Merge ~kajiya/ubuntu/+source/openssh:lp1952421-sshd-matching-certs-focal into ubuntu/+source/openssh:ubuntu/focal-devel

Proposed by Chloé Smith
Status: Work in progress
Proposed branch: ~kajiya/ubuntu/+source/openssh:lp1952421-sshd-matching-certs-focal
Merge into: ubuntu/+source/openssh:ubuntu/focal-devel
Diff against target: 61 lines (+39/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/match-host-certs-w-public-keys.patch (+30/-0)
debian/patches/series (+1/-0)
Reviewer: Utkarsh Gupta (community)
Review status: Approve
Review via email: mp+412723@code.launchpad.net

Description of the change

sbuild results

+------------------------------------------------------------------------------+
| Post Build |
+------------------------------------------------------------------------------+

+------------------------------------------------------------------------------+
| Cleanup |
+------------------------------------------------------------------------------+

Purging /<<BUILDDIR>>
Not cleaning session: cloned chroot in use

+------------------------------------------------------------------------------+
| Summary |
+------------------------------------------------------------------------------+

Build Architecture: amd64
Build Type: full
Build-Space: 153028
Build-Time: 471
Distribution: focal
Host Architecture: amd64
Install-Time: 77
Job: /home/kajiya/Desktop/sruu/openssh_8.2p1-4ubuntu0.4.dsc
Lintian: fail
Machine Architecture: amd64
Package: openssh
Package-Time: 659
Source-Version: 1:8.2p1-4ubuntu0.4
Space: 153028
Status: successful
Version: 1:8.2p1-4ubuntu0.4
--------------------------------------------------------------------------------
Finished at 2021-12-02T22:54:44Z
Build needed 00:10:59, 153028k disk space

Chloé Smith (kajiya) wrote :

@utkarsh

Soooo we have an error when we run autopkgtest :S

```````````````````````````````````````
autopkgtest [23:04:01]: testing package openssh version 1:8.2p1-4ubuntu0.4
autopkgtest [23:04:01]: build not needed
autopkgtest [23:04:45]: test regress: preparing testbed
Get:1 file:/tmp/autopkgtest.rmLHnm/binaries InRelease
Ign:1 file:/tmp/autopkgtest.rmLHnm/binaries InRelease
Get:2 file:/tmp/autopkgtest.rmLHnm/binaries Release [816 B]
Get:2 file:/tmp/autopkgtest.rmLHnm/binaries Release [816 B]
Get:3 file:/tmp/autopkgtest.rmLHnm/binaries Release.gpg
Ign:3 file:/tmp/autopkgtest.rmLHnm/binaries Release.gpg
Get:4 file:/tmp/autopkgtest.rmLHnm/binaries Packages [9,796 B]
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Starting pkgProblemResolver with broken count: 3
Starting 2 pkgProblemResolver with broken count: 3
Investigating (0) openssh-client:amd64 < 1:8.2p1-4ubuntu0.3 -> 1:8.4p1-5ubuntu1.2 @ii pumU Ib >
Broken openssh-client:amd64 Depends on libc6:amd64 < 2.31-0ubuntu9.2 @ii mK > (>= 2.33)
Broken openssh-client:amd64 Depends on libfido2-1:amd64 < 1.3.1-1ubuntu2 @ii mK > (>= 1.5.0)
Broken openssh-client:amd64 Depends on libselinux1:amd64 < 3.0-1build2 @ii mK > (>= 3.1~)
Investigating (0) openssh-server:amd64 < 1:8.2p1-4ubuntu0.3 -> 1:8.4p1-5ubuntu1.2 @ii pumU Ib >
Broken openssh-server:amd64 Depends on libc6:amd64 < 2.31-0ubuntu9.2 @ii mK > (>= 2.33)
Broken openssh-server:amd64 Depends on libselinux1:amd64 < 3.0-1build2 @ii mK > (>= 3.1~)
Investigating (0) openssh-sftp-server:amd64 < 1:8.2p1-4ubuntu0.3 -> 1:8.4p1-5ubuntu1.2 @ii pumU Ib >
Broken openssh-sftp-server:amd64 Depends on libc6:amd64 < 2.31-0ubuntu9.2 @ii mK > (>= 2.33)
Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 openssh-client : Depends: libc6 (>= 2.33) but 2.31-0ubuntu9.2 is to be installed
                  Depends: libfido2-1 (>= 1.5.0) but 1.3.1-1ubuntu2 is to be installed
                  Depends: libselinux1 (>= 3.1~) but 3.0-1build2 is to be installed
 openssh-server : Depends: libc6 (>= 2.33) but 2.31-0ubuntu9.2 is to be installed
                  Depends: libselinux1 (>= 3.1~) but 3.0-1build2 is to be installed
 openssh-sftp-server : Depends: libc6 (>= 2.33) but 2.31-0ubuntu9.2 is to be installed
W: --force-yes is deprecated, use one of the options starting with --allow instead.
E: Unable to correct problems, you have held broken packages.
blame: arg:../openssh-client_8.2p1-4ubuntu0.4_amd64.deb deb:openssh-client arg:../openssh-client_8.4p1-5ubuntu1.2_amd64.deb deb:openssh-client arg:../openssh-server_8.2p1-4ubuntu0.4_amd64.deb deb:opens.
badpkg: installation of basic binaries failed, exit code 100
autopkgtest [23:04:49]: ERROR: erroneous package: installation of basic binaries failed, exit code 100
qemu-system-x86_64: terminating on signal 15 from pid 284096 (/usr/bin/python3)

````````````````````````````...


Utkarsh Gupta (utkarsh) wrote :

Hi Chloe,

> I'm assuming this is because it doesn't like the version
> I incremented using dch -i (1:8.2p1-4ubuntu0.4), but I'm
> not sure how to proceed. Any advice would be appreciated :D

Oh no, you did everything well! The version increment is absolutely correct and so is everything else (though a minor nitpick mentioned below in comments).

I've gone through your trace above and I feel that you're running this autopkgtest for another suite. I mean, either the debs produced are for Hirsute and you're running them in the Focal image or the other way round. But that said, I could build the package successfully and ran all the autopkgtests, too, via `autopkgtest -U -s --apt-pocket=proposed -B ../*.deb -- qemu ~/ubuntu/images/autopkgtest-focal-amd64.img` and here are the results:

autopkgtest [17:14:46]: test regress: -----------------------]
autopkgtest [17:14:47]: test regress: - - - - - - - - - - results - - - - - - - - - -
regress PASS
autopkgtest [17:14:47]: @@@@@@@@@@@@@@@@@@@@ summary
regress PASS

..and so since everything else looks good, I've sponsored this upload as well:
$ dput ubuntu ../openssh_8.2p1-4ubuntu0.4_source.changes
Checking signature on .changes
gpg: ../openssh_8.2p1-4ubuntu0.4_source.changes: Valid signature from 823E967606C34B96
Checking signature on .dsc
gpg: ../openssh_8.2p1-4ubuntu0.4.dsc: Valid signature from 823E967606C34B96
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_8.2p1-4ubuntu0.4.dsc: done.
  Uploading openssh_8.2p1.orig.tar.gz: done.
  Uploading openssh_8.2p1-4ubuntu0.4.debian.tar.xz: done.
  Uploading openssh_8.2p1-4ubuntu0.4_source.buildinfo: done.
  Uploading openssh_8.2p1-4ubuntu0.4_source.changes: done.
Successfully uploaded packages.

review: Approve

Unmerged commits

96e7637... by Chloé Smith

* Update d/ch for 1:8.2p1-4ubuntu0.4 release

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index c7904a4..1a9555f 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+openssh (1:8.2p1-4ubuntu0.4) focal; urgency=medium
7+
8+ * d/p/match-host-certs-w-public-keys.patch: Add patch
9+ to match host certificates agianst host public keys.
10+ (LP: #1952421
11+
12+ -- Chloé S <chloe.smith@canonical.com> Thu, 02 Dec 2021 22:38:52 +0000
13+
14 openssh (1:8.2p1-4ubuntu0.3) focal; urgency=medium
15
16 * d/systemd/ssh@.service: preserve the systemd managed runtime directory to
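Review bot: The new 1:8.2p1-4ubuntu0.4 entry has two text errors: "agianst" should be "against", and the bug reference "(LP: #1952421" is missing its closing parenthesis. Suggest "to match host certificates against host public keys." followed by "(LP: #1952421)". The trailer is signed "Chloé S" while the proposal is by Chloé Smith; check that the name matches what the signing key and earlier uploads use.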
17diff --git a/debian/patches/match-host-certs-w-public-keys.patch b/debian/patches/match-host-certs-w-public-keys.patch
18new file mode 100644
19index 0000000..2f4d509
20--- /dev/null
21+++ b/debian/patches/match-host-certs-w-public-keys.patch
22@@ -0,0 +1,30 @@
23+Description: Match host certificates against host public keys
24+ not private keys. Allows use of certificates with private keys
25+ held in a ssh-agent.
26+Origin: upstream
27+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3254
28+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421
29+Forwarded: not-needed
30+Applied-Upstream: https://github.com/openssh/openssh-portable/commit/530739d4
31+
32+From 530739d42f6102668aecd699be0ce59815c1eceb Mon Sep 17 00:00:00 2001
33+From: "djm@openbsd.org" <djm@openbsd.org>
34+Date: Sun, 6 Jun 2021 11:34:16 +0000
35+Reported by Miles Zhou in bz3524; ok dtucker@
36+OpenBSD-Commit-ID: 25f5bf70003126d19162862d9eb380bf34bac22a
37+
38+---
39+ sshd.c | 4 ++--
40+ 1 file changed, 2 insertions(+), 2 deletions(-)
41+
42+--- a/sshd.c
43++++ b/sshd.c
44+@@ -1896,7 +1896,7 @@
45+ /* Find matching private key */
46+ for (j = 0; j < options.num_host_key_files; j++) {
47+ if (sshkey_equal_public(key,
48+- sensitive_data.host_keys[j])) {
49++ sensitive_data.host_pubkeys[j])) {
50+ sensitive_data.host_certificates[j] = key;
51+ break;
52+ }
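Review bot: The patch header is inconsistent about the upstream bug: the quoted commit text says "Reported by Miles Zhou in bz3524" while the DEP-3 "Bug:" field points at show_bug.cgi?id=3254. Please confirm which number is right; if the commit text is reproduced verbatim from upstream, keep it but make sure the "Bug:" URL is the verified one, since that is what people will follow. The diffstat also claims "2 insertions(+), 2 deletions(-)" while the sshd.c hunk changes a single line, so part of the upstream commit appears to have been dropped; either refresh the diffstat or say in the Description what was omitted. Minor: the context comment "/* Find matching private key */" no longer describes the comparison now that the loop checks sensitive_data.host_pubkeys[j], which is worth knowing when reading the result even if the wording is left as upstream has it.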
53diff --git a/debian/patches/series b/debian/patches/series
54index b5b84a9..0d109af 100644
55--- a/debian/patches/series
56+++ b/debian/patches/series
57@@ -25,3 +25,4 @@ conch-old-privkey-format.patch
58 revert-ipqos-defaults.patch
59 lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch
60 CVE-2021-28041.patch
61+match-host-certs-w-public-keys.patch
