Bug#926613: openssh-server: Locked out of server after upgrading to buster.

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
From: Sam Bull <dreamsorcerer@gmail.com>
Date: Sun, 07 Apr 2019 20:36:11 +0000
Message-id: <[🔎] 155466937113.3519.10482984860761192916.reportbug@nginx>
Reply-to: Sam Bull <dreamsorcerer@gmail.com>, 926613@bugs.debian.org

Package: openssh-server
Severity: serious
Justification: Policy 8.2

Dear Maintainer,

Due to a change in how some options are handled in sshd_config, upgrading to buster can result in the user getting locked out of their system if the config is not updated.

Probably the most likely cause (and what occurred to me) is if the PubkeyAcceptedKeyTypes includes ssh-rsa and the admin logs in with an RSA key. After upgrading, the user will no longer be able to connect to the server.
The solution for this case is to replace ssh-rsa with rsa-sha2-256,rsa-sha2-512.

At the very least this needs to be mentioned in the upgrade instructions in the release notes for buster.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-47-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_GB:en (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.6
ii  libaudit1              1:2.8.4-2
ii  libc6                  2.28-8
ii  libcom-err2            1.44.5-1
ii  libgssapi-krb5-2       1.17-2
ii  libkrb5-3              1.17-2
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1b-1
ii  libsystemd0            241-1
pn  libwrap0               <none>
ii  lsb-base               10.2019031300
ii  openssh-client         1:7.9p1-9
pn  openssh-sftp-server    <none>
pn  procps                 <none>
pn  ucf                    <none>
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd  241-1
pn  ncurses-term    <none>
ii  xauth           1:1.0.10-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

Reply to:

Follow-Ups:
- Bug#926613: openssh-server: Locked out of server after upgrading to buster.
  - From: Colin Watson <cjwatson@debian.org>
- Processed: Re: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#926229: New QoS defaults break systems running on VMWare
Next by Date: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
Previous by thread: Bug#923879: Related bug 926229
Next by thread: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
Index(es):
- Date
- Thread