Bug#50612: marked as done (ssh: Might want to allow different host keys for different ports on same host)

Your message dated Wed, 13 Jun 2007 00:02:51 +0000
with message-id <E1HyGK3-0001D3-K2@ries.debian.org>
and subject line Bug#50612: fixed in openssh 1:4.6p1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh
Version: 1:1.2pre9-1
Severity: wishlist

`ssh' with its host key checking is incompatible with the use of
`redir' to map different ports on a gateway/firewall system to
different systems behind the firewall.

For instance, I redirect ports as follows:

               | fw.somesite.com |
            -> | port 2224       | -> (port 22) internalhost1.somesite.com
Internet    -> | port 2223       | -> (port 22) internalhost2.somesite.com
            -> | port 2222       | -> (port 22) internalhost3.somesite.com

In this case, the following three commands end up on different hosts:

      ssh -p 2224 fw.somesite.com
      ssh -p 2223 fw.somesite.com
      ssh -p 2222 fw.somesite.com

Thus, there are different host keys, which leads `ssh' to believe that
the host key has been altered between sessions.

Would it be possible to save both host/IP as well as port number as
keys in the 'known_hosts' file?


-- System Information
Debian Release: potato
Kernel Version: Linux tor.slett.net 2.2.13 #1 Sun Nov 7 23:07:24 PST 1999 i586 unknown

Versions of the packages ssh depends on:
ii  libc6           2.1.2-10       GNU C Library: Shared libraries and timezone
ii  libpam0g        0.71-1         Pluggable Authentication Modules library
ii  libssl09        0.9.4-3        SSL shared libraries
ii  zlib1g          1.1.3-5        compression library - runtime
	^^^ (Provides virtual package libz1)

--- Begin /etc/ssh/ssh_config (modified conffile)
    StrictHostKeyChecking no
    Cipher blowfish

--- End /etc/ssh/ssh_config

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:4.6p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

  to pool/main/o/openssh/openssh-client-udeb_4.6p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-client_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-server-udeb_4.6p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-server_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/openssh_4.6p1-1.diff.gz
  to pool/main/o/openssh/openssh_4.6p1-1.dsc
  to pool/main/o/openssh/openssh_4.6p1.orig.tar.gz
  to pool/main/o/openssh/ssh-askpass-gnome_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/ssh-krb5_4.6p1-1_all.deb
  to pool/main/o/openssh/ssh_4.6p1-1_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 50612@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Wed, 13 Jun 2007 00:28:26 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.6p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (transitional package)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 50612 88337 99675 103677 122188 257524 307890 319639 333447 369964 389038 395507 397961 408027 410599 420035
 openssh (1:4.6p1-1) unstable; urgency=low
   * New upstream release (closes: #395507, #397961, #420035). Important
     changes not previously backported to 4.3p2:
     - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
       + On portable OpenSSH, fix a GSSAPI authentication abort that could be
         used to determine the validity of usernames on some platforms.
       + Implemented conditional configuration in sshd_config(5) using the
         "Match" directive. This allows some configuration options to be
         selectively overridden if specific criteria (based on user, group,
         hostname and/or address) are met. So far a useful subset of
         post-authentication options are supported and more are expected to
         be added in future releases.
       + Add support for Diffie-Hellman group exchange key agreement with a
         final hash of SHA256.
       + Added a "ForceCommand" directive to sshd_config(5). Similar to the
         command="..." option accepted in ~/.ssh/authorized_keys, this forces
         the execution of the specified command regardless of what the user
         requested. This is very useful in conjunction with the new "Match"
       + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
         permitopen="..." authorized_keys option, allowing fine-grained
         control over the port-forwardings that a user is allowed to
       + Add optional logging of transactions to sftp-server(8).
       + ssh(1) will now record port numbers for hosts stored in
         ~/.ssh/known_hosts when a non-standard port has been requested
         (closes: #50612).
       + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
         non-zero exit code) when requested port forwardings could not be
       + Extend sshd_config(5) "SubSystem" declarations to allow the
         specification of command-line arguments.
       + Replacement of all integer overflow susceptible invocations of
         malloc(3) and realloc(3) with overflow-checking equivalents.
       + Many manpage fixes and improvements.
       + Add optional support for OpenSSL hardware accelerators (engines),
         enabled using the --with-ssl-engine configure option.
       + Tokens in configuration files may be double-quoted in order to
         contain spaces (closes: #319639).
       + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
         session exits very quickly (closes: #307890).
       + Fix some incorrect buffer allocation calculations (closes: #410599).
       + ssh-add doesn't ask for a passphrase if key file permissions are too
         liberal (closes: #103677).
       + Likewise, ssh doesn't ask either (closes: #99675).
     - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
       + sshd now allows the enabling and disabling of authentication methods
         on a per user, group, host and network basis via the Match directive
         in sshd_config.
       + Fixed an inconsistent check for a terminal when displaying scp
         progress meter (closes: #257524).
       + Fix "hang on exit" when background processes are running at the time
         of exit on a ttyful/login session (closes: #88337).
   * Update to current GSSAPI patch from
     install ChangeLog.gssapi.
   * Build the .deb --with-ssl-engine (closes: #408027, LP: #119295).
   * Use LSB functions in init scripts, and add an LSB-style header (partly
     from Ubuntu and partly thanks to Christian Perrier; closes: #389038).
   * Move init script start links to S16, move rc1 stop link to K84, and
     remove rc0 and rc6 stop links altogether (the last part from Ubuntu;
     closes: #122188).
   * Emit a slightly more informative message from the init script if
     /dev/null has somehow become not a character device (closes: #369964).
   * Belatedly build-depend on zlib1g-dev (>= 1:1.2.3-1) (closes: #333447).
   * Merge from Ubuntu:
     - Build position-independent executables (only for debs, not for udebs)
       to take advantage of address space layout randomisation.
     - If building on Ubuntu, add /sbin, /usr/sbin, and /usr/local/sbin to
       the default path.
   * Use ${binary:Version} rather than ${Source-Version} in openssh-server ->
     openssh-client dependency.
 274b1d5892e3805fc6cf02b4bcbae0d4 1062 net standard openssh_4.6p1-1.dsc
 cee58cd226138191561fa2d484e18f49 946439 net standard openssh_4.6p1.orig.tar.gz
 e31a11367a77ac6a5293286e463324bf 178464 net standard openssh_4.6p1-1.diff.gz
 6a07b42810cb43825f5bccfef27d050b 1060 net extra ssh_4.6p1-1_all.deb
 7611c62669803ede6d8873172807daa6 78884 net extra ssh-krb5_4.6p1-1_all.deb
 b410989a5fec7a9bb28040ae06805a2b 687032 net standard openssh-client_4.6p1-1_powerpc.deb
 eb67e9f21b381580a36a96e492e88479 257292 net optional openssh-server_4.6p1-1_powerpc.deb
 8e23b1d093801f6caef9472eb8a84eab 88536 gnome optional ssh-askpass-gnome_4.6p1-1_powerpc.deb
 efc9ed4c7588942ed0ab42c5626ba523 173176 debian-installer optional openssh-client-udeb_4.6p1-1_powerpc.udeb
 d5eb39406e06da0896e23a60c9d48089 179456 debian-installer optional openssh-server-udeb_4.6p1-1_powerpc.udeb
Package-Type: udeb


--- End Message ---
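The changelog entry that closes this bug ("ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested") is the whole fix: a host reached on port 22 is stored under its bare name, a host reached on any other port under "[host]:port", so the three redirected ports in the report no longer collide on one known_hosts entry. The following is an added example, written for this page and not code from OpenSSH or from the Debian thread; it reproduces that lookup for the gateway scenario above. It assumes the known_hosts conventions as documented in sshd(8): comma-separated host patterns with "*" and "?" wildcards and "!" negation, optional "@cert-authority" / "@revoked" markers, and HashKnownHosts entries of the form "|1|base64(salt)|base64(HMAC-SHA1(salt, name))" where the hashed name is the same "[host]:port" string. The sample file, salt and key blobs are constructed placeholders.

```python
"""known_hosts lookup keyed by host and port, as OpenSSH >= 4.4 stores it.

Added example; it is neither OpenSSH code nor part of the Debian bug thread.
Entries for a non-standard port are stored under "[host]:port", port-22 entries
under the bare host name, and HashKnownHosts entries ("|1|salt|hash") hash that
same string with HMAC-SHA1. Sample keys and salt below are constructed.
"""
import base64
import hashlib
import hmac
import re
from typing import NamedTuple, Optional


class HostKey(NamedTuple):
    key_type: str
    key_b64: str
    marker: Optional[str]  # "@cert-authority", "@revoked" or None


def known_hosts_name(host: str, port: int) -> str:
    """The string OpenSSH matches (or hashes) for a host/port pair."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_known_hosts_name(name: str, salt: bytes) -> str:
    """Render NAME as a HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1)."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _pattern_matches(pattern: str, name: str) -> bool:
    """One host pattern: a hashed entry, or a glob with only '*' and '?'.
    OpenSSH's matcher has no '[...]' classes, which matters because the
    "[host]:port" form contains literal brackets."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|", 3)
        want = base64.b64decode(digest_b64)
        got = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None


def _hostfield_matches(hostfield: str, name: str) -> bool:
    """Negated patterns ('!pat') veto the line; otherwise one pattern must match."""
    matched = False
    for pat in hostfield.split(","):
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], name):
                return False
        elif _pattern_matches(pat, name):
            matched = True
    return matched


def lookup_host_keys(known_hosts: str, host: str, port: int = 22) -> list:
    """All keys recorded for exactly this host/port pair."""
    name = known_hosts_name(host, port)
    found = []
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed line: needs hosts, key type, key
        if _hostfield_matches(fields[0], name):
            found.append(HostKey(fields[1], fields[2], marker))
    return found


def check_host_key(known_hosts: str, host: str, port: int, key_type: str, key_b64: str) -> str:
    """Classify the key a server presented: 'unknown', 'match', 'revoked' or 'changed'.
    'changed' is the case the bug report describes: a key of this type is on
    file for this name, but it is a different key."""
    same_type = [k for k in lookup_host_keys(known_hosts, host, port)
                 if k.key_type == key_type and k.marker != "@cert-authority"]
    if not same_type:
        return "unknown"
    for k in same_type:
        if k.key_b64 == key_b64:
            return "revoked" if k.marker == "@revoked" else "match"
    return "changed"


# Constructed sample: the gateway from the report plus its three redirected ports.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file; key blobs are placeholders, not real keys",
    "fw.somesite.com ssh-rsa AAAAfwGatewayKeyPlaceholder",
    "[fw.somesite.com]:2224 ssh-rsa AAAAinternalhost1KeyPlaceholder",
    "[fw.somesite.com]:2223 ssh-rsa AAAAinternalhost2KeyPlaceholder",
    hash_known_hosts_name("[fw.somesite.com]:2222", SALT) + " ssh-rsa AAAAinternalhost3KeyPlaceholder",
    "*.somesite.com,!fw.somesite.com ssh-rsa AAAAotherHostsPlaceholder",
])

if __name__ == "__main__":
    for port in (22, 2224, 2223, 2222, 2225):
        print(known_hosts_name("fw.somesite.com", port),
              [k.key_b64 for k in lookup_host_keys(SAMPLE_KNOWN_HOSTS, "fw.somesite.com", port)])
```

With the per-port names, the key seen on port 2223 is compared only against the entry stored for "[fw.somesite.com]:2223", so internalhost2's key no longer looks like a changed key for the gateway. Under the pre-4.4 scheme every port would have mapped to the bare "fw.somesite.com" entry, which is exactly the "changed" result above, and the reporter's workaround of `StrictHostKeyChecking no` silenced that warning for genuine key changes as well.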