
Bug#579570: openssh-server: bla



Subject: openssh-server: asks for (empty) "old passphrase" on upgrade
Package: openssh-server
Version: 1:5.5p1-2
Severity: normal

When upgrading one of my Squeeze boxes, openssh-server 1:5.3p1-3 got
replaced by 1:5.5p1-2. The postinst script then asked me for an old
passphrase:

[...]
Setting up openssh-server (1:5.5p1-2) ...
Installing new version of config file /etc/init.d/ssh ...
Installing new version of config file /etc/default/ssh ...
Enter old passphrase: 
dpkg: error processing openssh-server (--configure):
 subprocess installed post-installation script killed by signal (Interrupt)
[...]
Errors were encountered while processing:
 openssh-server
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install.  Trying to recover:
Setting up openssh-server (1:5.5p1-2) ...
Enter old passphrase: 
dpkg: error processing openssh-server (--configure):
 subprocess installed post-installation script killed by signal (Interrupt)
Errors were encountered while processing:
 openssh-server
[...]

In the above case I just pressed Ctrl-C since it was not obvious what
kind of passphrase would have been needed.

Adding set -x to the postinst script revealed that it 

+ check_idea_key
+ [ -f /etc/ssh/ssh_host_key ]
+ cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea
+ grep -q unknown cipher
+ ssh-keygen -p -N  -f /etc/ssh/ssh_host_key.check_idea
Enter old passphrase: 
+ rm -f /etc/ssh/ssh_host_key.check_idea
+ create_keys
+ host_keys_required
+ get_config_option HostKey
+ option=HostKey

The corresponding line in the postinst script is line 30:

30                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 | \
31                                grep -q 'unknown cipher' 2>/dev/null; then

I currently have no idea why the -p option is needed here. Wouldn't it
prompt for a passphrase anyway if one were necessary? Especially
since the host keys usually don't have a passphrase, prompting should
only happen if the key does have a passphrase. Explicitly prompting
for one breaks all unattended upgrades.

After I knew that the passphrase being asked for was that of a host key,
I just pressed Enter and the upgrade continued and successfully
finished.

It is indeed possible that this box had ancient host keys, as they were
always transferred to the new hardware when the hostname moved to
other hardware.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i586)

Kernel: Linux 2.6.32-3-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                 3.112            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.32           Debian configuration management sy
ii  dpkg                    1.15.5.6         Debian package management system
ii  libc6                   2.10.2-6         Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.11-1        common error description library
ii  libgssapi-krb5-2        1.8.1+dfsg-2     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.1+dfsg-2     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-2          Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-2          Runtime support for the PAM librar
ii  libpam0g                1.1.1-2          Pluggable Authentication Modules l
ii  libselinux1             2.0.94-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8n-1         SSL shared libraries
ii  libwrap0                7.6.q-18         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23           Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-2        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-8        /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)
pn  ufw                           <none>     (no description available)

-- debconf information:
* ssh/use_old_init_script: true
  ssh/vulnerable_host_keys:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false
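As an added example (not part of this bug report and not the Debian package's own fix), here is a shell function that performs the same "unknown cipher" check on a copy of the host key but can never block on a passphrase prompt: it supplies the old passphrase explicitly with -P '' and redirects stdin from /dev/null, so an unattended upgrade either gets a verdict or a failure, never a hang. The function name and the absent/idea/ok/other classification are my own.

```shell
#!/bin/sh
# Non-interactive variant of the postinst's check_idea_key (hypothetical, not Debian's code).
# Prints one word on stdout:
#   absent - no host key file at the given path
#   idea   - ssh-keygen reports "unknown cipher" (legacy IDEA-encrypted SSH1 key)
#   ok     - the key loaded without a passphrase and could be rewritten
#   other  - ssh-keygen failed for another reason (e.g. the key has a real passphrase)
check_idea_key_noninteractive() {
    key="${1:-/etc/ssh/ssh_host_key}"
    [ -f "$key" ] || { echo absent; return 0; }

    # Work on a copy, as the postinst does, so the real key is never rewritten.
    tmp=$(mktemp) || return 1
    cp -a "$key" "$tmp"

    # -P '' answers "Enter old passphrase:" up front; </dev/null guarantees that
    # any remaining prompt reads EOF instead of waiting on a terminal.
    rc=0
    out=$(ssh-keygen -p -P '' -N '' -f "$tmp" </dev/null 2>&1) || rc=$?
    rm -f "$tmp" "$tmp.pub"

    if printf '%s\n' "$out" | grep -q 'unknown cipher'; then
        echo idea
    elif [ "$rc" -eq 0 ]; then
        echo ok
    else
        echo other
    fi
}
```

Run it as `check_idea_key_noninteractive /etc/ssh/ssh_host_key` from a maintainer script; only the idea verdict needs the debconf warning, and a hung upgrade is no longer possible.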