[Bug 287256] [NEW] hardy ppc (ports.ubuntu.com) includes broken (old) openssh-client package which only generates comprimized keys.

Launchpad Bug Tracker 287256 at bugs.launchpad.net
Sat Dec 13 15:43:52 GMT 2008


You have been subscribed to a public bug:

The version of openssh-client included in hardy for ppc (from ports.ubuntu.com) will only create compromised keys.
Additionally the version on ppc does not even include ssh-vulnkey. 

On the ppc machine:

bbogart at ubuntu:~$ dpkg -l openssh-client | grep ^ii
ii  openssh-client             1:4.7p1-8ubuntu1           secure shell client, an rlogin/rsh/rcp replacement
bbogart at ubuntu:~$ dpkg -L openssh-client | grep vuln
bbogart at ubuntu:~$ 


On the x86 machine: 

bbogart at aporia:~$ dpkg -l openssh-client | grep ^ii
ii  openssh-client             1:4.7p1-8ubuntu1.2         secure shell client, an rlogin/rsh/rcp replacement
bbogart at aporia:~$ dpkg -L openssh-client | grep vuln
/usr/share/man/man1/ssh-vulnkey.1.gz
/usr/bin/ssh-vulnkey

Here is the whole testing transaction for key generation on the ppc
machine:

bbogart at ubuntu:~$ uname -a
Linux ubuntu 2.6.24-16-powerpc #1 Thu Apr 10 12:48:35 UTC 2008 ppc GNU/Linux
bbogart at ubuntu:~$ ssh-keygen -t rsa -f test
Generating public/private rsa key pair.
test already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in test.
Your public key has been saved in test.pub.
The key fingerprint is:
40:5d:14:f9:b7:b3:2a:4c:05:db:28:62:e0:f1:19:32 bbogart at ubuntu
bbogart at ubuntu:~$ scp test.pub aporia:
bbogart at aporia's password: 
test.pub                                                                                         100%  396     0.4KB/s   00:00    
bbogart at ubuntu:~$ ssh aporia
bbogart at aporia's password: 
Linux aporia 2.6.24-19-rt #1 SMP PREEMPT RT Thu Aug 21 02:08:03 UTC 2008 i686
...
bbogart at aporia:~$ ssh-vulnkey test.pub 
COMPROMISED: 2048 40:5d:14:f9:b7:b3:2a:4c:05:db:28:62:e0:f1:19:32 bbogart at ubuntu

Should ppc bugs be reported somewhere else? (ports.ubuntu.com specific?)

Thanks,
.b.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
hardy ppc (ports.ubuntu.com) includes broken (old) openssh-client package which only generates comprimized keys.
https://bugs.launchpad.net/bugs/287256
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu.



More information about the Ubuntu-server-bugs mailing list