bbogart at ubuntu
Should ppc bugs be reported somewhere else? (ports.ubuntu.com specific?)
Thanks,
.b.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
--
hardy ppc (ports.ubuntu.com) includes broken (old) openssh-client package which only generates comprimized keys.
https://bugs.launchpad.net/bugs/287256
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu.
More information about the Ubuntu-server-bugs
mailing list