ssh blacklisting of private keys 9.04_64

Bug #420813 reported by rlopez
Affects: openssh (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

Similar to: 328127, 328445, 348126

Three servers were installed using the same script to configure them after installing 9.04_64. In all ways they function identically except one of them is blacklisting some keys of some systems administrators. We all have had our keys for quite some time and these three systems are among hundreds of RHEL and Solaris servers where all the keys are working just fine.

The three servers are all HP ProLiant DL360 G5.
# dpkg -S /usr/sbin/sshd
openssh-server: /usr/sbin/sshd
# lsb_release -rd
Description: Ubuntu 9.04
Release: 9.04
# apt-cache policy openssh-server
openssh-server:
  Installed: 1:5.1p1-5ubuntu1
  Candidate: 1:5.1p1-5ubuntu1
  Version table:
 *** 1:5.1p1-5ubuntu1 0
        500 http://us.archive.ubuntu.com jaunty/main Packages
        100 /var/lib/dpkg/status

ssh-vulnkey -a lists the failing keys as blacklisted. Debugging confirms the keys are examined and not used.

Generating a new key on a Dell Optiplex GX620 running 9.04 results in the key NOT being blacklisted, but login fails with a "failure to sign key" message and the password option is not made available. Adding the old key back to authorized_keys results in immediate blacklisting again.

Keys from non-Ubuntu systems have no problems. Only keys from Ubuntu (several recent versions) have been blacklisted.

There is no seahorse involved.

Colin Watson (cjwatson) wrote:

If your keys are being blacklisted, then, well ... they may appear to be working just fine, but everyone else on the planet can get the corresponding private keys with only a little bit of effort! You really do need to regenerate those keys. Any release of Ubuntu that's still within its support lifetime and that has all security updates applied will be fine. I'm afraid that I regard the security risk here as several orders of magnitude more serious than the inconvenience of needing to regenerate keys.

Whatever that signing failure is, it's unrelated to the blacklisting; it could easily be a configuration error due to confusion among multiple keys, or something. If you'd like to file that separately, with as much debugging information as possible, we can look into that.

See:

  http://www.ubuntu.com/usn/usn-612-2

Changed in openssh (Ubuntu):
status: New → Won't Fix
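What ssh-vulnkey does when it reports a key as blacklisted is a fingerprint lookup, not a judgement about the key's age or origin host, which is why the same key is rejected on every patched Ubuntu box and accepted everywhere else. The script below is an added example for this thread (not code from the bug report or from Ubuntu's openssh package) that performs that lookup over an authorized_keys file. Assumptions, stated here and in the code: blacklist entries are the key's MD5 fingerprint with colons removed and the first 12 hex digits dropped, one per line with '#' comments; the two RSA keys, the authorized_keys text and the blacklist text are constructed for the demo, so the "weak" key is only weak because it was put on the list. Check the header of your local /usr/share/ssh/blacklist.* files if the entry format matters to you.

```python
"""Weak-key blacklist lookup in the style of ssh-vulnkey.

Added example for this bug report; not code from Ubuntu's openssh package
or from the reporter. Assumptions, labelled here and below:
  * blacklist files are one lowercase hex entry per line, each entry being
    the key's MD5 fingerprint (colons removed) with the first 12 hex digits
    dropped, and '#' lines are comments;
  * the two RSA keys and the blacklist text are constructed for the demo,
    so the "weak" one is only weak because we put it on the list.
"""
import base64
import hashlib


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for non-negative n: a leading 0x00 is added when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def ssh_rsa_blob(e: int, n: int) -> str:
    """Base64 public-key blob as it appears in authorized_keys / id_rsa.pub."""
    wire = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(wire).decode("ascii")


def md5_fingerprint(b64_blob: str) -> str:
    """32 hex digits: the MD5 fingerprint (`ssh-keygen -l -E md5`) without colons."""
    return hashlib.md5(base64.b64decode(b64_blob)).hexdigest()


def blacklist_id(b64_blob: str) -> str:
    # Assumption: blacklist entries are the fingerprint minus its first 12 hex digits (20 remain).
    return md5_fingerprint(b64_blob)[12:]


def parse_blacklist(text: str) -> set:
    """Set of blacklist entries; comment and blank lines are ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) per key line; leading options such as from= are skipped.

    Options containing quoted spaces are not handled; this is a demo parser."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(parts):
                yield tok, parts[i + 1], " ".join(parts[i + 2:])
                break


def check_authorized_keys(ak_text: str, blacklist_text: str) -> list:
    """Return [(comment, md5_fingerprint_hex, is_blacklisted)] in file order."""
    bad = parse_blacklist(blacklist_text)
    return [(comment, md5_fingerprint(blob), blacklist_id(blob) in bad)
            for _ktype, blob, comment in parse_authorized_keys(ak_text)]


# Constructed sample data (not real keys): 1024-bit-sized moduli with e = 65537.
WEAK_BLOB = ssh_rsa_blob(65537, (1 << 1023) | 0x5EAF00D)
GOOD_BLOB = ssh_rsa_blob(65537, (1 << 1023) | 0xB0BACAFE)
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    "ssh-rsa " + WEAK_BLOB + " alice@jaunty-box",
    'from="10.0.0.0/8" ssh-rsa ' + GOOD_BLOB + " bob@rhel-box",
])
# Constructed blacklist in the assumed layout of /usr/share/ssh/blacklist.RSA-1024.
BLACKLIST = "# constructed blacklist for the demo\n" + blacklist_id(WEAK_BLOB) + "\n"

if __name__ == "__main__":
    for comment, fp, bad in check_authorized_keys(AUTHORIZED_KEYS, BLACKLIST):
        print(("COMPROMISED " if bad else "ok          ") + fp + "  " + comment)
```

On a real host the equivalent is the `ssh-vulnkey -a` run from the report. A hit means the key pair was generated with the OpenSSL PRNG bug covered by USN-612, so its private half is in a small, enumerable set; the only remedy is to generate a new pair on a patched system and replace the public key on every host that carries it, which is the point of the comment above.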