Installing openssh-blacklist removes custom blacklist

Bug #702677 reported by Paul van Genderen
Affects                     Status   Importance   Assigned to   Milestone
openssh-blacklist (Ubuntu)  New      Undecided    Unassigned    (none)

Bug Description

Binary package hint: openssh-blacklist

From ssh-vulnkey(1) in package openssh-client:

>/usr/share/ssh/blacklist.TYPE-LENGTH
> If present, lists the blacklisted keys of type TYPE (“RSA” or
> “DSA”) and bit length LENGTH. The format of this file is
> described above. RSA1 keys are converted to RSA before being
> checked in the blacklist. Note that the fingerprints of RSA1
> keys are computed differently, so you will not be able to find
> them in the blacklist by hand.
>
>/etc/ssh/blacklist.TYPE-LENGTH
> Same as /usr/share/ssh/blacklist.TYPE-LENGTH, but may be edited
> by the system administrator to add new blacklist entries.

I use this to blacklist (potentially) compromised or otherwise unwanted keys. This includes anyone whose account got removed (for whatever reason).

openssh-blacklist installs its list in the aforementioned /usr/share/ssh directory and has no configuration files. When a custom blacklist exists and this package is installed, it will move the file, e.g.:

>Obsolete conffile /etc/ssh/blacklist.RSA-2048 has been modified by you.
>Saving as /etc/ssh/blacklist.RSA-2048.dpkg-bak ...

These are the top two entries in the changelog:

>openssh-blacklist (0.4.1) unstable; urgency=low
>
> * debian/openssh-blacklist{,-extra}.preinst: Correctly clean up old
> /etc/ssh blacklist entries (Closes: 483549).
>
> -- Kees Cook <email address hidden> Thu, 29 May 2008 09:37:50 -0700
>
>openssh-blacklist (0.4) unstable; urgency=low
>
> * Relocate blacklists to /usr/share/ssh (Closes: #481283).
>
> -- Kees Cook <email address hidden> Wed, 28 May 2008 11:36:00 -0700

The fix of this bug ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483549 ) probably was correct back then; here's the same manual page as before but from 2008 (openssh-client 1:4.7p1-8ubuntu1.2):

>/etc/ssh/blacklist.TYPE-LENGTH
> If present, lists the blacklisted keys of type TYPE (“RSA1”, “RSA”, or “DSA”) and bit length LENGTH.
> The format of this file is described above.

It doesn't mention /usr/share/ssh, nor does it mention anything about editing this file. However, it seems the preinst script was never updated to reflect the new manual page. Likely because they aren't from the same package and these two packages have different maintainers. Furthermore, most Debian users are unlikely to be affected by this bug because the openssh packages on Debian recommend the blacklist packages rather than suggesting them (to free up CD space).

$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
$ apt-cache policy openssh-blacklist
openssh-blacklist:
  Geïnstalleerd: 0.4.1
  Kandidaat: 0.4.1
  Versietabel:
 *** 0.4.1 0
        500 http://nl.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
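The report describes a concrete failure mode: the preinst of openssh-blacklist renames an administrator-maintained /etc/ssh/blacklist.TYPE-LENGTH to a .dpkg-bak file, so ssh-vulnkey silently stops seeing the custom entries. The POSIX sh script below is an added example (not code from the bug report, the openssh-blacklist package, or ssh-vulnkey) of a post-install check that finds such displaced blacklists and puts their entries back. The directory is a parameter so the check can be exercised on a scratch copy; on a real host it would be /etc/ssh. The sample blacklist contents are constructed placeholders, and the function names (find_displaced_blacklists, restore_blacklist, restore_all, make_demo) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the openssh-blacklist package.
# Detects custom ssh-vulnkey blacklists that a package upgrade renamed to
# *.dpkg-bak and restores their entries so hand-added keys stay blacklisted.

# Print the path of every blacklist.*.dpkg-bak file in the directory $1.
find_displaced_blacklists() {
    for bak in "$1"/blacklist.*.dpkg-bak; do
        [ -e "$bak" ] || continue
        printf '%s\n' "$bak"
    done
}

# Restore one displaced blacklist ($1 = path to the .dpkg-bak file).
# If the live file is gone, move the backup back into place. If a live
# file exists, append every non-comment entry the live file lacks, then
# remove the backup. Prints the number of entries restored or merged.
restore_blacklist() {
    bak=$1
    live=${bak%.dpkg-bak}
    if [ ! -e "$live" ]; then
        n=$(grep -c -v '^#' "$bak" || true)
        mv "$bak" "$live"
        echo "$n"
        return 0
    fi
    n=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! grep -qxF -- "$line" "$live"; then
            printf '%s\n' "$line" >> "$live"
            n=$((n + 1))
        fi
    done < "$bak"
    rm -f "$bak"
    echo "$n"
}

# Restore every displaced blacklist under $1; prints the total entry count.
restore_all() {
    total=0
    for bak in "$1"/blacklist.*.dpkg-bak; do
        [ -e "$bak" ] || continue
        n=$(restore_blacklist "$bak")
        total=$((total + n))
    done
    echo "$total"
}

# Constructed scenario in a scratch directory (entries are made-up values,
# not real key fingerprints): one blacklist whose live copy vanished, and
# one whose live copy was recreated with a different entry.
make_demo() {
    demo=$(mktemp -d)
    printf '# custom RSA-2048 blacklist\nfeedfacecafebeef0001\n' \
        > "$demo/blacklist.RSA-2048.dpkg-bak"
    printf '# custom DSA-1024 blacklist\ndeadbeef000000000002\n' \
        > "$demo/blacklist.DSA-1024.dpkg-bak"
    printf '0000000000000000abcd\n' > "$demo/blacklist.DSA-1024"
    echo "$demo"
}

# Stand-alone run: ./check_blacklists.sh --demo exercises the scratch
# scenario; on a host you would instead call restore_all /etc/ssh.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo)
    echo "displaced: $(find_displaced_blacklists "$demo" | wc -l | tr -d ' ')"
    echo "entries restored: $(restore_all "$demo")"
    rm -rf "$demo"
fi
```

Running find_displaced_blacklists alone is enough for a monitoring check (a non-empty result after an apt run means custom entries are currently ignored); restore_all is the remediation, and its merge branch avoids clobbering a live file that was created after the rename.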
