First I checked if the change that got into Debian matches mine that I prepared for SRU - they do.
I triggered a local autopkgtest of pre/post SRU upload locally and while that was running evaluated the history of these tests in Ubuntu and Debian. It seems to fail in Debian just as much, while the former version was ok [1]. On Ubuntu the recent sync failed as well [2]. The output format of the regress test changed slightly, but the SRUs fail essentially at the same test that the last version does "didn't find find simple in hashed" (and similar). In the meantime my local Tests completed - and of course - they worked (once I want to find a case that is easy to debug). I need to go deeper to see what is going on now. But for now wanted to make clear that the Zesty sync is broken as well as outlined above. As expected it is haning in z-p [3] at the moment with that error. [1]: https://ci.debian.net/packages/o/openssh/unstable/amd64/ [2]: http://autopkgtest.ubuntu.com/packages/openssh/zesty/amd64 [3]: http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1668093 Title: ssh-keygen -H corrupts already hashed entries Status in openssh package in Ubuntu: Fix Committed Status in openssh source package in Xenial: Triaged Status in openssh source package in Yakkety: Triaged Status in openssh package in Debian: Fix Released Bug description: [Impact] * re-execution of ssh-keygen -H can clobber known-hosts * Due to that users might get spurious re-warnings of known systems. For Automation it might be worse as it might stop to work when re-executed. * This is a regression from Trusty (working) to Xenial (fail) upgrade due to an upstream bug in the versions we merged. * This is a backport of the upstream fix [Test Case] * Pick a Host IP to scan keys from that you can reach and replies with SSH, then run the following trivial loop: $ ssh-keyscan ${IP} > ~/.ssh/known_hosts; for i in $(seq 1 20); do ssh-keygen -H; diff -Naur ~/.ssh/known_hosts.old ~/.ssh/known_hosts; done * Expected: no diff reported, since already hashed entries should be left as-is * Without fix: - diff in the hashes [Regression Potential] * The fix is upstream and soon in Debian as well, so we are not custom diverting here. * The risk should be minimal as this only changes ssh-keygen so despite openssh being really critical this doesn't affect ssh itself at all. [Other Info] * n/a --- xenial @ 1:7.2p2-4ubuntu2.1 on amd64 has this bug. trusty @ 1:6.6p1-2ubuntu2.8 on amd64 does not have this bug. I have not tested any other ssh versions. The following should reproduce the issue: #ssh-keyscan XXXX > ~/.ssh/known_hosts # ssh root@XXXXX Permission denied (publickey). # ssh-keygen -H /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old WARNING: /root/.ssh/known_hosts.old contains unhashed entries Delete this file to ensure privacy of hostnames # ssh root@XXXXXX Permission denied (publickey). # ssh-keygen -H /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old WARNING: /root/.ssh/known_hosts.old contains unhashed entries Delete this file to ensure privacy of hostnames # ssh root@XXXXX The authenticity of host 'XXXXXX' can't be established. RSA key fingerprint is XXXXXX. Are you sure you want to continue connecting (yes/no)? # diff known_hosts.old known_hosts 1c1 < |1|BoAbRpUE3F5AzyprJcbjdepeDh8=|x/1AcaLxh45FlShmVQnlgx2qjxY= XXXXX --- > |1|nTPsoLxCugQyZi3pqOa2pc/cX64=|bUH5qwZlZPp8msMGHdLtslf3Huk= XXXXX To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1668093/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
