Bug#220726: marked as done (obscure error messages if newlines in ~/.ssh/authorized_keys)
Your message dated Mon, 06 Jun 2005 18:17:18 -0400
with message-id <E1DfPuI-000640-00@newraff.debian.org>
and subject line Bug#220726: fixed in openssh 1:4.1p1-3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 14 Nov 2003 10:59:52 +0000
>From mh+debian-bugs@zugschlus.de Fri Nov 14 04:59:51 2003
Return-path: <mh+debian-bugs@zugschlus.de>
Received: from mail.ilk.de [194.121.104.8]
by master.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1AKbg6-0008Iu-00; Fri, 14 Nov 2003 04:59:50 -0600
Received: from fw1 (fw1.ilk.de [212.86.193.6])
by mail.ilk.de with SMTP id hAEAxneF001780;
Fri, 14 Nov 2003 11:59:49 +0100
Message-Id: <200311141100.hAEB0Duk024425@bonzo.intern.ilk.de>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: obscure error messages if newlines in ~/.ssh/authorized_keys
X-Mailer: reportbug 2.36
Date: Fri, 14 Nov 2003 11:59:36 +0100
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-5.2 required=4.0
tests=BAYES_20,HAS_PACKAGE,MSG_ID_ADDED_BY_MTA_3
version=2.53-bugs.debian.org_2003_11_13
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_11_13 (1.174.2.15-2003-03-30-exp)
Package: ssh
Version: 1:3.6.1p2-9
Severity: normal
When one goofs with his authorized_keys file (adding linefeeds into
the public key, for example), the ssh server reacts with "Nov 14
10:04:42 kes sshd[11927]: fatal: buffer_get: trying to get more bytes
129 than in buffer 39" in the syslog. This error message is likely to
cause a heart attack with whoever reads logcheck output because it
suggests a buffer overflow attack happening.
Please consider adding code to detect this particular error and
to emit a less scary error message like "OSI layer 8 problem:
Formatting error in ~$USER/.ssh/authorized_keys".
Greetings
Marc
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux kes 2.4.22-kes #1 Tue Oct 7 07:49:10 UTC 2003 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages ssh depends on:
ii adduser 3.51 Add and remove users and groups
ii debconf 1.3.20 Debian configuration management sy
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an
ii libpam-modules 0.76-14 Pluggable Authentication Modules f
ii libpam0g 0.76-14 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7c-5 SSL shared libraries
ii libwrap0 7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.1.4-16 compression library - runtime
-- debconf information excluded
---------------------------------------
Received: (at 220726-close) by bugs.debian.org; 6 Jun 2005 22:22:19 +0000
>From katie@ftp-master.debian.org Mon Jun 06 15:22:19 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DfPz8-0006p5-00; Mon, 06 Jun 2005 15:22:18 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DfPuI-000640-00; Mon, 06 Jun 2005 18:17:18 -0400
From: Colin Watson <cjwatson@debian.org>
To: 220726-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#220726: fixed in openssh 1:4.1p1-3
Message-Id: <E1DfPuI-000640-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Mon, 06 Jun 2005 18:17:18 -0400
Delivered-To: 220726-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 27
Source: openssh
Source-Version: 1:4.1p1-3
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_4.1p1-3_powerpc.udeb
to pool/main/o/openssh/openssh-client-udeb_4.1p1-3_powerpc.udeb
openssh-client_4.1p1-3_powerpc.deb
to pool/main/o/openssh/openssh-client_4.1p1-3_powerpc.deb
openssh-server-udeb_4.1p1-3_powerpc.udeb
to pool/main/o/openssh/openssh-server-udeb_4.1p1-3_powerpc.udeb
openssh-server_4.1p1-3_powerpc.deb
to pool/main/o/openssh/openssh-server_4.1p1-3_powerpc.deb
openssh_4.1p1-3.diff.gz
to pool/main/o/openssh/openssh_4.1p1-3.diff.gz
openssh_4.1p1-3.dsc
to pool/main/o/openssh/openssh_4.1p1-3.dsc
ssh-askpass-gnome_4.1p1-3_powerpc.deb
to pool/main/o/openssh/ssh-askpass-gnome_4.1p1-3_powerpc.deb
ssh_4.1p1-3_all.deb
to pool/main/o/openssh/ssh_4.1p1-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 220726@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 6 Jun 2005 22:28:33 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.1p1-3
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
openssh-client-udeb - Secure shell client for the Debian installer (udeb)
openssh-server - Secure shell server, an rshd replacement
openssh-server-udeb - Secure shell server for the Debian installer (udeb)
ssh - Secure shell client and server (transitional package)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 39741 87253 87900 141979 147212 147360 151321 162996 163933 192206 192234 220726 228828 233012 238699 242119 242462 247521 248747 250369 257130 264024 265339 265627 273831 275731 275895 276703 276754 277438 278394 278715 280190 281595 287013 289573 295757 296487 298536 298744 301852 303452 303787 307069 308868
Changes:
openssh (1:4.1p1-3) unstable; urgency=low
.
* Upload to unstable.
.
openssh (1:4.1p1-2) experimental; urgency=low
.
* Drop debconf support for allowing SSH protocol 1, which is discouraged
and has not been the default since openssh 1:3.0.1p1-1. Users who need
this should edit sshd_config instead (closes: #147212).
* Since ssh-keysign isn't used by default (you need to set
EnableSSHKeysign to "yes" in /etc/ssh/ssh_config), having a debconf
question to ask whether it should be setuid is overkill, and the
question text had got out of date anyway. Remove this question, ship
ssh-keysign setuid in openssh-client.deb, and set a statoverride if the
debconf question was previously set to false.
* Add lintian overrides for the above (setuid-binary,
no-debconf-templates).
* Fix picky lintian errors about slogin symlinks.
* Fix DEB_HOST_ARCH_OS/DEB_HOST_GNU_SYSTEM compatibility handling.
* Apply Linux 2.2 workaround (see #239999) only on Linux.
.
openssh (1:4.1p1-1) experimental; urgency=low
.
* New upstream release.
- Normalise socket addresses returned by get_remote_hostname(), fixing
4-in-6 mapping issues with AllowUsers et al (closes: #192234).
* Take upstream's hint and disable the unsupported USE_POSIX_THREADS
(closes: #295757, #308868, and possibly others; may open other bugs).
Use PAM password authentication to avoid #278394. In future I may
provide two sets of binaries built with and without this option, since
it seems I can't win.
* Disable ChallengeResponseAuthentication in new installations, returning
to PasswordAuthentication by default, since it now supports PAM and
apparently works better with a non-threaded sshd (closes: #247521).
* openssh-server Suggests: rssh (closes: #233012).
* Change libexecdir to /usr/lib/openssh, and fix up various alternatives
and configuration files to match (closes: #87900, #151321).
* Fix up very old sshd_config files that refer to /usr/libexec/sftp-server
(closes: #141979).
.
openssh (1:4.0p1-1) experimental; urgency=low
.
* New upstream release.
- Port-forwarding specifications now take optional bind addresses, and
the server allows client-specified bind addresses for remote port
forwardings when configured with "GatewayPorts clientspecified"
(closes: #87253, #192206).
- ssh and ssh-keyscan now support hashing of known_hosts files for
improved privacy. ssh-keygen has new options for managing known_hosts
files, which understand hashing.
- sftp supports command history and editing support using libedit
(closes: #287013).
- Have scp and sftp wait for the spawned ssh to exit before they exit
themselves, allowing ssh to restore terminal modes (closes: #257130).
- Improved the handling of bad data in authorized_keys files,
eliminating fatal errors on corrupt or very large keys; e.g. linefeeds
in keys only produce errors in auth.log now (closes: #220726).
- Add "command mode" to ssh connection multiplexing (closes: #303452).
- Mention $HOME/.hushlogin in sshd(8) FILES section (closes: #163933).
* Make gnome-ssh-askpass stay above other windows (thanks, Liyang HU;
closes: #296487).
* Remove obsolete and unnecessary ssh/forward_warning debconf note.
* Hurd build fixes (although sshd still doesn't work):
- Restore X forwarding fix from #102991, lost somewhere along the way.
- Link with -lcrypt.
- Link with -lpthread rather than -pthread.
- Don't build ssh-askpass-gnome on the Hurd, until GNOME is available to
satisfy build-dependencies.
* Drop workaround for #242462 on amd64; it's been fixed properly upstream.
* Enable HashKnownHosts by default. This only affects new entries; use
'ssh-keygen -H' to convert an entire known_hosts file to hashed format.
* Note in ssh_config(5) that the SetupTimeOut option is Debian-specific
(closes: #307069).
* debconf template translations:
- Update Czech (thanks, Miroslav Kure; closes: #298744).
- Update Finnish (thanks, Matti Pöllä; closes: #303787).
- Synchronise Spanish with sarge branch (thanks, Javier
Fernández-Sanguino Peña; closes: #298536).
- Add Ukrainian (thanks, Eugeniy Meshcheryakov; closes: #301852).
.
openssh (1:3.9p1-3) experimental; urgency=low
.
* Explain how to run sshd from inittab in README.Debian (closes: #147360).
* Add debian/watch file.
.
openssh (1:3.9p1-2) experimental; urgency=low
.
* Remove pam_nologin from /etc/pam.d/ssh, as sshd's built-in support
appears to be sufficient and more useful (closes: #162996).
* Depend on debconf | debconf-2.0.
* Drop LoginGraceTime back to the upstream default of two minutes on new
installs (closes: #289573).
* debconf template translations from Ubuntu bug #1232:
- Update Greek (thanks, Logiotatidis George).
- Update Spanish (thanks, Santiago Erquicia).
.
openssh (1:3.9p1-1) experimental; urgency=low
.
* New upstream release.
- PAM password authentication implemented again (closes: #238699,
#242119).
- Implemented the ability to pass selected environment variables between
the client and the server.
- Fix ssh-keyscan breakage when remote server doesn't speak SSH protocol
(closes: #228828).
- Fix res_query detection (closes: #242462).
- 'ssh -c' documentation improved (closes: #265627).
* Pass LANG and LC_* environment variables from the client by default, and
accept them to the server by default in new installs, although not on
upgrade (closes: #264024).
* Build ssh in binary-indep, not binary-arch (thanks, LaMont Jones).
* Expand on openssh-client package description (closes: #273831).
.
openssh (1:3.8.1p1-14) experimental; urgency=low
.
* We use DH_COMPAT=2, so build-depend on debhelper (>= 2).
* Fix timing information leak allowing discovery of invalid usernames in
PAM keyboard-interactive authentication (backported from a patch by
Darren Tucker; closes: #281595).
* Make sure that there's a delay in PAM keyboard-interactive
authentication when PermitRootLogin is not set to yes and the correct
root password is entered (closes: #248747).
.
openssh (1:3.8.1p1-13) experimental; urgency=low
.
* Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
* debconf template translations:
- Update Dutch (thanks, cobaco; closes: #278715).
* Correct README.Debian's ForwardX11Trusted description (closes: #280190).
.
openssh (1:3.8.1p1-12) experimental; urgency=low
.
* Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754).
* Shorten the version string from the form "OpenSSH_3.8.1p1 Debian
1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH
implementations apparently have problems with the long version string.
This is of course a bug in those implementations, but since the extent
of the problem is unknown it's best to play safe (closes: #275731).
* debconf template translations:
- Add Finnish (thanks, Matti Pöllä; closes: #265339).
- Update Danish (thanks, Morten Brix Pedersen; closes: #275895).
- Update French (thanks, Denis Barbier; closes: #276703).
- Update Japanese (thanks, Kenshi Muto; closes: #277438).
.
openssh (1:3.8.1p1-11) experimental; urgency=high
.
* Move sshd_config(5) to openssh-server, where it belongs.
* If PasswordAuthentication is disabled, then offer to disable
ChallengeResponseAuthentication too. The current PAM code will attempt
password-style authentication if ChallengeResponseAuthentication is
enabled (closes: #250369).
* This will ask a question of anyone who installed fresh with 1:3.8p1-2 or
later and then upgraded. Sorry about that ... for this reason, the
default answer is to leave ChallengeResponseAuthentication enabled.
.
openssh (1:3.8.1p1-10) experimental; urgency=low
.
* Don't install the ssh-askpass-gnome .desktop file by default; I've had
too many GNOME people tell me it's the wrong thing to be doing. I've
left it in /usr/share/doc/ssh-askpass-gnome/examples/ for now.
.
openssh (1:3.8.1p1-9) experimental; urgency=low
.
* Split the ssh binary package into openssh-client and openssh-server
(closes: #39741). openssh-server depends on openssh-client for some
common functionality; it didn't seem worth creating yet another package
for this. openssh-client is priority standard, openssh-server optional.
* New transitional ssh package, priority optional, depending on
openssh-client and openssh-server. May be removed once nothing depends
on it.
* When upgrading from ssh to openssh-{client,server}, it's very difficult
for the maintainer scripts to find out what version we're upgrading from
without dodgy dpkg hackery. I've therefore taken the opportunity to move
a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged
and ssh/user_environment_tell.
* Add a heuristic to try to make sure the sshd_config upgrade to >= 3.7
happens even though we don't know what version we're upgrading from.
* Remove /etc/ssh/sshd_not_to_be_run on purge of openssh-server. For now
(until sarge+2) it's still honoured to avoid breaking existing
configurations, but the right approach is now to remove the
openssh-server package if you don't want to run the server. Add a NEWS
item to that effect.
Files:
84f2dff9c56e901f345d56fc61df0d0b 900 net standard openssh_4.1p1-3.dsc
7ab61ab3f06d6f82054c1abe06c07d06 138002 net standard openssh_4.1p1-3.diff.gz
02c181ac3c4d6a0548d111c59e74db82 31940 net optional ssh_4.1p1-3_all.deb
fded10b71291844267bf4582d67e1f49 570468 net standard openssh-client_4.1p1-3_powerpc.deb
b5d53eb227d444b63861dc93266b06d3 284250 net optional openssh-server_4.1p1-3_powerpc.deb
712214657225f22add427e6e8af78d8e 76508 gnome optional ssh-askpass-gnome_4.1p1-3_powerpc.deb
8a08610010a9b18697df9dcaad793d47 163160 debian-installer optional openssh-client-udeb_4.1p1-3_powerpc.udeb
c3e34795848cfa1ddf1be4365c9450cd 171832 debian-installer optional openssh-server-udeb_4.1p1-3_powerpc.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCpMU09t0zAhD6TNERAkGpAKCDpLdoo2ILdb02EPN28FV4HuSsgQCcD7K2
QlEr7wrH8P5uw4bssmCGNzU=
=mvqt
-----END PGP SIGNATURE-----
Reply to: