Your message dated Sun, 08 Dec 2024 17:32:08 +0000
with message-id <e1tkl8a-00etiu...@fasolo.debian.org>
and subject line Bug#1001186: fixed in openssh 1:9.2p1-2+deb12u4
has caused the Debian Bug report #1001186,
regarding ssh-agent: SSH_AUTH_SOCK temporary directory uses 6 template chars out of 12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001186
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:8.7p1-2
Severity: minor
Tags: sid bookworm

Dear Maintainer,

I recently noticed on sid and testing, that when starting an
ssh-agent, the SSH_AUTH_SOCK is located in a temporary directory
which only has its six last "X" in the template effectively set
random.  Here is an example of annotated output from testing:

        (testing-amd64-sbuild)$ ssh-agent | grep AUTH
        SSH_AUTH_SOCK=/tmp/ssh-XXXXXXTNMzUg/agent.1753865; export SSH_AUTH_SOCK;
                               ^^^^^^
        (testing-amd64-sbuild)$ ssh-agent | grep AUTH
        SSH_AUTH_SOCK=/tmp/ssh-XXXXXXwkcH8n/agent.1753867; export SSH_AUTH_SOCK;
                               ^^^^^^
        (testing-amd64-sbuild)$ ssh-agent | grep AUTH
        SSH_AUTH_SOCK=/tmp/ssh-XXXXXXMZou0x/agent.1753869; export SSH_AUTH_SOCK;
                               ^^^^^^
        (testing-amd64-sbuild)$ ssh-agent | grep AUTH
        SSH_AUTH_SOCK=/tmp/ssh-XXXXXXQQyooG/agent.1753871; export SSH_AUTH_SOCK;
                               ^^^^^^

Earlier versions of ssh-agent in Debian, such as the one
delivered in bullseye, do have effectively all X's from the
template set random:

        (bullseye-amd64-sbuild)$ ssh-agent | grep AUTH
        SSH_AUTH_SOCK=/tmp/ssh-6iy9xiW14kJD/agent.1754856; export SSH_AUTH_SOCK;
                               ^^^^^^
        (bullseye-amd64-sbuild)$ ssh-agent | grep AUTH
        SSH_AUTH_SOCK=/tmp/ssh-S8YSIDoV32GR/agent.1754858; export SSH_AUTH_SOCK;
                               ^^^^^^

The bookworm behavior is consistent with mkdtemp(3), which only
changes the last six XXXXXX of the template string, so I suppose
earlier versions were using another mkdtemp implementation to
create the temporary directory.  I don't believe the issue is a
big deal to be honest, but I think it might raise some eyebrows.

Thank you for taking the time to maintain openssh in Debian!

Have a nice day,  :)
Étienne.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/12 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.9
ii  libc6             2.32-5
ii  libedit2          3.1-20210910-1
ii  libfido2-1        1.9.0-1
ii  libgssapi-krb5-2  1.18.3-7
ii  libselinux1       3.3-1+b1
ii  libssl1.1         1.1.1l-1
ii  passwd            1:4.8.1-2
ii  zlib1g            1:1.2.11.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.1-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- debconf-show failed

-- 
Étienne Mollier <emoll...@emlwks999.eu>
Fingerprint:  8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
Sent from /dev/pts/3, please excuse my verbosity.

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:9.2p1-2+deb12u4
Done: Colin Watson <cjwat...@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 08 Dec 2024 00:14:54 +0000
Source: openssh
Architecture: source
Version: 1:9.2p1-2+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-...@lists.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1001186 1041521 1064898 1088248 1088873
Changes:
 openssh (1:9.2p1-2+deb12u4) bookworm; urgency=medium
 .
   * Always use the internal mkdtemp implementation, since it substitutes
     more randomness into the template string than glibc's version (closes:
     #1001186, #1064898).
   * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
     (LP: #2053146).
   * Import ssh-gssapi autopkgtest from 1:9.8p1-4.
   * Don't prefer host-bound public key signatures if there was no initial
     host key, as is the case when using GSS-API key exchange (closes:
     #1041521, #1088248).
   * Make sntrup761x25519-sha512 key exchange algorithm available without the
     @openssh.com suffix too (closes: #1088873).
Checksums-Sha1:
 597fa49b49d9dda82d90268c16670fc865e186ed 3381 openssh_9.2p1-2+deb12u4.dsc
 2fa5f51f4b3809c26d0cde886f612f5d2068c507 194708 openssh_9.2p1-2+deb12u4.debian.tar.xz
Checksums-Sha256:
 5d5a01fcbec9bd68db93b92e25a2384650a6ac6757652d5715e541ce6bae4df4 3381 openssh_9.2p1-2+deb12u4.dsc
 99a63bad9ef447c0d890816c5f3a2b97d8dbded2e426f15614ee0526446c9c5f 194708 openssh_9.2p1-2+deb12u4.debian.tar.xz
Files:
 0c49c9a37634dc32bf1d4bdb0be208be 3381 net standard openssh_9.2p1-2+deb12u4.dsc
 e7185ea5169385771fb700d807517480 194708 net standard openssh_9.2p1-2+deb12u4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpjleTTlj5NG.pgp
Description: PGP signature


--- End Message ---
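
Added illustration, not code from OpenSSH, glibc or this thread: the C program below contrasts libc `mkdtemp(3)` on a 12-X template with a helper that randomises every trailing X, the behaviour difference described in the report and in the changelog entry. It assumes Linux with glibc and a writable `/tmp`; `mkdtemp_all_x`, `rand_alnum` and `literal_x_left` are hypothetical names chosen for this example.

```c
#define _GNU_SOURCE                  /* exposes mkdtemp() and getrandom() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/stat.h>
#include <unistd.h>

#define TEMPLATE "/tmp/ssh-XXXXXXXXXXXX"   /* 12 X's, as in the report */
#define PREFIX_LEN (sizeof("/tmp/ssh-") - 1)

/* One unbiased character from a 62-symbol alphabet (rejection sampling). */
static char rand_alnum(void) {
    static const char set[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    unsigned char b;
    do {
        if (getrandom(&b, 1, 0) != 1) abort();
    } while (b >= 248);              /* 248 = 4 * 62, so b % 62 is uniform */
    return set[b % 62];
}

/* Hypothetical helper: randomise EVERY trailing X, then mkdir with mode 0700. */
char *mkdtemp_all_x(char *tmpl) {
    size_t len = strlen(tmpl), nx = 0;
    while (nx < len && tmpl[len - 1 - nx] == 'X') nx++;
    if (nx < 6) { errno = EINVAL; return NULL; }
    for (int attempt = 0; attempt < 100; attempt++) {
        for (size_t i = len - nx; i < len; i++) tmpl[i] = rand_alnum();
        if (mkdir(tmpl, 0700) == 0) return tmpl;
        if (errno != EEXIST) return NULL;      /* only retry on a name collision */
    }
    return NULL;                     /* errno is still EEXIST */
}

/* Create a directory with fn, remove it, count literal X's left after the prefix. */
int literal_x_left(char *(*fn)(char *)) {
    char path[] = TEMPLATE;
    int n = 0;
    if (fn(path) == NULL) return -1;
    rmdir(path);
    while (path[PREFIX_LEN + n] == 'X') n++;
    return n;
}

int main(void) {
    printf("libc mkdtemp: %d, mkdtemp_all_x: %d leading X left\n",
           literal_x_left(mkdtemp), literal_x_left(mkdtemp_all_x));
}
```

With the 62-symbol alphabet used here, six random characters give about 35.7 bits of unpredictability in the directory name and twelve give about 71.5 bits.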