Merge ~kajiya/ubuntu/+source/openssh:lp1952421-sshd-matching-certs into ubuntu/+source/openssh:ubuntu/hirsute-devel

Proposed by Chloé Smith
Status: Merged
Merged at revision: 1e5a2f97881c0f4e5baaf1ab988a226b72340512
Proposed branch: ~kajiya/ubuntu/+source/openssh:lp1952421-sshd-matching-certs
Merge into: ubuntu/+source/openssh:ubuntu/hirsute-devel
Diff against target: 61 lines (+39/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/match-host-certs-w-public-keys.patch (+30/-0)
debian/patches/series (+1/-0)
Reviewer | Review Type | Date Requested | Status
Utkarsh Gupta (community) | | | Approve
Canonical Server packageset reviewers | | | Pending
Review via email: mp+412663@code.launchpad.net

Description of the change

This fixes LP: #1952421, as requested by one of the cloud partners. This has already been fixed upstream and is just a trivial backport of the same.

## Tests ##

sbuild results

+------------------------------------------------------------------------------+
| Summary |
+------------------------------------------------------------------------------+

Build Architecture: amd64
Build Type: full
Build-Space: 127248
Build-Time: 349
Distribution: hirsute
Host Architecture: amd64
Install-Time: 85
Job: ../openssh_8.4p1-5ubuntu1.2.dsc
Lintian: warn
Machine Architecture: amd64
Package: openssh
Package-Time: 517
Source-Version: 1:8.4p1-5ubuntu1.2
Space: 127248
Status: successful
Version: 1:8.4p1-5ubuntu1.2
--------------------------------------------------------------------------------

``autopkgtest results``

Removing files ...
Removing user `openssh-tests' ...
Warning: group `openssh-tests' has no more members.
Done.
autopkgtest [22:58:41]: test regress: -----------------------]
autopkgtest [22:58:42]: test regress: - - - - - - - - - - results - - - - - - - - - -
regress PASS
autopkgtest [22:58:43]: @@@@@@@@@@@@@@@@@@@@ summary
regress PASS

Utkarsh Gupta (utkarsh) wrote :

Hello,

This looks great! Thank you very much! Just two comments and I can sponsor this upload! :D

review: Needs Information
Chloé Smith (kajiya) wrote :

@utkarsh thanks for the tips :D Would you like me to squash the last 2 commits?

Utkarsh Gupta (utkarsh) wrote :

Hey,

All looks good now, thank you!

As for squashing: that's up to you, really. It's not a necessity but maybe a good idea, I guess? We generally try to keep the commits precise and try to squash the similar ones. But it's a personal preference, too. So your call. :D

Let me know about this and I can sponsor this directly.

review: Approve
Chloé Smith (kajiya) wrote :

Hey @utkarsh!

In that case then I won't squash if that's okay :)
IMHO squashing isn't always the best purely because you sometimes lose the flow of the conversation/workflow. I only offered on the off chance you guys find it mandatory - so feel free to sponsor straight away :D

Utkarsh Gupta (utkarsh) wrote :

Thank you, Chloe. Sponsored the upload as-is:

$ dput ubuntu ../openssh_8.4p1-5ubuntu1.2_source.changes
Checking signature on .changes
gpg: ../openssh_8.4p1-5ubuntu1.2_source.changes: Valid signature from 823E967606C34B96
Checking signature on .dsc
gpg: ../openssh_8.4p1-5ubuntu1.2.dsc: Valid signature from 823E967606C34B96
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_8.4p1-5ubuntu1.2.dsc: done.
  Uploading openssh_8.4p1.orig.tar.gz: done.
  Uploading openssh_8.4p1-5ubuntu1.2.debian.tar.xz: done.
  Uploading openssh_8.4p1-5ubuntu1.2_source.buildinfo: done.
  Uploading openssh_8.4p1-5ubuntu1.2_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 25b1143..48ea7e6 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+openssh (1:8.4p1-5ubuntu1.2) hirsute; urgency=medium
7+
8+ * d/p/match-host-certs-w-public-keys.patch: Add patch
9+ to match host certificates agianst host public keys.
10+ (LP: #1952421)
11+
12+ -- Chloé S <chloe.smith@canonical.com> Wed, 01 Dec 2021 14:12:42 +0000
13+
14 openssh (1:8.4p1-5ubuntu1.1) hirsute; urgency=medium
15
16 * d/systemd/ssh@.service: preserve the systemd managed runtime directory to
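Review bot: The new changelog bullet misspells "against" as "agianst" in its second line ("to match host certificates agianst host public keys."). Please correct it before upload, since the changelog text ships with the package and is what users see when they review the update.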
17diff --git a/debian/patches/match-host-certs-w-public-keys.patch b/debian/patches/match-host-certs-w-public-keys.patch
18new file mode 100644
19index 0000000..98c1f04
20--- /dev/null
21+++ b/debian/patches/match-host-certs-w-public-keys.patch
22@@ -0,0 +1,30 @@
23+Description: Match host certificates against host public keys
24+ not private keys. Allows use of certificates with private keys
25+ held in a ssh-agent.
26+Origin: upstream
27+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3254
28+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421
29+Forwarded: not-needed
30+Applied-Upstream: https://github.com/openssh/openssh-portable/commit/530739d4
31+
32+From 530739d42f6102668aecd699be0ce59815c1eceb Mon Sep 17 00:00:00 2001
33+From: "djm@openbsd.org" <djm@openbsd.org>
34+Date: Sun, 6 Jun 2021 11:34:16 +0000
35+Reported by Miles Zhou in bz3524; ok dtucker@
36+OpenBSD-Commit-ID: 25f5bf70003126d19162862d9eb380bf34bac22a
37+
38+---
39+ sshd.c | 4 ++--
40+ 1 file changed, 2 insertions(+), 2 deletions(-)
41+
42+--- a/sshd.c
43++++ b/sshd.c
44+@@ -1945,7 +1945,7 @@
45+ /* Find matching private key */
46+ for (j = 0; j < options.num_host_key_files; j++) {
47+ if (sshkey_equal_public(key,
48+- sensitive_data.host_keys[j])) {
49++ sensitive_data.host_pubkeys[j])) {
50+ sensitive_data.host_certificates[j] = key;
51+ break;
52+ }
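Review bot: The patch header carries two different upstream bug numbers: the Bug: field links to bugzilla.mindrot.org id=3254, while the quoted commit text says "Reported by Miles Zhou in bz3524". Please confirm which one is right and, if the commit text is reproduced verbatim, say so in the Description so readers follow the Bug: link. The embedded commit header also has no Subject line between Date: and the body, and its diffstat reads "2 insertions(+), 2 deletions(-)" while the hunk contains a single -/+ pair, so a one-line remark on what was dropped from the upstream commit would make the backport easier to audit. In the hunk itself, the context comment still reads "Find matching private key" although the comparison now uses sensitive_data.host_pubkeys[j]; that is inherited from upstream, but worth knowing when reading the patched code.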
53diff --git a/debian/patches/series b/debian/patches/series
54index 9566a01..639825f 100644
55--- a/debian/patches/series
56+++ b/debian/patches/series
57@@ -29,3 +29,4 @@ ssh-agent-double-free.patch
58 0f90440ca70abab947acbd77795e9f130967956c.patch
59 2e0beff67def2120f4b051b1016d7fbf84823e78.patch
60 1bb130ed34721d46452529d094d9bbf045607d79.patch
61+match-host-certs-w-public-keys.patch
