
Bug#72427: marked as done (ssh: known_hosts should include port in mapping)



Your message dated Wed, 13 Jun 2007 00:02:51 +0000
with message-id <E1HyGK3-0001D3-K2@ries.debian.org>
and subject line Bug#50612: fixed in openssh 1:4.6p1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh
Version: 1:2.2.0p1-1
Severity: wishlist

known_hosts currently keys off hostname and IP address. But a host could run
different sshds with different keys on different ports. Or it could forward
the connection to various other hosts depending on the port -- as is common
with firewalls or NATs.

This has always been a problem with ssh, but previously it was possible to work
around the problem with hostname aliases. OpenSSH seems to have started
canonicalizing hostnames before looking them up in the known_hosts file, which breaks this.

Incidentally, it's not at all clear that canonicalizing the hostname before looking it
up in known_hosts is actually a good idea from a security perspective. It means
that now an attacker could fool ssh into comparing against the wrong key instead of
using what the user configured without.

bash-2.04$ ssh bridge -p 2003
The authenticity of host 'bridge.foo.com' can't be established.
RSA key fingerprint is b1:c8:72:84:1d:4e:dd:ff:38:87:78:77:87:8a:1c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bridge.foo.com,216.95.242.178' (RSA) to the list of known hosts.
Last login: Mon Sep 25 14:58:18 2000 from dns.foo.com
You have mail.
[stark@fs stark]$ logout
Connection to bridge.foo.com closed.
bash-2.04$ ssh bridge -p 2078
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
Please contact your system administrator.
Add correct host key in /home/stark/.ssh/known_hosts to get rid of this message.
RSA host key for bridge.foo.com has changed and you have requested strict checking.



-- System Information
Debian Release: woody
Kernel Version: Linux HSE-MTL-ppp62067.qc.sympatico.ca 2.2.17pre9 #3 SMP Mon Jul 10 10:09:07 EDT 2000 i686 unknown

Versions of the packages ssh depends on:
ii  libc6          2.1.3-10       GNU C Library: Shared libraries and Timezone
ii  libpam-modules 0.72-9         Pluggable Authentication Modules for PAM
ii  libpam0g       0.72-9         Pluggable Authentication Modules library
ii  libssl095a     0.9.5a-4       SSL shared libraries
ii  libwrap0       7.6-5          Wietse Venema's TCP wrappers library
ii  zlib1g         1.1.3-10       compression library - runtime


--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:4.6p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.6p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.6p1-1_powerpc.udeb
openssh-client_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.6p1-1_powerpc.deb
openssh-server-udeb_4.6p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.6p1-1_powerpc.udeb
openssh-server_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.6p1-1_powerpc.deb
openssh_4.6p1-1.diff.gz
  to pool/main/o/openssh/openssh_4.6p1-1.diff.gz
openssh_4.6p1-1.dsc
  to pool/main/o/openssh/openssh_4.6p1-1.dsc
openssh_4.6p1.orig.tar.gz
  to pool/main/o/openssh/openssh_4.6p1.orig.tar.gz
ssh-askpass-gnome_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.6p1-1_powerpc.deb
ssh-krb5_4.6p1-1_all.deb
  to pool/main/o/openssh/ssh-krb5_4.6p1-1_all.deb
ssh_4.6p1-1_all.deb
  to pool/main/o/openssh/ssh_4.6p1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 50612@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 13 Jun 2007 00:28:26 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.6p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (transitional package)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 50612 88337 99675 103677 122188 257524 307890 319639 333447 369964 389038 395507 397961 408027 410599 420035
Changes: 
 openssh (1:4.6p1-1) unstable; urgency=low
 .
   * New upstream release (closes: #395507, #397961, #420035). Important
     changes not previously backported to 4.3p2:
     - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
       + On portable OpenSSH, fix a GSSAPI authentication abort that could be
         used to determine the validity of usernames on some platforms.
       + Implemented conditional configuration in sshd_config(5) using the
         "Match" directive. This allows some configuration options to be
         selectively overridden if specific criteria (based on user, group,
         hostname and/or address) are met. So far a useful subset of
         post-authentication options are supported and more are expected to
         be added in future releases.
       + Add support for Diffie-Hellman group exchange key agreement with a
         final hash of SHA256.
       + Added a "ForceCommand" directive to sshd_config(5). Similar to the
         command="..." option accepted in ~/.ssh/authorized_keys, this forces
         the execution of the specified command regardless of what the user
         requested. This is very useful in conjunction with the new "Match"
         option.
       + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
         permitopen="..." authorized_keys option, allowing fine-grained
         control over the port-forwardings that a user is allowed to
         establish.
       + Add optional logging of transactions to sftp-server(8).
       + ssh(1) will now record port numbers for hosts stored in
         ~/.ssh/known_hosts when a non-standard port has been requested
         (closes: #50612).
       + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
         non-zero exit code) when requested port forwardings could not be
         established.
       + Extend sshd_config(5) "SubSystem" declarations to allow the
         specification of command-line arguments.
       + Replacement of all integer overflow susceptible invocations of
         malloc(3) and realloc(3) with overflow-checking equivalents.
       + Many manpage fixes and improvements.
       + Add optional support for OpenSSL hardware accelerators (engines),
         enabled using the --with-ssl-engine configure option.
       + Tokens in configuration files may be double-quoted in order to
         contain spaces (closes: #319639).
       + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
         session exits very quickly (closes: #307890).
       + Fix some incorrect buffer allocation calculations (closes: #410599).
       + ssh-add doesn't ask for a passphrase if key file permissions are too
         liberal (closes: #103677).
       + Likewise, ssh doesn't ask either (closes: #99675).
     - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
       + sshd now allows the enabling and disabling of authentication methods
         on a per user, group, host and network basis via the Match directive
         in sshd_config.
       + Fixed an inconsistent check for a terminal when displaying scp
         progress meter (closes: #257524).
       + Fix "hang on exit" when background processes are running at the time
         of exit on a ttyful/login session (closes: #88337).
   * Update to current GSSAPI patch from
     http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
     install ChangeLog.gssapi.
   * Build the .deb --with-ssl-engine (closes: #408027, LP: #119295).
   * Use LSB functions in init scripts, and add an LSB-style header (partly
     from Ubuntu and partly thanks to Christian Perrier; closes: #389038).
   * Move init script start links to S16, move rc1 stop link to K84, and
     remove rc0 and rc6 stop links altogether (the last part from Ubuntu;
     closes: #122188).
   * Emit a slightly more informative message from the init script if
     /dev/null has somehow become not a character device (closes: #369964).
   * Belatedly build-depend on zlib1g-dev (>= 1:1.2.3-1) (closes: #333447).
   * Merge from Ubuntu:
     - Build position-independent executables (only for debs, not for udebs)
       to take advantage of address space layout randomisation.
     - If building on Ubuntu, add /sbin, /usr/sbin, and /usr/local/sbin to
       the default path.
   * Use ${binary:Version} rather than ${Source-Version} in openssh-server ->
     openssh-client dependency.
Files: 
 274b1d5892e3805fc6cf02b4bcbae0d4 1062 net standard openssh_4.6p1-1.dsc
 cee58cd226138191561fa2d484e18f49 946439 net standard openssh_4.6p1.orig.tar.gz
 e31a11367a77ac6a5293286e463324bf 178464 net standard openssh_4.6p1-1.diff.gz
 6a07b42810cb43825f5bccfef27d050b 1060 net extra ssh_4.6p1-1_all.deb
 7611c62669803ede6d8873172807daa6 78884 net extra ssh-krb5_4.6p1-1_all.deb
 b410989a5fec7a9bb28040ae06805a2b 687032 net standard openssh-client_4.6p1-1_powerpc.deb
 eb67e9f21b381580a36a96e492e88479 257292 net optional openssh-server_4.6p1-1_powerpc.deb
 8e23b1d093801f6caef9472eb8a84eab 88536 gnome optional ssh-askpass-gnome_4.6p1-1_powerpc.deb
 efc9ed4c7588942ed0ab42c5626ba523 173176 debian-installer optional openssh-client-udeb_4.6p1-1_powerpc.udeb
 d5eb39406e06da0896e23a60c9d48089 179456 debian-installer optional openssh-server-udeb_4.6p1-1_powerpc.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFGbzCf9t0zAhD6TNERAmG1AJ96GA3o1U0f6u/gN9PlPhqdwwigCQCfTqmo
3RySlNDddnYbYP+sdo0jr9w=
=H7r5
-----END PGP SIGNATURE-----


--- End Message ---
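The collision the bug report demonstrates (two sshds reachable through one host name on different ports, compared against a single stored key) and the 4.4 change recorded in the changelog above ("ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested") are modelled below. This is an added example written for this page, not OpenSSH's code and not part of either message in the thread. It re-implements the known_hosts pattern rules (plain names, '*'/'?' wildcards, '!' negation, HashKnownHosts '|1|salt|hash' entries) and looks a non-default port up as '[host]:port'. The sample known_hosts file, the key blobs in it, and the `port_aware` switch that replays the pre-4.4 behaviour are all constructed for illustration; OpenSSH has no such option, and '@cert-authority'/'@revoked' marker semantics are not modelled.

```python
import base64
import collections
import hashlib
import hmac
import os
import re

DEFAULT_PORT = 22
Entry = collections.namedtuple("Entry", "patterns keytype key")


def lookup_name(host, port=DEFAULT_PORT, port_aware=True):
    """Name a host key is stored under.  port_aware=False is a hypothetical
    switch (not an OpenSSH option) that models the pre-4.4 client from the
    bug report, where every port of a host collides on the bare name."""
    host = host.lower()          # ssh lowercases the host before matching
    if port_aware and port != DEFAULT_PORT:
        return "[%s]:%d" % (host, port)
    return host


def hashed_pattern(name, salt=None):
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def _pattern_matches(pattern, name):
    if pattern.startswith("|1|"):
        _, _, b64salt, b64mac = pattern.split("|")
        mac = hmac.new(base64.b64decode(b64salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), b64mac)
    # Only '*' and '?' are wildcards; '[' and ']' stay literal, which is why
    # a "[host]:port" entry can coexist with a "*.domain" wildcard entry.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def pattern_list_matches(patterns, name):
    """Comma-separated patterns; a matching '!pattern' vetoes the entry."""
    positive = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], name):
                return False
        elif _pattern_matches(pat, name):
            positive = True
    return positive


def parse_known_hosts(text):
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):   # @cert-authority / @revoked marker;
            fields = fields[1:]         # its semantics are not modelled here
        if len(fields) >= 3:
            entries.append(Entry(fields[0], fields[1], fields[2]))
    return entries


def check_host_key(entries, host, port, keytype, key, port_aware=True):
    """'ok', 'new', or 'changed' -- the last is the case that prints the
    'REMOTE HOST IDENTIFICATION HAS CHANGED!' banner.  Simplification:
    only stored keys of the presented key type are consulted."""
    name = lookup_name(host, port, port_aware)
    known = [e for e in entries
             if e.keytype == keytype and pattern_list_matches(e.patterns, name)]
    if not known:
        return "new"
    return "ok" if any(e.key == key for e in known) else "changed"


# Constructed sample file modelled on the session in the bug report; the
# key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# the firewall's own sshd on port 22
bridge.foo.com,216.95.242.178 ssh-rsa AAAAkeyFIREWALL
# 4.4+ entries: the two forwarded ports each get their own line
[bridge.foo.com]:2003,[216.95.242.178]:2003 ssh-rsa AAAAkeyFS
[bridge.foo.com]:2078 ssh-rsa AAAAkeyMAIL
# wildcard for the rest of the domain, with one host excluded
*.foo.com,!dns.foo.com ssh-ed25519 AAAAkeyDOMAIN
"""

if __name__ == "__main__":
    kh = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for aware in (False, True):
        print("port-aware lookup:", aware)
        for port, key in ((2003, "AAAAkeyFS"), (2078, "AAAAkeyMAIL")):
            print("  ssh bridge.foo.com -p %d ->" % port,
                  check_host_key(kh, "bridge.foo.com", port, "ssh-rsa", key, aware))
```

Run stand-alone, the replay shows the two outcomes side by side: with the port ignored, both forwarded ports are compared against the firewall's own port-22 key and come back "changed", which is the banner in the report; with the '[host]:port' lookup each port matches its own line. Two details worth noting for anyone auditing a known_hosts file by hand: the bracketed name is matched literally (a '*.foo.com' wildcard does not cover '[fs.foo.com]:2222'), and a hashed entry hides the port along with the host name, so `ssh-keygen -F '[host]:port'` is the way to find it.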
