> Please add a verification that your final purpose actually works to
> the Test Plan

Ok, I've added details on how to test using Authd, linking to its
documentation for all the setup details.

> OK, but there are cases where we recommend doing that, such as for
> HOTP/TOTP configuration: https://ubuntu.com/server/docs/openssh-server.
> Maybe it's worth adding to the Test Plan to ensure that those steps
> still work?

Done

> Please could you add steps on how you specifically intend to do this
> to the Test Plan?

Banners added too

0) IIRC one of the reviewers of the MR was part of the security team at
the time it was reviewed

1) Yep, that's definitely something that I should also propose upstream,
although, as said, that's something that SSHd hasn't cared about so far.

2) This is something to test, however the characters we care about here
are in a group that should generally be available everywhere (even in
very limited terminal character sets).

** Description changed:

  [ Impact ]
  
  Non-ascii visible chars (including back-slashes, new lines and so) are
  not properly rendered by clients, showing their octal visualization.
  
  Such as:
  
    Hello SSHD \\ We love \360\237\215\225!
  
  Instead of:
  
    Hello SSHD \ We love 🍕!
  
  This is particularly an issue when a server has configured keyboard
  interactive authentication and a PAM module wants to show non-ASCII
  characters such as a QR code for web authentication:
  
  When using an ubuntu server running authd for web authentication we may
  end up having the login qrcode rendered such as
  
  
\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210
                          https://ubuntu.com
                                 1337
  
  Which is clearly unreadable.
  
  [ Test case ]
  
  ## Server preparation
  
  Enable PAM and keyboard interactive authentication in a ssh server:
  
  Add a configuration file such as:
   /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  Containing:
  
  UsePAM yes
- KbdInteractiveAuthentication yes
- # This was working already; here to check potential regressions
+ KbdInteractiveAuthentication yes# This was working already; here to check 
potential regressions
  ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL"
  
  It's also suggested to check for regressions using a `Banner` option in
  sshd, pointing to a file with utf-8 contents.
  
  Restart the server:
  
    sudo systemctl restart ssh.service
  
  Edit the sshd PAM configuration file, adding as first line:
  
    auth    requisite pam_echo.so Hello SSHD \ We love 🍕!
  
  Can be done with the command:
    sudo sed '1 iauth    requisite pam_echo.so Hello SSHD! \\ We love 🍕!' \
     -i /etc/pam.d/sshd
  
  ## Client test
  
  In the same host:
  
   ssh -o PubkeyAuthentication=no \
       -o PasswordAuthentication=no \
       -o PreferredAuthentications=keyboard-interactive \
       $USER@localhost
  
  The client should show:
  
  Hello SSHD \ We love 🍕!
  ($USER@localhost) Password:
  ...
  Hello from SSHD \ We also love 🍕!
  
  Retry the same with another host and without keyboard authentication
  enabled in the server side.
  
  To verify the fix in more complex scenario it's possible to follow the 
instructions of configuring authd:
-  - https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
+  - https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
  
  Once authd is configured, the user should be able to scan a QrCode from
  a ssh session.
  
  ## Cleanup
  
  Revert the changes done in the cleanup phase, after test is done
  
  sudo sed '/pam_echo\.so/d' -i /etc/pam.d/sshd
  sudo rm /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
+ # Further testing
+ 
+ It's also required to check if other configurations using keyboard
+ interactive such as TOTP/HOTP access still work:
+ 
+ https://ubuntu.com/server/docs/openssh-server#two-factor-authentication-
+ with-totphotp
+ 
  [ Regression potential ]
  
  SSH info messages are not shown by the client. Even though those aren't
  covered by this change, it's important to check for regressions in any
  output that SSH exposes to the user. So banners and other messages
  should be checked for regressions.
  
  These kind of messages are normally shown only when PAM *and* keyboard
  interaction are enabled in the server side, so it should not affect the
  default ubuntu servers behavior.
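
Review bot: In the `Containing:` block of Server preparation, the `KbdInteractiveAuthentication yes` line is now fused with the comment that used to sit on its own line, giving `KbdInteractiveAuthentication yes# This was working already; ...`, so a tester pasting the block into /etc/ssh/sshd_config.d/test-ssh-pam.conf gets an option value that runs straight into the comment text. Put the comment back on its own line above `ForceCommand`. In the new `# Further testing` section, the TOTP/HOTP URL is split across two lines after `two-factor-authentication-`, which breaks the link, and the heading uses a single `#` while `## Server preparation`, `## Client test` and `## Cleanup` use two.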

** Description changed:

  [ Impact ]
  
  Non-ascii visible chars (including back-slashes, new lines and so) are
  not properly rendered by clients, showing their octal visualization.
  
  Such as:
  
    Hello SSHD \\ We love \360\237\215\225!
  
  Instead of:
  
    Hello SSHD \ We love 🍕!
  
  This is particularly an issue when a server has configured keyboard
  interactive authentication and a PAM module wants to show non-ASCII
  characters such as a QR code for web authentication:
  
  When using an ubuntu server running authd for web authentication we may
  end up having the login qrcode rendered such as
  
  
\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210
                          https://ubuntu.com
                                 1337
  
  Which is clearly unreadable.
  
  [ Test case ]
  
  ## Server preparation
  
  Enable PAM and keyboard interactive authentication in a ssh server:
  
  Add a configuration file such as:
   /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  Containing:
  
- UsePAM yes
- KbdInteractiveAuthentication yes# This was working already; here to check 
potential regressions
- ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL"
+  UsePAM yes
+  KbdInteractiveAuthentication yes# This was working already; here to check 
potential regressions
+  ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL"
  
  It's also suggested to check for regressions using a `Banner` option in
- sshd, pointing to a file with utf-8 contents.
+ sshd, pointing to a file with utf-8 contents:
+ 
+  echo "Hello" | qrencode -t ansiutf8 > /tmp/ssh-banner
+  Banner /tmp/ssh-banner
  
  Restart the server:
  
    sudo systemctl restart ssh.service
  
  Edit the sshd PAM configuration file, adding as first line:
  
    auth    requisite pam_echo.so Hello SSHD \ We love 🍕!
  
  Can be done with the command:
    sudo sed '1 iauth    requisite pam_echo.so Hello SSHD! \\ We love 🍕!' \
     -i /etc/pam.d/sshd
  
  ## Client test
  
  In the same host:
  
   ssh -o PubkeyAuthentication=no \
       -o PasswordAuthentication=no \
       -o PreferredAuthentications=keyboard-interactive \
       $USER@localhost
  
  The client should show:
  
  Hello SSHD \ We love 🍕!
  ($USER@localhost) Password:
  ...
  Hello from SSHD \ We also love 🍕!
  
  Retry the same with another host and without keyboard authentication
  enabled in the server side.
  
  To verify the fix in more complex scenario it's possible to follow the 
instructions of configuring authd:
   - https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
  
  Once authd is configured, the user should be able to scan a QrCode from
  a ssh session.
  
  ## Cleanup
  
  Revert the changes done in the cleanup phase, after test is done
  
  sudo sed '/pam_echo\.so/d' -i /etc/pam.d/sshd
  sudo rm /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  # Further testing
  
  It's also required to check if other configurations using keyboard
  interactive such as TOTP/HOTP access still work:
  
  https://ubuntu.com/server/docs/openssh-server#two-factor-authentication-
  with-totphotp
  
  [ Regression potential ]
  
  SSH info messages are not shown by the client. Even though those aren't
  covered by this change, it's important to check for regressions in any
  output that SSH exposes to the user. So banners and other messages
  should be checked for regressions.
  
  These kind of messages are normally shown only when PAM *and* keyboard
  interaction are enabled in the server side, so it should not affect the
  default ubuntu servers behavior.
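
Review bot: The two lines added under the `Banner` paragraph mix a shell command (`echo "Hello" | qrencode -t ansiutf8 > /tmp/ssh-banner`) with an sshd_config directive (`Banner /tmp/ssh-banner`) without saying which is which; state that the directive belongs in /etc/ssh/sshd_config.d/test-ssh-pam.conf and that qrencode has to be installed first. The `## Cleanup` steps should also remove /tmp/ssh-banner, and `The client should show:` needs the expected banner output so that this check has a pass criterion. The `KbdInteractiveAuthentication yes# This was working already; ...` line is only re-indented here and is still fused with its comment.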

** Description changed:

  [ Impact ]
  
  Non-ascii visible chars (including back-slashes, new lines and so) are
  not properly rendered by clients, showing their octal visualization.
  
  Such as:
  
    Hello SSHD \\ We love \360\237\215\225!
  
  Instead of:
  
    Hello SSHD \ We love 🍕!
  
  This is particularly an issue when a server has configured keyboard
  interactive authentication and a PAM module wants to show non-ASCII
  characters such as a QR code for web authentication:
  
  When using an ubuntu server running authd for web authentication we may
  end up having the login qrcode rendered such as
  
  
\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210
                          https://ubuntu.com
                                 1337
  
  Which is clearly unreadable.
  
  [ Test case ]
  
  ## Server preparation
  
  Enable PAM and keyboard interactive authentication in a ssh server:
  
  Add a configuration file such as:
   /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  Containing:
  
-  UsePAM yes
-  KbdInteractiveAuthentication yes# This was working already; here to check 
potential regressions
-  ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL"
+  UsePAM yes
+  KbdInteractiveAuthentication yes# This was working already; here to check 
potential regressions
+  ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL"
  
  It's also suggested to check for regressions using a `Banner` option in
  sshd, pointing to a file with utf-8 contents:
  
-  echo "Hello" | qrencode -t ansiutf8 > /tmp/ssh-banner
-  Banner /tmp/ssh-banner
+  echo "Hello" | qrencode -t ansiutf8 > /tmp/ssh-banner
+  Banner /tmp/ssh-banner
  
  Restart the server:
  
    sudo systemctl restart ssh.service
  
  Edit the sshd PAM configuration file, adding as first line:
  
    auth    requisite pam_echo.so Hello SSHD \ We love 🍕!
  
  Can be done with the command:
    sudo sed '1 iauth    requisite pam_echo.so Hello SSHD! \\ We love 🍕!' \
     -i /etc/pam.d/sshd
  
  ## Client test
  
  In the same host:
  
   ssh -o PubkeyAuthentication=no \
       -o PasswordAuthentication=no \
       -o PreferredAuthentications=keyboard-interactive \
       $USER@localhost
  
  The client should show:
  
  Hello SSHD \ We love 🍕!
  ($USER@localhost) Password:
  ...
  Hello from SSHD \ We also love 🍕!
  
  Retry the same with another host and without keyboard authentication
  enabled in the server side.
  
  To verify the fix in more complex scenario it's possible to follow the 
instructions of configuring authd:
   - https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
  
  Once authd is configured, the user should be able to scan a QrCode from
  a ssh session.
  
  ## Cleanup
  
  Revert the changes done in the cleanup phase, after test is done
  
  sudo sed '/pam_echo\.so/d' -i /etc/pam.d/sshd
  sudo rm /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  # Further testing
  
  It's also required to check if other configurations using keyboard
  interactive such as TOTP/HOTP access still work:
  
  https://ubuntu.com/server/docs/openssh-server#two-factor-authentication-
  with-totphotp
  
+ # Authd testing
+ 
+ - Configurand install authd and MsEntraID broker as described at:
+   https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd
+ 
+ - Configure SSHd and try to login using the Qrcode as documented at
+   https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
+ 
  [ Regression potential ]
  
  SSH info messages are not shown by the client. Even though those aren't
  covered by this change, it's important to check for regressions in any
  output that SSH exposes to the user. So banners and other messages
  should be checked for regressions.
  
  These kind of messages are normally shown only when PAM *and* keyboard
  interaction are enabled in the server side, so it should not affect the
  default ubuntu servers behavior.
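
Review bot: The first bullet of the new `# Authd testing` section reads `Configurand install authd`, which should be `Configure and install authd`. The section also stops at "try to login using the Qrcode" with no expected result, and its second bullet repeats the wiki link already given under `## Client test` ("To verify the fix in more complex scenario ..."); keep one of the two and state what the tester should see.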

** Description changed:

  [ Impact ]
  
  Non-ascii visible chars (including back-slashes, new lines and so) are
  not properly rendered by clients, showing their octal visualization.
  
  Such as:
  
    Hello SSHD \\ We love \360\237\215\225!
  
  Instead of:
  
    Hello SSHD \ We love 🍕!
  
  This is particularly an issue when a server has configured keyboard
  interactive authentication and a PAM module wants to show non-ASCII
  characters such as a QR code for web authentication:
  
  When using an ubuntu server running authd for web authentication we may
  end up having the login qrcode rendered such as
  
  
\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210
                          https://ubuntu.com
                                 1337
  
  Which is clearly unreadable.
  
  [ Test case ]
  
  ## Server preparation
  
  Enable PAM and keyboard interactive authentication in a ssh server:
  
  Add a configuration file such as:
   /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  Containing:
  
   UsePAM yes
   KbdInteractiveAuthentication yes# This was working already; here to check 
potential regressions
   ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL"
  
  It's also suggested to check for regressions using a `Banner` option in
  sshd, pointing to a file with utf-8 contents:
  
   echo "Hello" | qrencode -t ansiutf8 > /tmp/ssh-banner
   Banner /tmp/ssh-banner
  
  Restart the server:
  
    sudo systemctl restart ssh.service
  
  Edit the sshd PAM configuration file, adding as first line:
  
    auth    requisite pam_echo.so Hello SSHD \ We love 🍕!
  
  Can be done with the command:
    sudo sed '1 iauth    requisite pam_echo.so Hello SSHD! \\ We love 🍕!' \
     -i /etc/pam.d/sshd
  
  ## Client test
  
  In the same host:
  
   ssh -o PubkeyAuthentication=no \
       -o PasswordAuthentication=no \
       -o PreferredAuthentications=keyboard-interactive \
       $USER@localhost
  
  The client should show:
  
  Hello SSHD \ We love 🍕!
  ($USER@localhost) Password:
  ...
  Hello from SSHD \ We also love 🍕!
  
  Retry the same with another host and without keyboard authentication
  enabled in the server side.
  
  To verify the fix in more complex scenario it's possible to follow the 
instructions of configuring authd:
   - https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
  
  Once authd is configured, the user should be able to scan a QrCode from
  a ssh session.
  
  ## Cleanup
  
  Revert the changes done in the cleanup phase, after test is done
  
  sudo sed '/pam_echo\.so/d' -i /etc/pam.d/sshd
  sudo rm /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  # Further testing
  
  It's also required to check if other configurations using keyboard
  interactive such as TOTP/HOTP access still work:
  
  https://ubuntu.com/server/docs/openssh-server#two-factor-authentication-
  with-totphotp
  
  # Authd testing
  
  - Configurand install authd and MsEntraID broker as described at:
-   https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd
+   https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd
  
  - Configure SSHd and try to login using the Qrcode as documented at
-   https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
+   https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
+ 
+ - Accessing via SSH to a machine via QrCode should show a properly rendered
+   qrcode
  
  [ Regression potential ]
  
  SSH info messages are not shown by the client. Even though those aren't
  covered by this change, it's important to check for regressions in any
  output that SSH exposes to the user. So banners and other messages
  should be checked for regressions.
  
  These kind of messages are normally shown only when PAM *and* keyboard
  interaction are enabled in the server side, so it should not affect the
  default ubuntu servers behavior.
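
Review bot: The pass criterion in the added bullet, "should show a properly rendered qrcode", is subjective; make it checkable, for example that the code scans with a phone and that no octal escapes such as `\342\226\210` (the failure shown in [ Impact ]) appear in the client output. The two URL lines above it change only in whitespace, and the `Configurand` typo in the first bullet is still present.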

** Description changed:

  [ Impact ]
  
  Non-ascii visible chars (including back-slashes, new lines and so) are
  not properly rendered by clients, showing their octal visualization.
  
  Such as:
  
    Hello SSHD \\ We love \360\237\215\225!
  
  Instead of:
  
    Hello SSHD \ We love 🍕!
  
  This is particularly an issue when a server has configured keyboard
  interactive authentication and a PAM module wants to show non-ASCII
  characters such as a QR code for web authentication:
  
  When using an ubuntu server running authd for web authentication we may
  end up having the login qrcode rendered such as
  
  
\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210
                          https://ubuntu.com
                                 1337
  
  Which is clearly unreadable.
  
  [ Test case ]
  
  ## Server preparation
  
  Enable PAM and keyboard interactive authentication in a ssh server:
  
  Add a configuration file such as:
   /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  Containing:
  
   UsePAM yes
   KbdInteractiveAuthentication yes# This was working already; here to check 
potential regressions
   ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL"
  
  It's also suggested to check for regressions using a `Banner` option in
  sshd, pointing to a file with utf-8 contents:
  
   echo "Hello" | qrencode -t ansiutf8 > /tmp/ssh-banner
   Banner /tmp/ssh-banner
  
  Restart the server:
  
    sudo systemctl restart ssh.service
  
  Edit the sshd PAM configuration file, adding as first line:
  
    auth    requisite pam_echo.so Hello SSHD \ We love 🍕!
  
  Can be done with the command:
    sudo sed '1 iauth    requisite pam_echo.so Hello SSHD! \\ We love 🍕!' \
     -i /etc/pam.d/sshd
  
  ## Client test
  
  In the same host:
  
   ssh -o PubkeyAuthentication=no \
       -o PasswordAuthentication=no \
       -o PreferredAuthentications=keyboard-interactive \
       $USER@localhost
  
  The client should show:
  
  Hello SSHD \ We love 🍕!
  ($USER@localhost) Password:
  ...
  Hello from SSHD \ We also love 🍕!
+ █████████████████████████████
+ █████████████████████████████
+ ████ ▄▄▄▄▄ █▀█ █ █ ▄▄▄▄▄ ████
+ ████ █   █ █▄█▄▄▀█ █   █ ████
+ ████ █▄▄▄█ █   ▄▄█ █▄▄▄█ ████
+ ████▄▄▄▄▄▄▄█ █▄█▄█▄▄▄▄▄▄▄████
+ ████  █▄▀▀▄ █▀▄ ▄▀▄ ▄█▄ ▀████
+ ████ ██▀▀ ▄▀▀▄▀▄▀▀    ▄▀ ████
+ ████▄▄▄▄██▄▄  █▄█   ▀█▀██████
+ ████ ▄▄▄▄▄ █▄▀▀▄▄█ ▀ ▄▄ ▀████
+ ████ █   █ █▀█▀█▄  ▀▄▀▀▀ ████
+ ████ █▄▄▄█ █▀ ▄ ▀▄▄█▄█▄█▄████
+ ████▄▄▄▄▄▄▄█▄▄███▄█▄█▄█▄█████
+ █████████████████████████████
+ █████████████████████████████
  
- Retry the same with another host and without keyboard authentication
- enabled in the server side.
+ 
+ Retry the same with another host and without keyboard authentication enabled 
in the server side.
  
  To verify the fix in more complex scenario it's possible to follow the 
instructions of configuring authd:
   - https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
  
  Once authd is configured, the user should be able to scan a QrCode from
  a ssh session.
  
  ## Cleanup
  
  Revert the changes done in the cleanup phase, after test is done
  
  sudo sed '/pam_echo\.so/d' -i /etc/pam.d/sshd
  sudo rm /etc/ssh/sshd_config.d/test-ssh-pam.conf
  
  # Further testing
  
  It's also required to check if other configurations using keyboard
  interactive such as TOTP/HOTP access still work:
  
  https://ubuntu.com/server/docs/openssh-server#two-factor-authentication-
  with-totphotp
  
  # Authd testing
  
  - Configurand install authd and MsEntraID broker as described at:
    https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd
  
  - Configure SSHd and try to login using the Qrcode as documented at
    https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH
  
  - Accessing via SSH to a machine via QrCode should show a properly rendered
-   qrcode
+   qrcode
  
  [ Regression potential ]
  
  SSH info messages are not shown by the client. Even though those aren't
  covered by this change, it's important to check for regressions in any
  output that SSH exposes to the user. So banners and other messages
  should be checked for regressions.
  
  These kind of messages are normally shown only when PAM *and* keyboard
  interaction are enabled in the server side, so it should not affect the
  default ubuntu servers behavior.
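
Review bot: The QR block added to `The client should show:` sits after the ForceCommand output `Hello from SSHD \ We also love 🍕!` without saying which step produces it. If it is the `Banner /tmp/ssh-banner` file from Server preparation, label it as the banner and check its position: sshd sends the banner before authentication, so it would be expected above the `Hello SSHD \ We love 🍕!` and `Password:` lines rather than at the end. The reflowed `Retry the same with another host ...` sentence now wraps onto an unindented line, unlike the rest of the description.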

https://bugs.launchpad.net/bugs/2077576

Title:
  SSH client doesn't handle properly non-ASCII chars
