
Bug#606922: closed by Colin Watson <cjwatson@debian.org> (Re: Bug#606922: jpake not enabled in sid)



reopen 606922
thanks

> That's correct.  It's disabled upstream and we haven't enabled it.  I
> have no intention of enabling it until upstream say it's OK to do so
> (which will probably consist of enabling it by default).
>
> Here's the upstream commit message:
>
>   - djm@cvs.openbsd.org 2010/09/20 04:50:53
>     [jpake.c schnorr.c]
>     check that received values are smaller than the group size in the
>     disabled and unfinished J-PAKE code.
>     avoids catastrophic security failure found by Sebastien Martini
>
> Michael, thanks for the heads-up, but I don't see any need to spend time
> backporting this.  Anyone who goes in, enables this against the advice
> of upstream, and deploys it on a publicly-visible system deserves what
> they get!  If you're going to use experimental authentication modes,
> then you at least need to use current CVS HEAD.
>
> I'm closing this bug, and I recommend the security team mark it as "no
> fix needed".

I apologize ahead of time for the BTS ping-pong, but according to the
build log (which is where I checked for my original bug report) jpake
is indeed built.

$ debuild | grep jpake

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-strict-aliasing
-fno-builtin-memset -fstack-protector-all -O2   -fPIE
-fstack-protector  -D_FORTIFY_SOURCE=2  -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
-DSSH_EXTRAVERSION=\"Debian-5\"  -I. -I..     -DSSHDIR=\"/etc/ssh\"
-D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\"
-D_PATH_SSH_DATADIR=\"/usr/share/ssh\" -DHAVE_CONFIG_H -c ../jpake.c
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-strict-aliasing
-fno-builtin-memset -fstack-protector-all -O2   -fPIE
-fstack-protector  -D_FORTIFY_SOURCE=2  -Wformat -Wformat-security
-DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
-DSSH_EXTRAVERSION=\"Debian-5\"  -I. -I..     -DSSHDIR=\"/etc/ssh\"
-D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\"
-D_PATH_SSH_DATADIR=\"/usr/share/ssh\" -DHAVE_CONFIG_H -c
../auth2-jpake.c
/usr/bin/ar rv libssh.a acss.o authfd.o authfile.o bufaux.o bufbn.o
buffer.o canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o compat.o compress.o
crc32.o deattack.o fatal.o hostfile.o log.o match.o md-sha256.o
moduli.o nchan.o packet.o readpass.o rsa.o ttymodes.o xmalloc.o
addrmatch.o atomicio.o key.o dispatch.o kex.o mac.o uidswap.o
uuencode.o misc.o monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o
kexdh.o kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o
entropy.o gss-genr.o umac.o jpake.o schnorr.o ssh-pkcs11.o kexgssc.o
a - jpake.o
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o
auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o
auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o
groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o
auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o
auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o
auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
audit-bsm.o platform.o sftp-server.o sftp-common.o roaming_common.o
roaming_serv.o -L. -Lopenbsd-compat/  -fstack-protector-all
-Wl,--as-needed -fPIE -pie -Wl,-z,relro -Wl,-z,now -lssh
-lopenbsd-compat -lwrap -lpam -lselinux -lcrypto -ldl -lutil -lz -lnsl
 -lcrypt -lresolv -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wno-pointer-sign -Wformat-security
-fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -O2
-fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-DLOGIN_PROGRAM="/bin/login" -DLOGIN_NO_ENDOPT
-DSSH_EXTRAVERSION="Debian-5" -lgssapi_krb5 -lkrb5 -lk5crypto
-lcom_err
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-strict-aliasing
-fno-builtin-memset -fstack-protector-all -Os
-DSSH_EXTRAVERSION=\"Debian-5\"  -I. -I..  -DSSHDIR=\"/etc/ssh\"
-D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\"
-D_PATH_SSH_DATADIR=\"/usr/share/ssh\" -DHAVE_CONFIG_H -c ../jpake.c
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wno-pointer-sign -Wformat-security -fno-strict-aliasing
-fno-builtin-memset -fstack-protector-all -Os
-DSSH_EXTRAVERSION=\"Debian-5\"  -I. -I..  -DSSHDIR=\"/etc/ssh\"
-D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\"
-D_PATH_SSH_DATADIR=\"/usr/share/ssh\" -DHAVE_CONFIG_H -c
../auth2-jpake.c
/usr/bin/ar rv libssh.a acss.o authfd.o authfile.o bufaux.o bufbn.o
buffer.o canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o compat.o compress.o
crc32.o deattack.o fatal.o hostfile.o log.o match.o md-sha256.o
moduli.o nchan.o packet.o readpass.o rsa.o ttymodes.o xmalloc.o
addrmatch.o atomicio.o key.o dispatch.o kex.o mac.o uidswap.o
uuencode.o misc.o monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o
kexdh.o kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o
entropy.o gss-genr.o umac.o jpake.o schnorr.o ssh-pkcs11.o kexgssc.o
a - jpake.o
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o
auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o
auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o
groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o
auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o
auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o
auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
audit-bsm.o platform.o sftp-server.o sftp-common.o roaming_common.o
roaming_serv.o -L. -Lopenbsd-compat/  -fstack-protector-all
-Wl,--as-needed -lssh -lopenbsd-compat  -lcrypto -ldl -lutil -lz
-lcrypt -lresolv
