Bug#387376: marked as done (ssh: Can't have different host keys for different ports but same address (NAT))
Your message dated Wed, 13 Jun 2007 00:02:51 +0000
with message-id <E1HyGK3-0001D3-K2@ries.debian.org>
and subject line Bug#50612: fixed in openssh 1:4.6p1-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ssh: Can't have different host keys for different ports but same address (NAT)
- From: Helge Hafting <helgehaf@aitel.hist.no>
- Date: Thu, 14 Sep 2006 01:40:25 +0200
- Message-id: <20060913234025.31513.30237.reportbug@hh.aitel.hist.no>
Package: ssh
Version: 1:4.3p2-3
Severity: normal
I have several PCs behind a NAT firewall.
I want to be able to ssh into any of them, going via a single
one is bad because I can't know which ones are up in advance.
So the NAT router forwards various ports to the different servers.
Unfortunately, ssh always checks the hostkey against the IP
address only, and so it thinks there is a man-in-the-middle
attack when I try the second pc instead of the first.
Because then the key changes, but the ip address seems to not change.
But it really is another PC, because the port is different
and therefore forwarded to a different PC.
I appreciate the host key checking, but:
It should not be tied to ip address alone, it should
be tied to the ip:port pair.  That will keep the security,
but now <same ip:different port> will be allowed to have
different host keys.  <same ip:same port> will still not be allowed
to change its key.
I am not sure using the same host key everywhere will be good,
if one PC is compromised, then all is . . .
-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (800, 'stable'), (700, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-rc6-mm2
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)
Versions of packages ssh depends on:
ii  openssh-client                1:4.3p2-3  Secure shell client, an rlogin/rsh
ii  openssh-server                1:4.3p2-3  Secure shell server, an rshd repla
ssh recommends no packages.
-- debconf-show failed
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:4.6p1-1
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_4.6p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.6p1-1_powerpc.udeb
openssh-client_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.6p1-1_powerpc.deb
openssh-server-udeb_4.6p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.6p1-1_powerpc.udeb
openssh-server_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.6p1-1_powerpc.deb
openssh_4.6p1-1.diff.gz
  to pool/main/o/openssh/openssh_4.6p1-1.diff.gz
openssh_4.6p1-1.dsc
  to pool/main/o/openssh/openssh_4.6p1-1.dsc
openssh_4.6p1.orig.tar.gz
  to pool/main/o/openssh/openssh_4.6p1.orig.tar.gz
ssh-askpass-gnome_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.6p1-1_powerpc.deb
ssh-krb5_4.6p1-1_all.deb
  to pool/main/o/openssh/ssh-krb5_4.6p1-1_all.deb
ssh_4.6p1-1_all.deb
  to pool/main/o/openssh/ssh_4.6p1-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 50612@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 13 Jun 2007 00:28:26 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.6p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (transitional package)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 50612 88337 99675 103677 122188 257524 307890 319639 333447 369964 389038 395507 397961 408027 410599 420035
Changes: 
 openssh (1:4.6p1-1) unstable; urgency=low
 .
   * New upstream release (closes: #395507, #397961, #420035). Important
     changes not previously backported to 4.3p2:
     - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
       + On portable OpenSSH, fix a GSSAPI authentication abort that could be
         used to determine the validity of usernames on some platforms.
       + Implemented conditional configuration in sshd_config(5) using the
         "Match" directive. This allows some configuration options to be
         selectively overridden if specific criteria (based on user, group,
         hostname and/or address) are met. So far a useful subset of
         post-authentication options are supported and more are expected to
         be added in future releases.
       + Add support for Diffie-Hellman group exchange key agreement with a
         final hash of SHA256.
       + Added a "ForceCommand" directive to sshd_config(5). Similar to the
         command="..." option accepted in ~/.ssh/authorized_keys, this forces
         the execution of the specified command regardless of what the user
         requested. This is very useful in conjunction with the new "Match"
         option.
       + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
         permitopen="..." authorized_keys option, allowing fine-grained
         control over the port-forwardings that a user is allowed to
         establish.
       + Add optional logging of transactions to sftp-server(8).
       + ssh(1) will now record port numbers for hosts stored in
         ~/.ssh/known_hosts when a non-standard port has been requested
         (closes: #50612).
       + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
         non-zero exit code) when requested port forwardings could not be
         established.
       + Extend sshd_config(5) "SubSystem" declarations to allow the
         specification of command-line arguments.
       + Replacement of all integer overflow susceptible invocations of
         malloc(3) and realloc(3) with overflow-checking equivalents.
       + Many manpage fixes and improvements.
       + Add optional support for OpenSSL hardware accelerators (engines),
         enabled using the --with-ssl-engine configure option.
       + Tokens in configuration files may be double-quoted in order to
         contain spaces (closes: #319639).
       + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
         session exits very quickly (closes: #307890).
       + Fix some incorrect buffer allocation calculations (closes: #410599).
       + ssh-add doesn't ask for a passphrase if key file permissions are too
         liberal (closes: #103677).
       + Likewise, ssh doesn't ask either (closes: #99675).
     - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
       + sshd now allows the enabling and disabling of authentication methods
         on a per user, group, host and network basis via the Match directive
         in sshd_config.
       + Fixed an inconsistent check for a terminal when displaying scp
         progress meter (closes: #257524).
       + Fix "hang on exit" when background processes are running at the time
         of exit on a ttyful/login session (closes: #88337).
   * Update to current GSSAPI patch from
     http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
     install ChangeLog.gssapi.
   * Build the .deb --with-ssl-engine (closes: #408027, LP: #119295).
   * Use LSB functions in init scripts, and add an LSB-style header (partly
     from Ubuntu and partly thanks to Christian Perrier; closes: #389038).
   * Move init script start links to S16, move rc1 stop link to K84, and
     remove rc0 and rc6 stop links altogether (the last part from Ubuntu;
     closes: #122188).
   * Emit a slightly more informative message from the init script if
     /dev/null has somehow become not a character device (closes: #369964).
   * Belatedly build-depend on zlib1g-dev (>= 1:1.2.3-1) (closes: #333447).
   * Merge from Ubuntu:
     - Build position-independent executables (only for debs, not for udebs)
       to take advantage of address space layout randomisation.
     - If building on Ubuntu, add /sbin, /usr/sbin, and /usr/local/sbin to
       the default path.
   * Use ${binary:Version} rather than ${Source-Version} in openssh-server ->
     openssh-client dependency.
Files: 
 274b1d5892e3805fc6cf02b4bcbae0d4 1062 net standard openssh_4.6p1-1.dsc
 cee58cd226138191561fa2d484e18f49 946439 net standard openssh_4.6p1.orig.tar.gz
 e31a11367a77ac6a5293286e463324bf 178464 net standard openssh_4.6p1-1.diff.gz
 6a07b42810cb43825f5bccfef27d050b 1060 net extra ssh_4.6p1-1_all.deb
 7611c62669803ede6d8873172807daa6 78884 net extra ssh-krb5_4.6p1-1_all.deb
 b410989a5fec7a9bb28040ae06805a2b 687032 net standard openssh-client_4.6p1-1_powerpc.deb
 eb67e9f21b381580a36a96e492e88479 257292 net optional openssh-server_4.6p1-1_powerpc.deb
 8e23b1d093801f6caef9472eb8a84eab 88536 gnome optional ssh-askpass-gnome_4.6p1-1_powerpc.deb
 efc9ed4c7588942ed0ab42c5626ba523 173176 debian-installer optional openssh-client-udeb_4.6p1-1_powerpc.udeb
 d5eb39406e06da0896e23a60c9d48089 179456 debian-installer optional openssh-server-udeb_4.6p1-1_powerpc.udeb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFGbzCf9t0zAhD6TNERAmG1AJ96GA3o1U0f6u/gN9PlPhqdwwigCQCfTqmo
3RySlNDddnYbYP+sdo0jr9w=
=H7r5
-----END PGP SIGNATURE-----
--- End Message ---
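The report above asks for host keys to be keyed on the ip:port pair, and the 4.4 changelog item that closes it says ssh(1) now records port numbers in ~/.ssh/known_hosts for non-standard ports. The following is an added example, not code from the report, from Debian or from OpenSSH, that models that behaviour: a port 22 host is filed under its bare name, any other port under "[host]:port", and a HashKnownHosts-style entry hashes that same bracketed name. The NAT address, the key strings and the salt are constructed sample values; the parser ignores wildcard patterns and only models the "@revoked" marker.

```python
"""Model of how OpenSSH >= 4.4 files host keys in ~/.ssh/known_hosts.

Added example, not code from the bug report or from OpenSSH. Hostnames, keys
and the salt below are constructed sample values.
"""
import base64
import hashlib
import hmac

STANDARD_PORT = 22


def known_hosts_name(host, port, port_aware=True):
    """Name under which the client files a host key.

    port_aware=True models OpenSSH >= 4.4: port 22 is stored as the bare host,
    any other port as "[host]:port".  port_aware=False models the pre-4.4
    client from the report, which keyed on the host alone.
    """
    if port_aware and port != STANDARD_PORT:
        return f"[{host}]:{port}"
    return host


def hash_known_hosts_name(name, salt):
    """HashKnownHosts-style field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def pattern_matches(pattern, name):
    """Match one host pattern (plain or hashed) against a name.

    Wildcards and negation ('*', '?', '!') are not modelled here.
    """
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(hash_b64))
    return pattern == name


def parse_known_hosts(text):
    """Parse known_hosts text into (marker, [patterns], keytype, key) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields and fields[0].startswith("@"):      # e.g. @revoked, @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue                                   # malformed line: skipped
        hosts, keytype, key = fields[0], fields[1], fields[2]
        entries.append((marker, hosts.split(","), keytype, key))
    return entries


def check_host_key(entries, host, port, keytype, key, port_aware=True):
    """Client-side verdict on an offered key: 'new', 'ok', 'revoked' or 'changed'."""
    name = known_hosts_name(host, port, port_aware)
    recorded = [(m, kt, k) for m, pats, kt, k in entries
                if any(pattern_matches(p, name) for p in pats)]
    if not recorded:
        return "new"
    for marker, ktype, k in recorded:
        if ktype == keytype and k == key:
            return "revoked" if marker == "@revoked" else "ok"
    return "changed"          # same name, different key: the MITM warning path


# Constructed sample: three PCs behind one NAT address, each on its own port.
NAT_IP = "192.0.2.10"
KEY_PC1 = ("ssh-ed25519", "AAAAconstructedKeyOfPc1")
KEY_PC2 = ("ssh-ed25519", "AAAAconstructedKeyOfPc2")
KEY_PC3 = ("ssh-ed25519", "AAAAconstructedKeyOfPc3")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    f"{NAT_IP} {KEY_PC1[0]} {KEY_PC1[1]}",                       # port 22 -> first PC
    f"[{NAT_IP}]:2202 {KEY_PC2[0]} {KEY_PC2[1]}",                # port 2202 -> second PC
    f"@revoked [{NAT_IP}]:2202 ssh-rsa AAAAconstructedRetiredKey",
    hash_known_hosts_name(f"[{NAT_IP}]:2203", b"constructedsalt-20by")
    + f" {KEY_PC3[0]} {KEY_PC3[1]}",                             # hashed entry, port 2203
])
ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)

if __name__ == "__main__":
    for port, key in [(22, KEY_PC1), (2202, KEY_PC2), (2203, KEY_PC3)]:
        old = check_host_key(ENTRIES, NAT_IP, port, *key, port_aware=False)
        new = check_host_key(ENTRIES, NAT_IP, port, *key)
        print(f"port {port}: pre-4.4 client says {old!r}, port-aware client says {new!r}")
```

With `port_aware=False` the second PC's key collides with the first PC's entry for the bare address and comes back as "changed", which is the false man-in-the-middle warning the report describes; with port-aware naming each forwarded port has its own entry, while a different key offered on the same ip:port pair is still reported as "changed".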