
Bug#734553: marked as done (ssh-agent: monotonic clock for key lifetime produces unexpected results on laptops)



Your message dated Thu, 09 Oct 2014 15:53:58 +0000
with message-id <E1XcG2Q-0002G6-42@franck.debian.org>
and subject line Bug#734553: fixed in openssh 1:6.7p1-1
has caused the Debian Bug report #734553,
regarding ssh-agent: monotonic clock for key lifetime produces unexpected results on laptops
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
734553: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734553
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:6.4p1-2
Severity: normal

The ssh-agent program, I discovered, uses CLOCK_MONOTONIC for determining
key expiration.  I'm not sure if this is new, or if the kernel/libc changed
something in a recent update, or if I simply didn't notice this before, but
I've found it produces some rather unexpected behavior on laptops that go to
sleep.

Example: I'm going to work remotely on a Friday.  I ssh-add -t $((3600*8))
to have the key expire after my work day completes.  I finish after only 6
hours of work, however, and so I put the laptop to sleep.  I wake it up
Monday morning after it's been asleep for over 48 hours, and find that the
key is still in the agent, and will be for 2 hours!

According to some googling and reading, CLOCK_MONOTONIC is not /supposed/ to
work this way regarding suspend time according to the spec, but it seems like
it long (always) has in the Linux kernel (cf.
https://lkml.org/lkml/2014/1/1/57 and surrounding thread).

PS: $ uname -a
Linux bengal 3.11-2-amd64 #1 SMP Debian 3.11.10-1 (2013-12-04) x86_64 GNU/Linux

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.5
ii  libc6             2.17-97
ii  libedit2          3.1-20130712-2
ii  libgssapi-krb5-2  1.11.3+dfsg-3+nmu1
ii  libselinux1       2.2.1-1
ii  libssl1.0.0       1.0.1e-6
ii  passwd            1:4.1.5.1-1
ii  zlib1g            1:1.2.8.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain                              <none>
pn  libpam-ssh                            <none>
pn  monkeysphere                          <none>
ii  openssh-blacklist                     0.4.1+nmu1
ii  openssh-blacklist-extra               0.4.1+nmu1
ii  ssh-askpass-fullscreen [ssh-askpass]  0.3-3.1

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:6.7p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 734553@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Oct 2014 14:05:56 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:6.7p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 236718 734553
Changes:
 openssh (1:6.7p1-1) unstable; urgency=medium
 .
   * New upstream release (http://www.openssh.com/txt/release-6.7):
     - sshd(8): The default set of ciphers and MACs has been altered to
       remove unsafe algorithms.  In particular, CBC ciphers and arcfour* are
       disabled by default.  The full set of algorithms remains available if
       configured explicitly via the Ciphers and MACs sshd_config options.
     - ssh(1), sshd(8): Add support for Unix domain socket forwarding.  A
       remote TCP port may be forwarded to a local Unix domain socket and
       vice versa or both ends may be a Unix domain socket (closes: #236718).
     - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519
       key types.
     - sftp(1): Allow resumption of interrupted uploads.
     - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is
       the same as the one sent during initial key exchange.
     - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses
       when GatewayPorts=no; allows client to choose address family.
     - sshd(8): Add a sshd_config PermitUserRC option to control whether
       ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
       option.
     - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that
       expands to a unique identifier based on a hash of the tuple of (local
       host, remote user, hostname, port).  Helps avoid exceeding miserly
       pathname limits for Unix domain sockets in multiplexing control paths.
     - sshd(8): Make the "Too many authentication failures" message include
       the user, source address, port and protocol in a format similar to the
       authentication success / failure messages.
     - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
       available. It considers time spent suspended, thereby ensuring
       timeouts (e.g. for expiring agent keys) fire correctly (closes:
       #734553).
     - Use prctl() to prevent sftp-server from accessing
       /proc/self/{mem,maps}.
   * Restore TCP wrappers support, removed upstream in 6.7.  It is true that
     dropping this reduces preauth attack surface in sshd.  On the other
     hand, this support seems to be quite widely used, and abruptly dropping
     it (from the perspective of users who don't read openssh-unix-dev) could
     easily cause more serious problems in practice.  It's not entirely clear
     what the right long-term answer for Debian is, but it at least probably
     doesn't involve dropping this feature shortly before a freeze.
   * Replace patch to disable OpenSSL version check with an updated version
     of Kurt Roeckx's patch from #732940 to just avoid checking the status
     field.
   * Build-depend on a new enough dpkg-dev for dpkg-buildflags, rather than
     simply a new enough dpkg.
   * Simplify debian/rules using /usr/share/dpkg/buildflags.mk.
   * Use Package-Type rather than XC-Package-Type, now that it is an official
     field.
   * Run a subset of the upstream regression test suite at package build
     time, and the rest of it under autopkgtest.
Checksums-Sha1:
 432b4f60be0d6689db6d729a242832949f1736e1 2737 openssh_6.7p1-1.dsc
 14e5fbed710ade334d65925e080d1aaeb9c85bf6 1351367 openssh_6.7p1.orig.tar.gz
 0c2a6f1890418afec40e77574c4ab36bbc5c6636 146236 openssh_6.7p1-1.debian.tar.xz
 c4b5841fc93fff6e980b16ed62e02b771ae8ae85 748150 openssh-client_6.7p1-1_i386.deb
 fa2be96c67a06e2fb784c8bbc03acd14c40efee9 368586 openssh-server_6.7p1-1_i386.deb
 e553223a27503101fabe29db196254e6a1781a71 42744 openssh-sftp-server_6.7p1-1_i386.deb
 dcc3995c353b6212139a36fde77352a47e787e65 118890 ssh_6.7p1-1_all.deb
 0ae5b8674b11717dd1fd3eab6274248a46004965 118708 ssh-krb5_6.7p1-1_all.deb
 8e2dbb5afa2af97e4910d296c05e86456036a387 126526 ssh-askpass-gnome_6.7p1-1_i386.deb
 06259df5aa27a3f159c3a82c68fd4e0c0b607eb5 265248 openssh-client-udeb_6.7p1-1_i386.udeb
 5f655b93386f6b49fa5e040b4f70739d94160835 292376 openssh-server-udeb_6.7p1-1_i386.udeb
Checksums-Sha256:
 43bf6648c00aafbe3d435957977b6438bcfc01847fe4225822f85f29db55f565 2737 openssh_6.7p1-1.dsc
 b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 1351367 openssh_6.7p1.orig.tar.gz
 a88f23aa65eb504a6e27dbf68a24ee99d7402b736982f93dba636d31198cc62d 146236 openssh_6.7p1-1.debian.tar.xz
 a5a92bbe55e6f2bc47f2d7485efa31c7e8fc3e92e0929625cea7958b33895728 748150 openssh-client_6.7p1-1_i386.deb
 7f80665b507ddb7466706a14efdae31e38f46dfd9a681bcd5f737db194ca4875 368586 openssh-server_6.7p1-1_i386.deb
 975066291f0e31357b2ee6e490d922bdbf3ff550ac29eae770ec8fdce72af53a 42744 openssh-sftp-server_6.7p1-1_i386.deb
 4416339947c551ae7358d0583dc0c85031de12ece8d9c5ca636891323b089d5e 118890 ssh_6.7p1-1_all.deb
 041c859808016cfd2d626b9f8ec011643bd5a5655dd2dd3873b990ea036cc153 118708 ssh-krb5_6.7p1-1_all.deb
 3f991cd5a7220fe8b4d2c335b4a14230ae8582fa35420f2704ab04ede51b8c3f 126526 ssh-askpass-gnome_6.7p1-1_i386.deb
 1c1ebcb572d56b75fd44bf50d3e232f061c7cd30ed8a6536338f7bd43b3613ef 265248 openssh-client-udeb_6.7p1-1_i386.udeb
 c71b44a848bb7f08982af1ca18d06255a75b43efd45c04cad6c826f5d59db736 292376 openssh-server-udeb_6.7p1-1_i386.udeb
Files:
 e867bfe76227ac6bdad2308a0f54e0b7 2737 net standard openssh_6.7p1-1.dsc
 3246aa79317b1d23cae783a3bf8275d6 1351367 net standard openssh_6.7p1.orig.tar.gz
 26ee6aaddc210157a822cc7bb65f79dd 146236 net standard openssh_6.7p1-1.debian.tar.xz
 7709323e0c5ee8e514eacf4c65e47797 748150 net standard openssh-client_6.7p1-1_i386.deb
 ca6ad627a00b3ce0c0caf3e168a33f3f 368586 net optional openssh-server_6.7p1-1_i386.deb
 c4fcb98f5fd50a52d4581fa45e4770be 42744 net optional openssh-sftp-server_6.7p1-1_i386.deb
 b3b7c40c3492a975fb85b766ef3fba93 118890 net extra ssh_6.7p1-1_all.deb
 6ba982c5a81d8a5edfe6834f52553749 118708 oldlibs extra ssh-krb5_6.7p1-1_all.deb
 8d243dcea350afef2d0f76f89118d5ca 126526 gnome optional ssh-askpass-gnome_6.7p1-1_i386.deb
 36899d041f2462cb9f6706f68b8c3a3d 265248 debian-installer optional openssh-client-udeb_6.7p1-1_i386.udeb
 d13ee9f17fee08edcbe6c48473c0f84c 292376 debian-installer optional openssh-server-udeb_6.7p1-1_i386.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----

--- End Message ---
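The scenario in the original report (key added with ssh-add -t for 8 hours, 6 hours awake, then about 48 hours suspended) and the CLOCK_BOOTTIME change listed in the 6.7p1 changelog above, worked through as an added example. This is illustrative C written for this page, not OpenSSH's own monotime() code; the timeline numbers are constructed from the report, and lifetime_clock(), key_expired() and key_remaining() are names chosen here, not agent APIs. It builds with gcc -std=c11 on Linux (add -lrt on glibc older than 2.17); on systems without CLOCK_BOOTTIME the #ifdef falls back to CLOCK_MONOTONIC.

```c
/* Added example: a key-lifetime timer on a clock that stops during suspend
 * (CLOCK_MONOTONIC on Linux) versus one that keeps counting (CLOCK_BOOTTIME),
 * plus the clock preference OpenSSH 6.7 switched to. Illustrative code, not
 * OpenSSH's implementation. */
#define _GNU_SOURCE            /* expose CLOCK_BOOTTIME in glibc's <time.h> */
#include <stdio.h>
#include <time.h>

/* Prefer CLOCK_BOOTTIME (Linux >= 2.6.39; includes time spent suspended);
 * fall back to CLOCK_MONOTONIC where it is missing or unsupported. */
static clockid_t lifetime_clock(void)
{
#ifdef CLOCK_BOOTTIME
    struct timespec ts;
    if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
        return CLOCK_BOOTTIME;
#endif
    return CLOCK_MONOTONIC;
}

/* Seconds on the lifetime clock: what an agent would stamp a key with.
 * Returns -1 if the clock cannot be read. */
static time_t monotime(void)
{
    struct timespec ts;
    if (clock_gettime(lifetime_clock(), &ts) != 0)
        return -1;
    return ts.tv_sec;
}

/* Expiry check that does not care which clock produced the readings.
 * A lifetime of 0 means "never expires", as with ssh-add without -t. */
static int key_expired(time_t added, time_t lifetime, time_t now)
{
    return lifetime > 0 && now - added >= lifetime;
}

/* Seconds left before expiry; 0 if already expired or if no lifetime. */
static time_t key_remaining(time_t added, time_t lifetime, time_t now)
{
    if (lifetime <= 0 || now - added >= lifetime)
        return 0;
    return lifetime - (now - added);
}

/* Simulated laptop timeline (constructed numbers, not measurements): the
 * machine is awake for `awake` seconds, then suspended for `suspended`
 * seconds. The two readers model how the two Linux clocks advance. */
static time_t read_monotonic(time_t awake, time_t suspended)
{
    (void)suspended;           /* suspend-blind: the bug in the report */
    return awake;
}

static time_t read_boottime(time_t awake, time_t suspended)
{
    return awake + suspended;  /* suspend-aware: the 6.7 behaviour */
}

/* Remaining lifetime of a key added at t=0, as each clock would see it. */
static time_t remaining_monotonic(time_t lifetime, time_t awake, time_t suspended)
{
    return key_remaining(0, lifetime, read_monotonic(awake, suspended));
}

static time_t remaining_boottime(time_t lifetime, time_t awake, time_t suspended)
{
    return key_remaining(0, lifetime, read_boottime(awake, suspended));
}

int main(void)
{
    /* Friday: ssh-add -t $((3600*8)); work 6h; suspend 48h until Monday. */
    const time_t lifetime = 8 * 3600, awake = 6 * 3600, suspended = 48 * 3600;

    printf("CLOCK_MONOTONIC view: %ld s left, expired=%d\n",
           (long)remaining_monotonic(lifetime, awake, suspended),
           key_expired(0, lifetime, read_monotonic(awake, suspended)));
    printf("CLOCK_BOOTTIME view:  %ld s left, expired=%d\n",
           (long)remaining_boottime(lifetime, awake, suspended),
           key_expired(0, lifetime, read_boottime(awake, suspended)));
    printf("this host's lifetime clock counts suspend: %s\n",
           lifetime_clock() == CLOCK_MONOTONIC ? "no" : "yes");
    printf("current reading on that clock: %ld s\n", (long)monotime());
    return 0;
}
```

The suspend-blind view reports 7200 seconds left on Monday morning, which is exactly the "still in the agent for 2 hours" the reporter saw; the suspend-aware view reports the key as already expired. The clock choice is the only thing that changed; the expiry arithmetic is identical, which is why the fix was a one-line clock preference rather than a rewrite of the lifetime logic.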
