Bug#926613: openssh-server: Locked out of server after upgrading to buster.
Package: openssh-server
Severity: serious
Justification: Policy 8.2
Dear Maintainer,
Due to a change in how some options are handled in sshd_config, upgrading to buster can result in the user getting locked out of their system if the config is not updated.
Probably the most likely cause (and what occurred to me) is if the PubkeyAcceptedKeyTypes includes ssh-rsa and the admin logs in with an RSA key. After upgrading, the user will no longer be able to connect to the server.
The solution for this case is to replace ssh-rsa with rsa-sha2-256,rsa-sha2-512.
At the very least this needs to be mentioned in the upgrade instructions in the release notes for buster.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-47-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_GB:en (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.6
ii libaudit1 1:2.8.4-2
ii libc6 2.28-8
ii libcom-err2 1.44.5-1
ii libgssapi-krb5-2 1.17-2
ii libkrb5-3 1.17-2
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1b-1
ii libsystemd0 241-1
pn libwrap0 <none>
ii lsb-base 10.2019031300
ii openssh-client 1:7.9p1-9
pn openssh-sftp-server <none>
pn procps <none>
pn ucf <none>
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd 241-1
pn ncurses-term <none>
ii xauth 1:1.0.10-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
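A pre-upgrade check for the case described in this report, as an added example that is not part of the original bug report or of the openssh-server package. The function name `audit_pubkey_types` is hypothetical; it assumes unquoted, explicit comma-separated lists, reports entries that start with `+` or `-` without evaluating them, and does not expand wildcard patterns.

```shell
#!/bin/sh
# Added example: flag PubkeyAcceptedKeyTypes directives that name ssh-rsa
# but neither rsa-sha2-256 nor rsa-sha2-512 (the lock-out case in this report).
# Usage: audit_pubkey_types /etc/ssh/sshd_config
# Prints one line per directive found; returns 1 if any directive is at risk.
audit_pubkey_types() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value" as well
    tolower($1) == "pubkeyacceptedkeytypes" {  # keywords are case-insensitive
        list = $2
        # A leading + or - modifies the built-in default list rather than
        # replacing it, so the explicit-list check does not apply.
        if (list ~ /^[+-]/) {
            printf "%s:%d: modifies defaults, not evaluated\n", FILENAME, FNR
            next
        }
        n = split(list, t, ",")
        rsa = 0; sha2 = 0; fixed = ""
        for (i = 1; i <= n; i++) {
            if (t[i] == "ssh-rsa") rsa = 1
            if (t[i] == "rsa-sha2-256" || t[i] == "rsa-sha2-512") sha2 = 1
            # Build the replacement proposed in the report.
            item = (t[i] == "ssh-rsa") ? "rsa-sha2-256,rsa-sha2-512" : t[i]
            fixed = fixed (i > 1 ? "," : "") item
        }
        if (rsa && !sha2) {
            printf "%s:%d: AT RISK, suggested: PubkeyAcceptedKeyTypes %s\n", \
                   FILENAME, FNR, fixed
            bad = 1
        } else {
            printf "%s:%d: ok\n", FILENAME, FNR
        }
    }
    END { exit bad + 0 }
    ' "$1"
}
```

Run it against the server's sshd_config before upgrading, and keep an existing session open while restarting sshd so a bad edit can still be reverted.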