Bug#481519: marked as done (openssh-server: can not login after update to 4.3p2-9etch1)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 17 May 2008 07:40:43 +0100
with message-id <20080517064043.GC16645@riva.ucam.org>
and subject line Re: Bug#481519: openssh-server: can not login after update to 4.3p2-9etch1
has caused the Debian Bug report #481519,
regarding openssh-server: can not login after update to 4.3p2-9etch1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
481519: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481519
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: openssh-server: can not login after update to 4.3p2-9etch1
• From: Rafael Jesus Alcantara Perez <sistemas@dedaloingenieros.com>
• Date: Fri, 16 May 2008 18:43:21 +0200
• Message-id: <[🔎] 20080516164321.12131.63499.reportbug@gemini.dii.loc>

Package: openssh-server
Version: 1:4.3p2-9etch1
Severity: normal

When the machine was upgraded to 4.3p2-9etch1, the installation script found
that the host key was blacklisted. I reinstalled many times the package but
with no success. Finally I ripped some pieces of the postinst script and I
tried to build the key, at least ten times, with again, no sucess. The keys
were newly created but they always were marked as blacklisted. The result
was that I was not able to login on the machine.

Finally, I put the next line on /etc/ssh/sshd_config:

PermitBlacklistedKeys yes

Now it starts saying the next message, but at least, I can login again:

Host key b5:9c:37:1c:42:ec:7e:ee:47:9e:20:dd:23:29:6b:d0 blacklisted (see ssh-vulnkey(1)); continuing anyway
Host key ec:4d:32:92:f6:0e:4b:0d:2b:b0:6f:32:d1:79:fb:64 blacklisted (see ssh-vulnkey(1)); continuing anyway
Restarting OpenBSD Secure Shell server: sshdHost key
b5:9c:37:1c:42:ec:7e:ee:47:9e:20:dd:23:29:6b:d0 blacklisted (see ssh-vulnkey(1)); continuing anyway
Host key ec:4d:32:92:f6:0e:4b:0d:2b:b0:6f:32:d1:79:fb:64 blacklisted (see ssh-vulnkey(1)); continuing anyway
.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  add 3.102                                Add and remove users and groups
ii  deb 1.5.13                               Debian configuration management sy
ii  dpk 1.13.25                              package maintenance system for Deb
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 1.4.4-8                              MIT Kerberos runtime libraries
ii  lib 0.79-5                               Pluggable Authentication Modules f
ii  lib 0.79-5                               Runtime support for the PAM librar
ii  lib 0.79-5                               Pluggable Authentication Modules l
ii  lib 1.32-3                               SELinux shared libraries
ii  lib 0.9.8e-4                             SSL shared libraries
ii  lib 7.6.dbs-13                           Wietse Venema's TCP wrappers libra
ii  ope 0.1.1                                list of blacklisted OpenSSH RSA an
ii  ope 1:4.3p2-9etch1                       Secure shell client, an rlogin/rsh
ii  zli 1:1.2.3-13                           compression library - runtime

openssh-server recommends no packages.

-- debconf information:
* ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false

--- End Message ---

--- Begin Message ---

• To: 481519-done@bugs.debian.org
• Subject: Re: Bug#481519: openssh-server: can not login after update to 4.3p2-9etch1
• From: Colin Watson <cjwatson@debian.org>
• Date: Sat, 17 May 2008 07:40:43 +0100
• Message-id: <20080517064043.GC16645@riva.ucam.org>
• In-reply-to: <[🔎] 20080516164321.12131.63499.reportbug@gemini.dii.loc>
• References: <[🔎] 20080516164321.12131.63499.reportbug@gemini.dii.loc>

On Fri, May 16, 2008 at 06:43:21PM +0200, Rafael Jesus Alcantara Perez wrote:
> Package: openssh-server
> Version: 1:4.3p2-9etch1
> Severity: normal
> 
> When the machine was upgraded to 4.3p2-9etch1, the installation script found
> that the host key was blacklisted.

Well, I'm sorry, but it is. That key is insecure (I confirmed it by hand
with the fingerprints you gave).

> I reinstalled many times the package but with no success. Finally I
> ripped some pieces of the postinst script and I tried to build the
> key, at least ten times, with again, no sucess. The keys were newly
> created but they always were marked as blacklisted. The result was
> that I was not able to login on the machine.
> 
> Finally, I put the next line on /etc/ssh/sshd_config:
> 
> PermitBlacklistedKeys yes

Now anyone can forge the identity of your machine ...

> ii  lib 0.9.8e-4                             SSL shared libraries

That's a vulnerable version. This probably happened because you're
running Etch but you upgraded libssl0.9.8 to a version from testing or
unstable at some point, which isn't going to work very well. Either
downgrade to 0.9.8c-4etch3 in etch/updates or upgrade to 0.9.8g-10 in
unstable.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---