Ubuntu
openssh package

Merge ~michal-maloszewski99/ubuntu/+source/openssh:mantic-openssh-lp2031942 into ubuntu/+source/openssh:ubuntu/devel

  1. Git
  2. lp:~michal-maloszewski99/ubuntu/+source/openssh
  3. mantic-openssh-lp2031942
  4. Merge into ubuntu/devel
Proposed by Michał Małoszewski
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 6a6f3968b85ebae91377523c545f799dfcba19d1
Proposed branch: ~michal-maloszewski99/ubuntu/+source/openssh:mantic-openssh-lp2031942
Merge into: ubuntu/+source/openssh:ubuntu/devel
Diff against target: 66 lines (+44/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/fix-authorized-principals-command.patch (+34/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Sergio Durigan Junior (community) Approve
Canonical Server Reporter Pending
Review via email: mp+449957@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-mantic-michal-maloszewski99-ppa-openssh-mantic-lp2031942/?format=plain)
  openssh @ amd64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-mantic-michal-maloszewski99-ppa-openssh-mantic-lp2031942/mantic/amd64/o/openssh/20230824_225956_6f57b@/log.gz
    24.08.23 22:59:56 ✅ Triggers: openssh/1:9.3p1-1ubuntu3~ppa1
  openssh @ arm64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-mantic-michal-maloszewski99-ppa-openssh-mantic-lp2031942/mantic/arm64/o/openssh/20230824_233617_e1c56@/log.gz
    24.08.23 23:36:17 ✅ Triggers: openssh/1:9.3p1-1ubuntu3~ppa1
  openssh @ ppc64el:
    http://autopkgtest.ubuntu.com/results/autopkgtest-mantic-michal-maloszewski99-ppa-openssh-mantic-lp2031942/mantic/ppc64el/o/openssh/20230824_224848_b01f8@/log.gz
    24.08.23 22:48:48 ✅ Triggers: openssh/1:9.3p1-1ubuntu3~ppa1
  openssh @ s390x:
    http://autopkgtest.ubuntu.com/results/autopkgtest-mantic-michal-maloszewski99-ppa-openssh-mantic-lp2031942/mantic/s390x/o/openssh/20230824_233826_27e9f@/log.gz
    24.08.23 23:38:26 ✅ Triggers: openssh/1:9.3p1-1ubuntu3~ppa1
Running: (none)
Waiting: (none)

Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

Please review.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks, Michal.

LGTM. This actually fixes the bug. I suspect that the reason you are not able to verify is because the process is (much) more involved.

You have to set up the Authorized*Commands scripts making sure to set their permission bits exactly as openssh expects. You also need to configure openssh to authenticate users using signed keys with principals (see https://dmuth.medium.com/ssh-at-scale-cas-and-principals-b27edca3a5d which contains a good initial guide on how to do this). Finally, it's really important to declare AuthorizedKeysCommands *before* AuthorizedPrincipalCommands, otherwise the bug won't manifest due to the way the config file parsing is done.

After all that, you should be able to finally verify the bug manifesting, and also seeing it being fixed with the proposed change.

I'll go ahead and upload this one because it doesn't require an SRU text.

Uploaded:

$ dput openssh_9.3p1-1ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/openssh/openssh_9.3p1-1ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/openssh/openssh_9.3p1-1ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_9.3p1-1ubuntu3.dsc: done.
  Uploading openssh_9.3p1-1ubuntu3.debian.tar.xz: done.
  Uploading openssh_9.3p1-1ubuntu3_source.buildinfo: done.
  Uploading openssh_9.3p1-1ubuntu3_source.changes: done.
Successfully uploaded packages.

review: Approve
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Ops, when I was writing the main comment I forgot about the minor nit I raised on d/changelog. Oh well, that's not really important, so it should be fine.

Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: sergiodj, michal-maloszewski99
Uploaders: sergiodj
MP auto-approved

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 478108f..240901f 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,12 @@
6+openssh (1:9.3p1-1ubuntu3) mantic; urgency=medium
7+
8+ * d/p/fix-authorized-principals-command.patch: Fix the situation where
9+ sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
10+ is also set by checking if the value pointed to by the pointer
11+ 'charptr' is NULL. (LP: #2031942)
12+
13+ -- Michal Maloszewski <michal.maloszewski@canonical.com> Thu, 24 Aug 2023 15:20:27 +0200
14+
15 openssh (1:9.3p1-1ubuntu2) mantic; urgency=medium
16
17 * SECURITY UPDATE: remote code execution relating to PKCS#11 providers
18diff --git a/debian/patches/fix-authorized-principals-command.patch b/debian/patches/fix-authorized-principals-command.patch
19new file mode 100644
20index 0000000..9a41dc3
21--- /dev/null
22+++ b/debian/patches/fix-authorized-principals-command.patch
23@@ -0,0 +1,34 @@
24+From fcd78e31cdd45a7e69ccfe6d8a3b1037dc1de290 Mon Sep 17 00:00:00 2001
25+From: "djm@openbsd.org" <djm@openbsd.org>
26+Date: Wed, 24 May 2023 23:01:06 +0000
27+Subject: [PATCH] upstream: fix AuthorizedPrincipalsCommand when
28+ AuthorizedKeysCommand
29+
30+Origin: upstream, https://github.com/openssh/openssh-portable/commit/fcd78e31cdd45a7e69ccfe6d8a3b1037dc1de290
31+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3574
32+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2031942
33+Last-Update: 2023-08-24
34+---
35+ servconf.c | 4 ++--
36+ 1 file changed, 2 insertions(+), 2 deletions(-)
37+
38+diff --git a/servconf.c b/servconf.c
39+index 9d5b73ecfc0..0f4fd2f17e3 100644
40+--- a/servconf.c
41++++ b/servconf.c
42+@@ -1,5 +1,5 @@
43+
44+-/* $OpenBSD: servconf.c,v 1.392 2023/03/05 05:34:09 dtucker Exp $ */
45++/* $OpenBSD: servconf.c,v 1.393 2023/05/24 23:01:06 djm Exp $ */
46+ /*
47+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
48+ * All rights reserved
49+@@ -2403,7 +2403,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
50+ fatal("%.200s line %d: %s must be an absolute path",
51+ filename, linenum, keyword);
52+ }
53+- if (*activep && options->authorized_keys_command == NULL)
54++ if (*activep && *charptr == NULL)
55+ *charptr = xstrdup(str + len);
56+ argv_consume(&ac);
57+ break;
58diff --git a/debian/patches/series b/debian/patches/series
59index 6230ec4..6df52e3 100644
60--- a/debian/patches/series
61+++ b/debian/patches/series
62@@ -30,3 +30,4 @@ test-set-UsePAM-no-on-some-tests.patch
63 CVE-2023-38408-1.patch
64 CVE-2023-38408-2.patch
65 CVE-2023-38408-3.patch
66+fix-authorized-principals-command.patch

Subscribers

People subscribed via source and target branches