[Bug 1668093] Re: ssh-keygen -H corrupts already hashed entries
Łukasz Zemczak
1668093 at bugs.launchpad.net
Thu Apr 6 11:11:21 UTC 2017
Hello Sarah, or anyone else affected,
Accepted openssh into yakkety-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/openssh/1:7.3p1-1ubuntu0.1 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: openssh (Ubuntu Yakkety)
Status: Triaged => Fix Committed
** Tags added: verification-needed
** Changed in: openssh (Ubuntu Xenial)
Status: Triaged => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1668093
Title:
ssh-keygen -H corrupts already hashed entries
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Xenial:
Fix Committed
Status in openssh source package in Yakkety:
Fix Committed
Status in openssh package in Debian:
Fix Released
Bug description:
[Impact]
* re-execution of ssh-keygen -H can clobber known-hosts
* Due to that users might get spurious re-warnings of known systems. For Automation it might be worse as it might stop to work when re-executed.
* This is a regression from Trusty (working) to Xenial (fail) upgrade
due to an upstream bug in the versions we merged.
* This is a backport of the upstream fix
[Test Case]
* Pick a Host IP to scan keys from that you can reach and replies with SSH, then run the following trivial loop:
$ ssh-keyscan ${IP} > ~/.ssh/known_hosts; for i in $(seq 1 20); do ssh-keygen -H; diff -Naur ~/.ssh/known_hosts.old ~/.ssh/known_hosts; done
* Expected: no diff reported, since already hashed entries should be left as-is
* Without fix: - diff in the hashes
[Regression Potential]
* The fix is upstream and soon in Debian as well, so we are not
custom diverting here.
* The risk should be minimal as this only changes ssh-keygen so
despite openssh being really critical this doesn't affect ssh itself
at all.
[Other Info]
* n/a
---
xenial @ 1:7.2p2-4ubuntu2.1 on amd64 has this bug. trusty @
1:6.6p1-2ubuntu2.8 on amd64 does not have this bug. I have not tested
any other ssh versions.
The following should reproduce the issue:
#ssh-keyscan XXXX > ~/.ssh/known_hosts
# ssh root at XXXXX
Permission denied (publickey).
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ssh root at XXXXXX
Permission denied (publickey).
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ssh root at XXXXX
The authenticity of host 'XXXXXX' can't be established.
RSA key fingerprint is XXXXXX.
Are you sure you want to continue connecting (yes/no)?
# diff known_hosts.old known_hosts
1c1
< |1|BoAbRpUE3F5AzyprJcbjdepeDh8=|x/1AcaLxh45FlShmVQnlgx2qjxY= XXXXX
---
> |1|nTPsoLxCugQyZi3pqOa2pc/cX64=|bUH5qwZlZPp8msMGHdLtslf3Huk= XXXXX
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1668093/+subscriptions
More information about the Ubuntu-sponsors
mailing list