Package: openssh-server
Version: 1:7.1p2-1
Severity: serious
Justification: Package fails to install
Hi!
In contrast to the default version shipped in the package, my
/etc/ssh/sshd_config doesn't contain a "Protocol" line since I'm happy
with the default (which is '2' according to the man page).
However, openssh-server's postinst contains these lines:
76 host_keys_required() {
77     hostkeys="$(get_config_option HostKey)"
78     if [ "$hostkeys" ]; then
79         echo "$hostkeys"
80     else
81         # No HostKey directives at all, so the server picks some
82         # defaults depending on the setting of Protocol.
83         protocol="$(get_config_option Protocol)"
84         [ "$protocol" ] || protocol=1,2
85         if echo "$protocol" | grep 1 >/dev/null; then
86             echo /etc/ssh/ssh_host_key
87         fi
[...]
95 }
96
97
98 create_key() {
[...]
105
106     if echo "$hostkeys" | grep -x "$file" >/dev/null && \
107        [ ! -f "$file" ] ; then
108         echo -n $msg
109         ssh-keygen -q -f "$file" -N '' "$@"
[...]
115     fi
116 }
This results in this:
root@shepard:~# apt-get -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up openssh-server (1:7.1p2-1) ...
Creating SSH1 key; this may take some time ...Saving key "/etc/ssh/ssh_host_key" failed: unknown or unsupported key type
dpkg: error processing package openssh-server (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
openssh-server
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@shepard:~#
The reason is that this command fails:
root@shepard:~# ssh-keygen -q -f /etc/ssh/ssh_host_key -N '' -t rsa1
Saving key "/etc/ssh/ssh_host_key" failed: unknown or unsupported key type
root@shepard:~#
A quick search leads to this upstream bug report:
https://bugzilla.mindrot.org/show_bug.cgi?id=2369
To sum things up: It seems that the logic in the postinst script which
is emulating the "-A" option of ssh-keygen is buggy and therefore ran
into the exact same problem as described in the bug report above.
Please consider either defaulting to protocol 2 only in the postinst
(line 84) or (IMHO better) switch to the "-A" option of ssh-keygen.
Best regards
Alexander Kurtz
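The effect of the fallback on line 84, as an added example that is not part of the original report and is not the Debian postinst: it re-creates the quoted selection logic with the fallback Protocol value as a parameter, so the "1,2" default and the proposed "2" default can be compared on a config that has neither a Protocol nor a HostKey line. The body of get_config_option, the extra arguments, the sample config and the protocol 2 key path are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: not the Debian postinst itself.

# Simplified stand-in for the postinst helper of the same name (its body is
# not shown in the report). Assumes exact keyword case and whitespace
# separated values. $1 = config file, $2 = option name.
get_config_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1"
}

# $1 = sshd_config path, $2 = Protocol value assumed when the file sets none
# (the quoted line 84 hard-codes "1,2" here).
host_keys_required() {
    hostkeys="$(get_config_option "$1" HostKey)"
    if [ "$hostkeys" ]; then
        echo "$hostkeys"
        return 0
    fi
    protocol="$(get_config_option "$1" Protocol)"
    [ "$protocol" ] || protocol="$2"
    if echo "$protocol" | grep 1 >/dev/null; then
        echo /etc/ssh/ssh_host_key        # SSH1 key, needs "-t rsa1"
    fi
    if echo "$protocol" | grep 2 >/dev/null; then
        echo /etc/ssh/ssh_host_rsa_key    # assumed protocol 2 entry
    fi
}

# Constructed sample: a config with neither Protocol nor HostKey lines.
sample_config() {
    f="$(mktemp)"
    printf '%s\n' 'Port 22' 'PermitRootLogin no' > "$f"
    echo "$f"
}

cfg="$(sample_config)"
echo "fallback 1,2:"; host_keys_required "$cfg" 1,2
echo "fallback 2:";   host_keys_required "$cfg" 2
rm -f "$cfg"
```

With the "1,2" fallback the list contains /etc/ssh/ssh_host_key, which is the file create_key then tries to generate with the unsupported rsa1 type; with the "2" fallback it does not.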