Your message dated Tue, 16 Apr 2024 18:52:14 +0000 with message-id <E1rwnug-00AWqh-Mh@fasolo.debian.org> and subject line Bug#1008675: fixed in pam-ssh-agent-auth 0.10.3-8 has caused the Debian Bug report #1008675, regarding pam-ssh-agent-auth: Replace MD5 key fingerprints with SHA256 fingerprints as printed by ssh-keygen -l to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1008675: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008675 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: pam-ssh-agent-auth: Replace MD5 key fingerprints with SHA256 fingerprints as printed by ssh-keygen -l
- From: Tobias Heider <tobias.heider@canonical.com>
- Date: Wed, 30 Mar 2022 14:52:22 +0200
- Message-id: <164864474248.61444.3151595574934060727.reportbug@shodan>
Package: pam-ssh-agent-auth Severity: minor Tags: patch User: ubuntu-devel@lists.ubuntu.com Usertags: origin-ubuntu jammy ubuntu-patch Dear Maintainer, In Ubuntu, the attached patch was applied to achieve the following: * debian/patches/fingerprint_sha256.patch: Use SHA256 with base64 encoding for key fingerprints. MD5 fingerprints are deprecated, OpenSSH has switched to SHA256 since OpenSSH 6.8. This will make the fingerprints compatible with ssh-keygen -l and allow the package to work in FIPS mode. (LP: #1964486) Thanks for considering the patch. -- System Information: Debian Release: bookworm/sid APT prefers jammy APT policy: (1001, 'jammy') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.15.0-23-generic (SMP w/8 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch
--- pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch 1970-01-01 01:00:00.000000000 +0100
+++ pam-ssh-agent-auth-0.10.3/debian/patches/fingerprint_sha256.patch 2022-03-17 15:31:12.000000000 +0100
@@ -0,0 +1,116 @@
+Description: Switch key fingerprint hash algorithm from MD5 to SHA256.
+ Use the newer base64 encoding format introduced in OpenSSH 6.8 to produce
+ fingerprints compatible with ssh-keygen -l.
+Forwarded: yes
+Bug: https://github.com/jbeverly/pam_ssh_agent_auth/pull/37
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486
+Author: Tobias Heider <tobias.heider@canonical.com>
+
+Index: pam-ssh-agent-auth-0.10.3/key.c
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/key.c
++++ pam-ssh-agent-auth-0.10.3/key.c
+@@ -281,11 +281,8 @@ pamsshagentauth_key_fingerprint_raw(cons
+ *dgst_raw_length = 0;
+ 
+ switch (dgst_type) {
+- case SSH_FP_MD5:
+- md = EVP_md5();
+- break;
+- case SSH_FP_SHA1:
+- md = EVP_sha1();
++ case SSH_FP_SHA256:
++ md = EVP_sha256();
+ break;
+ default:
+ pamsshagentauth_fatal("key_fingerprint_raw: bad digest type %d",
+@@ -338,6 +335,31 @@ pamsshagentauth_key_fingerprint_raw(cons
+ }
+ 
+ static char *
++key_fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
++{
++ char *ret;
++ size_t plen = strlen(alg) + 1;
++ size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
++ int r;
++
++ if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
++ return NULL;
++ pamsshagentauth_strlcpy(ret, alg, rlen);
++ pamsshagentauth_strlcat(ret, ":", rlen);
++ if (dgst_raw_len == 0)
++ return ret;
++ if ((r = pamsshagentauth___b64_ntop(dgst_raw, dgst_raw_len,
++ ret + plen, rlen - plen)) == -1) {
++ explicit_bzero(ret, rlen);
++ free(ret);
++ return NULL;
++ }
++ /* Trim padding characters from end */
++ ret[strcspn(ret, "=")] = '\0';
++ return ret;
++}
++
++static char *
+ key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
+ {
+ char *retval;
+@@ -405,6 +427,7 @@ key_fingerprint_bubblebabble(u_char *dgs
+ char *
+ pamsshagentauth_key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
+ {
++ const char *dgst_name;
+ char *retval = NULL;
+ u_char *dgst_raw;
+ u_int dgst_raw_len;
+@@ -416,6 +439,16 @@ pamsshagentauth_key_fingerprint(const Ke
+ case SSH_FP_HEX:
+ retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
+ break;
++ case SSH_FP_BASE64:
++ switch (dgst_type) {
++ case SSH_FP_SHA256:
++ dgst_name = "SHA256";
++ break;
++ default:
++ goto done;
++ }
++ retval = key_fingerprint_b64(dgst_name, dgst_raw, dgst_raw_len);
++ break;
+ case SSH_FP_BUBBLEBABBLE:
+ retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
+ break;
+@@ -424,6 +457,7 @@ pamsshagentauth_key_fingerprint(const Ke
+ dgst_rep);
+ break;
+ }
++ done:
+ memset(dgst_raw, 0, dgst_raw_len);
+ pamsshagentauth_xfree(dgst_raw);
+ return retval;
+Index: pam-ssh-agent-auth-0.10.3/pam_user_key_allowed2.c
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/pam_user_key_allowed2.c
++++ pam-ssh-agent-auth-0.10.3/pam_user_key_allowed2.c
+@@ -102,7 +102,7 @@ pamsshagentauth_check_authkeys_file(FILE
+ found_key = 1;
+ pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
+ linenum);
+- fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
++ fp = pamsshagentauth_key_fingerprint(found, SSH_FP_SHA256, SSH_FP_BASE64);
+ pamsshagentauth_logit("Found matching %s key: %s",
+ pamsshagentauth_key_type(found), fp);
+ pamsshagentauth_xfree(fp);
+Index: pam-ssh-agent-auth-0.10.3/key.h
+===================================================================
+--- pam-ssh-agent-auth-0.10.3.orig/key.h
++++ pam-ssh-agent-auth-0.10.3/key.h
+@@ -50,6 +50,7 @@ enum fp_type {
+ };
+ enum fp_rep {
+ SSH_FP_HEX,
++ SSH_FP_BASE64,
+ SSH_FP_BUBBLEBABBLE
+ };
+ 
diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/series pam-ssh-agent-auth-0.10.3/debian/patches/series
--- pam-ssh-agent-auth-0.10.3/debian/patches/series 2020-04-10 18:48:24.000000000 +0200
+++ pam-ssh-agent-auth-0.10.3/debian/patches/series 2022-03-17 15:31:12.000000000 +0100
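Review bot: The updated call in the pam_user_key_allowed2.c hunk, `fp = pamsshagentauth_key_fingerprint(found, SSH_FP_SHA256, SSH_FP_BASE64);`, can now return NULL through paths this patch introduces, yet the next two lines still format `fp` with `%s` in `pamsshagentauth_logit("Found matching %s key: %s", ...)` and then pass it to `pamsshagentauth_xfree(fp)` unchecked. The new NULL sources are the three failure exits in key_fingerprint_b64 (`dgst_raw_len > 65536`, calloc failure, `pamsshagentauth___b64_ntop` returning -1) and the `default: goto done;` arm under `case SSH_FP_BASE64:`, which leaves `retval` at its initial NULL; whether xfree tolerates NULL is not visible here, and the OpenSSH-derived xfree this code descends from historically calls fatal() on it, so a guard is cheaper than the assumption. I would change the two lines after the call to `pamsshagentauth_logit("Found matching %s key: %s", pamsshagentauth_key_type(found), fp != NULL ? fp : "(fingerprint unavailable)");` and `if (fp != NULL) pamsshagentauth_xfree(fp);`. Separately, the key.c hunk at `@@ -281,11 +281,8 @@` drops the SSH_FP_MD5 and SSH_FP_SHA1 arms while the key.h hunk leaves `enum fp_type` unchanged, so any other caller still passing those constants compiles but aborts at runtime via `pamsshagentauth_fatal`; a comment at that `default:` such as `/* MD5 and SHA1 fingerprints are no longer produced; only SSH_FP_SHA256 is accepted */` would make the narrowed contract explicit. Every function touched by these inner hunks starts and ends outside the quoted context.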
@@ -2,3 +2,4 @@
 openssl-1.1.1-1.patch
 openssl-1.1.1-2.patch
 lp1869512.patch
+fingerprint_sha256.patch
--- End Message ---
--- Begin Message ---
- To: 1008675-close@bugs.debian.org
- Subject: Bug#1008675: fixed in pam-ssh-agent-auth 0.10.3-8
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Tue, 16 Apr 2024 18:52:14 +0000
- Message-id: <E1rwnug-00AWqh-Mh@fasolo.debian.org>
- Reply-to: Petter Reinholdtsen <pere@debian.org>
Source: pam-ssh-agent-auth Source-Version: 0.10.3-8 Done: Petter Reinholdtsen <pere@debian.org> We believe that the bug you reported is fixed in the latest version of pam-ssh-agent-auth, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1008675@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Petter Reinholdtsen <pere@debian.org> (supplier of updated pam-ssh-agent-auth package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 16 Apr 2024 20:25:51 +0200 Source: pam-ssh-agent-auth Architecture: source Version: 0.10.3-8 Distribution: unstable Urgency: medium Maintainer: Debian QA Group <packages@qa.debian.org> Changed-By: Petter Reinholdtsen <pere@debian.org> Closes: 1008675 Changes: pam-ssh-agent-auth (0.10.3-8) unstable; urgency=medium . * QA upload. . * Updated vcs in d/control to Salsa. * Added d/gbp.conf to enforce the use of pristine-tar. * Updated Standards-Version from 4.6.2 to 4.7.0. * Removed no longer relevant branch information from d/gbp.conf. * Enabled hardening in d/rules. * Added 1000-clean-ed25519.patch to make source rebuildable. * Switched key fingerprint hash algorithm from MD5 to SHA256. 
(Closes: #1008675) Checksums-Sha1: 18374b833be88df77bf0fc22582197bc71023087 1983 pam-ssh-agent-auth_0.10.3-8.dsc a0380fff58cf50049f60e9f446ccebbcc4e6782a 17036 pam-ssh-agent-auth_0.10.3-8.debian.tar.xz f10a47e13c372bda06975620269bd8a1ca06b37a 6474 pam-ssh-agent-auth_0.10.3-8_source.buildinfo Checksums-Sha256: 73e919d8442aa92fa8f8874725922706466110e21343225537e221c22567ecb7 1983 pam-ssh-agent-auth_0.10.3-8.dsc 7348bd3d040ffa7726e55b793c4325c3c6518228275eee2621cafcf053bdd351 17036 pam-ssh-agent-auth_0.10.3-8.debian.tar.xz 72e4024ed7bbbf4353222ebbb2a5e559fdd82cf9fa65cb87dabfb6b26f856023 6474 pam-ssh-agent-auth_0.10.3-8_source.buildinfo Files: 20d2c368dc27ce42cd37edd7f557d39d 1983 libs optional pam-ssh-agent-auth_0.10.3-8.dsc 58fd6ce1c87ce7879e7c0a9c3c3aaf48 17036 libs optional pam-ssh-agent-auth_0.10.3-8.debian.tar.xz 1f685840f6a2aa8a7509883f9ef755b4 6474 libs optional pam-ssh-agent-auth_0.10.3-8_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEERqLf4owIeylOb9kkgSgKoIe6+w4FAmYewvIACgkQgSgKoIe6 +w4vIA/+LLrxS1OQaU41NyJ3WlxNQGNNhzqHmu0UjfhoLIcRzROwp/KB3fOW8qJP wiLQ/2jwmzCUitQx2L+TCKuK/K1pLGrhWEqWKpshuQ6tPWloL1SHQMg/OH2UYBTm Wmnhz23DL9pPoeUBmfS+TJD+5vB//ENKGLtDYggViszdCHsi8bWliCDEcQXvBYHF 7+k9tvju/uKJfi0rEJcUVkDVkHHyu+f3gb0DZ0DwgTrHq4XopHdqIub4WvqqlwUX eEENTTfVYsa03iYVhoyvXMJcxGCnmwaHLXC7PRBhMNMFaDMFInctlQfDAtZpZIVO OoeDLK/UjBERwbfI6hZtH5279mGlQLVuqpTeEHkPse7yx+7tyUBU/Ke77SmZrw53 1hJaMu9H3V8mg+4EYKXCrBKACgCEcSgkENaUBzsNxoDdFzt9YLes4/ogOk8xVkbA y8RiNPKYNDnFwoKNSmZvdWsJA7FhYBJGgUZQnbSmbst2NUb/oJtHvcTTdlXyg8kR Hz4whzBL9bs6OGxpBDp/TOi4+o7v+3LgkVCiZw7HHsuQ52Fkmc0DdSeksQc76n1f r2SHW7qs7Hmk5BjMdfe+BzIL/1yS7OTTRCZ8UUkGgcC1TEyLIuMu7cetxBLJmRsS IvgrWizqa6CNn25sZScu/mNfRR2j75aUMyS/yaKzrss4tMVxDOw= =uYad -----END PGP SIGNATURE-----Attachment: pgp3X4CCzFwVe.pgp
Description: PGP signature
--- End Message ---