
Bug#579570: marked as done (openssh-server: asks for (empty) "old passphrase" on upgrade)



Your message dated Wed, 28 Apr 2010 22:06:24 +0000
with message-id <E1O7FOi-0000Zv-2O@ries.debian.org>
and subject line Bug#579570: fixed in openssh 1:5.5p1-3
has caused the Debian Bug report #579570,
regarding openssh-server: asks for (empty) "old passphrase" on upgrade
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
579570: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579570
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Subject: openssh-server: asks for (empty) "old passphrase" on upgrade
Package: openssh-server
Version: 1:5.5p1-2
Severity: normal

When upgrading one of my Squeeze boxes, openssh-server 1:5.3p1-3 got
replaced by 1:5.5p1-2. The postinst script then asked me for an old
passphrase:

[...]
Setting up openssh-server (1:5.5p1-2) ...
Installing new version of config file /etc/init.d/ssh ...
Installing new version of config file /etc/default/ssh ...
Enter old passphrase: 
dpkg: error processing openssh-server (--configure):
 subprocess installed post-installation script killed by signal (Interrupt)
[...]
Errors were encountered while processing:
 openssh-server
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install.  Trying to recover:
Setting up openssh-server (1:5.5p1-2) ...
Enter old passphrase: 
dpkg: error processing openssh-server (--configure):
 subprocess installed post-installation script killed by signal (Interrupt)
Errors were encountered while processing:
 openssh-server
[...]

In the above case I just pressed Ctrl-C since it was not obvious what
kind of passphrase would have been needed.

Adding set -x to the postinst script revealed that it 

+ check_idea_key
+ [ -f /etc/ssh/ssh_host_key ]
+ cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea
+ grep -q unknown cipher
+ ssh-keygen -p -N  -f /etc/ssh/ssh_host_key.check_idea
Enter old passphrase: 
+ rm -f /etc/ssh/ssh_host_key.check_idea
+ create_keys
+ host_keys_required
+ get_config_option HostKey
+ option=HostKey

The corresponding line in the postinst script is line 30:

30                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 | \
31                                grep -q 'unknown cipher' 2>/dev/null; then

I currently have no idea why the -p option is needed here. Wouldn't it
prompt for a passphrase anyway if one would be necessary? Especially
since the hostkeys usually don't have a passphrase, prompting should
only happen if the key does have a passphrase. Explicitly prompting
for one breaks all unattended upgrades.

After I knew that the questioned passphrase is the one of a host key,
I just pressed Enter and the upgrade continued and successfully
finished.

It is indeed possible that this box had ancient host keys as they were
always transferred to the new hardware when the hostname moved to
other hardware.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i586)

Kernel: Linux 2.6.32-3-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                 3.112            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.32           Debian configuration management sy
ii  dpkg                    1.15.5.6         Debian package management system
ii  libc6                   2.10.2-6         Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.11-1        common error description library
ii  libgssapi-krb5-2        1.8.1+dfsg-2     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.1+dfsg-2     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-2          Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-2          Runtime support for the PAM librar
ii  libpam0g                1.1.1-2          Pluggable Authentication Modules l
ii  libselinux1             2.0.94-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8n-1         SSL shared libraries
ii  libwrap0                7.6.q-18         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23           Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-2        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-8        /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)
pn  ufw                           <none>     (no description available)

-- debconf information:
* ssh/use_old_init_script: true
  ssh/vulnerable_host_keys:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:5.5p1-3

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.5p1-3_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.5p1-3_i386.udeb
openssh-client_5.5p1-3_i386.deb
  to main/o/openssh/openssh-client_5.5p1-3_i386.deb
openssh-server-udeb_5.5p1-3_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.5p1-3_i386.udeb
openssh-server_5.5p1-3_i386.deb
  to main/o/openssh/openssh-server_5.5p1-3_i386.deb
openssh_5.5p1-3.debian.tar.gz
  to main/o/openssh/openssh_5.5p1-3.debian.tar.gz
openssh_5.5p1-3.dsc
  to main/o/openssh/openssh_5.5p1-3.dsc
ssh-askpass-gnome_5.5p1-3_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.5p1-3_i386.deb
ssh-krb5_5.5p1-3_all.deb
  to main/o/openssh/ssh-krb5_5.5p1-3_all.deb
ssh_5.5p1-3_all.deb
  to main/o/openssh/ssh_5.5p1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 579570@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 28 Apr 2010 22:12:47 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.5p1-3
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 579285 579570
Changes: 
 openssh (1:5.5p1-3) unstable; urgency=low
 .
   * Discard error messages while checking whether rsh, rlogin, and rcp
     alternatives exist (closes: #579285).
   * Drop IDEA key check; I don't think it works properly any more due to
     textual changes in error output, it's only relevant for direct upgrades
     from truly ancient versions, and it breaks upgrades if
     /etc/ssh/ssh_host_key can't be loaded (closes: #579570).
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFL2KcE9t0zAhD6TNERAseHAJ9qo1v/pLDlpPAYwkRgkEgs6IpMrQCeJHaQ
+Dh0D/ADxl13tK5fN8dYfF8=
=zHJO
-----END PGP SIGNATURE-----



--- End Message ---
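
Added example, not part of the thread and not code from the Debian openssh package: the removed check ran ssh-keygen -p and grepped its error text, which both prompts when the key cannot be loaded and depends on message wording. The sketch below instead reads the cipher byte from the key file header, so it cannot prompt. The layout it assumes (32-byte magic, one NUL, one cipher byte; 1 = IDEA) is OpenSSH's legacy SSH protocol 1 private key format; the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a legacy SSH protocol 1 private key by its header.
# No ssh-keygen call, so no passphrase prompt and no error-text matching.
# Assumed layout: 32-byte magic ending in newline, one NUL byte, then one
# cipher-type byte (0 = none, 1 = IDEA, 3 = 3DES).

SSH1_MAGIC='SSH PRIVATE KEY FILE FORMAT 1.1'

# ssh1_key_cipher FILE
# Prints one of: missing | not-ssh1 | none | idea | 3des | other:<n>
ssh1_key_cipher() {
    key=$1
    [ -f "$key" ] || { echo missing; return 0; }
    # Command substitution strips the magic's trailing newline.
    magic=$(dd if="$key" bs=1 count=32 2>/dev/null | tr -d '\000')
    [ "$magic" = "$SSH1_MAGIC" ] || { echo not-ssh1; return 0; }
    # The byte at offset 33 (after magic + NUL) is the cipher number.
    cipher=$(dd if="$key" bs=1 skip=33 count=1 2>/dev/null \
        | od -An -tu1 | tr -d ' \n')
    case "$cipher" in
        0) echo none ;;
        1) echo idea ;;
        3) echo 3des ;;
        *) echo "other:${cipher:-truncated}" ;;
    esac
}

# make_ssh1_header FILE CIPHER_NUMBER
# Writes a constructed header only (no key material) as sample input.
make_ssh1_header() {
    {
        printf 'SSH PRIVATE KEY FILE FORMAT 1.1\n\000'
        printf "\\$(printf '%03o' "$2")"
        printf '\000\000\000\000'
    } > "$1"
}

# Demo on a constructed file that mimics an IDEA-encrypted host key header.
tmp=$(mktemp -d)
make_ssh1_header "$tmp/ssh_host_key" 1
echo "ssh_host_key: $(ssh1_key_cipher "$tmp/ssh_host_key")"
rm -rf "$tmp"
```

Because the result comes from fixed header bytes, the check behaves the same whether or not a terminal is attached, which is what an unattended upgrade needs.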
