First of all, I have changed the SRU description in 'Test Plan' section a bit,
to be more precisely. We could assume the fix didn't work if I would leave it
as it did before.
I've added information that we should look for the changes within the specific
area in the manpage, so the steps are obvious now.
Fix works, package 1:8.2p1-4ubuntu0.6 fixes the bug.
I've created the focal container using steps from the [Test Plan]
section listed above in the Bug Description and inside that container I
typed in:
$ apt policy openssh-server
The output:
Installed: 1:8.2p1-4ubuntu0.5
Candidate: 1:8.2p1-4ubuntu0.6
Version table:
1:8.2p1-4ubuntu0.6 500
500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
*** 1:8.2p1-4ubuntu0.5 500
500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
100 /var/lib/dpkg/status
1:8.2p1-4ubuntu0.2 500
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
1:8.2p1-4 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Then I have typed in:
$ man sshd_config
and
$ man ssh_config
I've noticed that nothing has changed there. So the problem still
existed, because as we could see in the output, the package version was
not the one where the fix is.
Then I've upgraded both openssh-server and openssh-client using:
$ apt install openssh-server=1:8.2p1-4ubuntu0.6
$ apt install openssh-client=1:8.2p1-4ubuntu0.6
Later I've typed in:
$ apt policy openssh-server
to check if installed version is changed and we see that we have new version
installed (with fix)
Installed: 1:8.2p1-4ubuntu0.6
Candidate: 1:8.2p1-4ubuntu0.6
Version table:
*** 1:8.2p1-4ubuntu0.6 500
500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
100 /var/lib/dpkg/status
1:8.2p1-4ubuntu0.5 500
500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
1:8.2p1-4ubuntu0.2 500
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
1:8.2p1-4 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Finally when I opened the manpage, typing:
$ man ssh_config
the problem did not exist, so the fix works.
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1871465
Title:
ssh_config(5) contains outdated information
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Focal:
Fix Committed
Status in openssh source package in Hirsute:
Won't Fix
Status in openssh source package in Impish:
Won't Fix
Bug description:
[Impact]
The problem here is straightforward.
The case is to fix manpages. They need to reflect a change done to the code
some time ago. That problem might be annoying for users before being fixed.
Backport upstream fix to Focal
Origin:
https://github.com/openssh/openssh-portable/commit/53ea05e09b04fd7b6dea66b42b34d65fe61b9636
[Test Plan]
Make a container for testing:
First option:
$ lxc launch ubuntu:focal focal-test
$ lxc shell focal-test
Simply install the openssh package using ‘apt install’ and check
ssh_config and sshd_config.
Acutal results:
1. Create a container using steps from above.
2. Type in man ssh_config and check that as well as the sshd_config.
3. You should spot the ssh-rsa entries in the manpage within the
CASignatureAlgorithms section.
Expected results:
1. Create a container using steps from above.
2. Type in man ssh_config and check that as well as the sshd_config.
3. You shouldn't spot the ssh-rsa entries in the manpage within the
CASignatureAlgorithms section.
[Where problems could occur]
Any code change might change the behavior of the package in a specific
situation and cause other errors.
Next things which might cause regression are new dependencies which
might not align and it is obvious the dependencies are upgraded and it
might be a problem, but it is really unlikely.
Even none of the rather generic cases above does apply here as we only
change non-functional content in the form of the man page; Therefore
the only risk is out of re-building the package which could pick up
something from e.g. a changed toolchain.
[Other Info]
Fixing this is nice for the users, but OTOH very low severity and
would cause a package download and update on almost every Ubuntu in
the world. Therefore we will mark this as block-proposed and keep it
in focal-proposed so that a later real update (security or functional)
will pick this up from -proposed and then fix it in the field for
real.
----------------------------original
report-------------------------------
The release of OpenSSH 8.2 has removed `ssh-rsa` from the default list
of CACertificateAlgorithms. However the latest `openssh-client` still
ships the man page for ssh_config(5) that contains the following
description:
CASignatureAlgorithms
Specifies which algorithms are allowed for signing of
certificates
by certificate authorities (CAs). The default is:
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
ssh(1) will not accept host certificates signed using algorithms
other than those specified.
As far as I am concerned, `ssh-rsa` should be dropped from the list so
as to match the behavior of ssh(1).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1871465/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
