2023-08-18 18:55:53 |
Matthew Garrett |
bug |
|
|
added bug |
2023-08-18 18:55:53 |
Matthew Garrett |
attachment added |
|
fix-parsing.diff https://bugs.launchpad.net/bugs/2031942/+attachment/5693081/+files/fix-parsing.diff |
|
2023-08-18 18:57:05 |
Matthew Garrett |
bug watch added |
|
https://bugzilla.mindrot.org/show_bug.cgi?id=3574 |
|
2023-08-18 19:34:05 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2023-08-18 19:34:07 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2023-08-21 12:20:01 |
Athos Ribeiro |
openssh (Ubuntu): status |
New |
Triaged |
|
2023-08-21 12:21:32 |
Athos Ribeiro |
tags |
patch |
bitesize patch |
|
2023-08-21 12:21:47 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Mantic |
|
2023-08-21 12:21:47 |
Athos Ribeiro |
bug task added |
|
openssh (Ubuntu Mantic) |
|
2023-08-21 12:21:47 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Lunar |
|
2023-08-21 12:21:47 |
Athos Ribeiro |
bug task added |
|
openssh (Ubuntu Lunar) |
|
2023-08-21 12:21:47 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Jammy |
|
2023-08-21 12:21:47 |
Athos Ribeiro |
bug task added |
|
openssh (Ubuntu Jammy) |
|
2023-08-21 12:22:11 |
Athos Ribeiro |
bug |
|
|
added subscriber Ubuntu Server |
2023-08-21 12:25:08 |
Athos Ribeiro |
tags |
bitesize patch |
bitesize patch server-todo |
|
2023-08-23 15:31:43 |
Michał Małoszewski |
openssh (Ubuntu Jammy): assignee |
|
Michał Małoszewski (michal-maloszewski99) |
|
2023-08-23 15:31:46 |
Michał Małoszewski |
openssh (Ubuntu Lunar): assignee |
|
Michał Małoszewski (michal-maloszewski99) |
|
2023-08-23 15:31:48 |
Michał Małoszewski |
openssh (Ubuntu Mantic): assignee |
|
Michał Małoszewski (michal-maloszewski99) |
|
2023-08-23 15:46:28 |
Michał Małoszewski |
openssh (Ubuntu Jammy): status |
New |
In Progress |
|
2023-08-23 15:46:32 |
Michał Małoszewski |
openssh (Ubuntu Lunar): status |
New |
In Progress |
|
2023-08-23 15:46:35 |
Michał Małoszewski |
openssh (Ubuntu Mantic): status |
Triaged |
In Progress |
|
2023-08-25 14:48:08 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/openssh/+git/openssh/+merge/449957 |
|
2023-08-28 10:52:38 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/openssh/+git/openssh/+merge/450039 |
|
2023-08-29 13:28:17 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/openssh/+git/openssh/+merge/450134 |
|
2023-08-29 15:23:35 |
Michał Małoszewski |
description |
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
TBD
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-08-29 18:00:09 |
Launchpad Janitor |
openssh (Ubuntu Mantic): status |
In Progress |
Fix Released |
|
2023-09-01 05:29:10 |
Michał Małoszewski |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
TBD
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory using ‘cd’ command and from there create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser and inside:
# ssh-keygen -t ed25519 -f key
Go to the certuser and inside:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script ‘/root/reproducer/authorized_principals’ with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit from the file and set the permission bits:
# chmod 755 authorized_principals
Stay in the same directory and create a user called otheruser:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Go back to the reproducer/ directory and create a new script called authorized_keys:
# nano authorized_keys
Add inside:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Exit from the file and set permission bits:
# chmod 755 authorized_keys
Go to the etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-09-01 13:35:17 |
Michał Małoszewski |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory using ‘cd’ command and from there create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser and inside:
# ssh-keygen -t ed25519 -f key
Go to the certuser and inside:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script ‘/root/reproducer/authorized_principals’ with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit from the file and set the permission bits:
# chmod 755 authorized_principals
Stay in the same directory and create a user called otheruser:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Go back to the reproducer/ directory and create a new script called authorized_keys:
# nano authorized_keys
Add inside:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Exit from the file and set permission bits:
# chmod 755 authorized_keys
Go to the etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script ‘/root/reproducer/authorized_principals’ with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script ‘/root/reproducer/authorized_keys’ with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-09-01 13:42:00 |
Michał Małoszewski |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script ‘/root/reproducer/authorized_principals’ with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script ‘/root/reproducer/authorized_keys’ with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-09-01 13:43:57 |
Michał Małoszewski |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-09-01 13:45:03 |
Michał Małoszewski |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-09-01 13:52:08 |
Michał Małoszewski |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config file.
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-09-01 13:52:59 |
Michał Małoszewski |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config file.
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config file.
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-09-01 14:01:13 |
Michał Małoszewski |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config file.
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config file.
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
2023-09-04 09:42:47 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Christian Ehrhardt |
2023-09-06 17:21:01 |
Andreas Hasenack |
description |
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config file.
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
[Impact]
User of openssh reported an issue that affects Lunar and Jammy.
If AuthorizedKeysCommand is set, an AuthorizedPrincipalsCommand configuration in sshd_config that comes after it is ignored. In this scenario, where AuthorizedPrincipalsCommand is needed and set, users relying on ssh certificates for authentication will be denied access.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config file.
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to memory handling and fetching data.
---------------------------------original report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. |
|
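Added example, not part of the bug description and not OpenSSH's servconf.c: a simplified C model of the shared store step the report quotes, with the reported guard beside the 'charptr' check the Impact text describes. The names server_options, parse_line, principals_set, dup_string and use_fix are hypothetical, and the two config lines are constructed from the test plan's sshd_config.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for sshd's options: only the two fields the report names. */
struct server_options {
    char *authorized_keys_command;
    char *authorized_principals_command;
};

/* Constructed sample input: the two command directives from the test plan. */
static const char *const sample_config[2][2] = {
    { "AuthorizedKeysCommand", "/root/reproducer/authorized_keys %u" },
    { "AuthorizedPrincipalsCommand", "/root/reproducer/authorized_principals %u" },
};

/* Minimal replacement for xstrdup so the example has no external dependency. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);

    if (p == NULL)
        abort();
    memcpy(p, s, n);
    return p;
}

/*
 * Both keywords pick a destination through charptr and then share one store
 * step. use_fix = 0 keeps the guard quoted in the report; use_fix = 1 tests
 * the slot charptr points at instead.
 */
static void parse_line(struct server_options *options, const char *keyword,
    const char *str, int use_fix)
{
    char **charptr;
    int active = 1, *activep = &active;   /* assume we are not in a Match block */
    size_t len = strspn(str, " \t");      /* skip leading whitespace */

    if (strcmp(keyword, "AuthorizedKeysCommand") == 0)
        charptr = &options->authorized_keys_command;
    else if (strcmp(keyword, "AuthorizedPrincipalsCommand") == 0)
        charptr = &options->authorized_principals_command;
    else
        return;

    if (use_fix) {
        if (*activep && *charptr == NULL)
            *charptr = dup_string(str + len);
    } else {
        /* Reported guard: always tests the keys field, whatever charptr targets. */
        if (*activep && options->authorized_keys_command == NULL)
            *charptr = dup_string(str + len);
    }
}

/* Parse the sample config in the chosen order; 1 if the principals command was stored. */
int principals_set(int use_fix, int keys_first)
{
    struct server_options o = { NULL, NULL };
    int i, set;

    for (i = 0; i < 2; i++) {
        int idx = keys_first ? i : 1 - i;
        parse_line(&o, sample_config[idx][0], sample_config[idx][1], use_fix);
    }
    set = (o.authorized_principals_command != NULL);
    free(o.authorized_keys_command);
    free(o.authorized_principals_command);
    return set;
}

int main(void)
{
    printf("reported guard, keys first:       principals stored = %d\n", principals_set(0, 1));
    printf("reported guard, principals first: principals stored = %d\n", principals_set(0, 0));
    printf("charptr check,  keys first:       principals stored = %d\n", principals_set(1, 1));
    printf("charptr check,  principals first: principals stored = %d\n", principals_set(1, 0));
    return 0;
}
```

With the reported guard the principals command is dropped only when the keys command was parsed first, which matches the ordering in the test plan's sshd_config.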
2023-09-06 17:30:16 |
Andreas Hasenack |
openssh (Ubuntu Lunar): status |
In Progress |
Fix Committed |
|
2023-09-06 17:30:17 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-09-06 17:30:20 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
2023-09-06 17:30:25 |
Andreas Hasenack |
tags |
bitesize patch server-todo |
bitesize patch server-todo verification-needed verification-needed-lunar |
|
2023-09-06 17:31:08 |
Andreas Hasenack |
openssh (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-09-06 17:31:15 |
Andreas Hasenack |
tags |
bitesize patch server-todo verification-needed verification-needed-lunar |
bitesize patch server-todo verification-needed verification-needed-jammy verification-needed-lunar |
|
2023-09-11 16:28:11 |
Lena Voytek |
tags |
bitesize patch server-todo verification-needed verification-needed-jammy verification-needed-lunar |
bitesize patch server-todo verification-done verification-done-jammy verification-done-lunar |
|
2023-09-14 14:40:26 |
Launchpad Janitor |
openssh (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
2023-09-14 14:40:32 |
Andreas Hasenack |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-09-14 14:40:49 |
Launchpad Janitor |
openssh (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-09-15 14:29:29 |
Michał Małoszewski |
tags |
bitesize patch server-todo verification-done verification-done-jammy verification-done-lunar |
bitesize patch verification-done verification-done-jammy verification-done-lunar |
|