Bug#926613: openssh-server: Locked out of server after upgrading to buster.

To: Sam Bull <dreamsorcerer@gmail.com>, 926613@bugs.debian.org
Subject: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 8 Apr 2019 11:07:56 +0100
Message-id: <[🔎] 20190408100756.lvsf5guymg24bjdg@riva.ucam.org>
Reply-to: Colin Watson <cjwatson@debian.org>, 926613@bugs.debian.org
In-reply-to: <[🔎] 155466937113.3519.10482984860761192916.reportbug@nginx>
References: <[🔎] 155466937113.3519.10482984860761192916.reportbug@nginx> <[🔎] 155466937113.3519.10482984860761192916.reportbug@nginx>

Control: reassign -1 release-notes

On Sun, Apr 07, 2019 at 08:36:11PM +0000, Sam Bull wrote:
> Package: openssh-server
> Severity: serious
> Justification: Policy 8.2

Policy 8.2 is "Shared library support files", which seems to have
nothing to do with this.

> Due to a change in how some options are handled in sshd_config, upgrading to buster can result in the user getting locked out of their system if the config is not updated.
> 
> Probably the most likely cause (and what occurred to me) is if the PubkeyAcceptedKeyTypes includes ssh-rsa and the admin logs in with an RSA key. After upgrading, the user will no longer be able to connect to the server.
> The solution for this case is to replace ssh-rsa with rsa-sha2-256,rsa-sha2-512.
> 
> At the very least this needs to be mentioned in the upgrade instructions in the release notes for buster.

This is already documented in openssh's NEWS.Debian file, presented
before upgrade if you use apt-listchanges.  It says:

   * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
     HostbasedAcceptedKeyTypes options have changed.  These now specify
     signature algorithms that are accepted for their respective
     authentication mechanism, where previously they specified accepted key
     types.  This distinction matters when using the RSA/SHA2 signature
     algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
     counterparts.  Configurations that override these options but omit
     these algorithm names may cause unexpected authentication failures (no
     action is required for configurations that accept the default for these
     options).

I don't think I consider it safe to try to mangle this automatically in
people's sshd_config files in this case; the cure could easily be worse
than the disease, and any time I try to do that sort of thing it
generates a flurry of RC bug reports about configuration file
modifications which are always really hard to get right in a
policy-friendly way.

Other than that, for people who don't see or don't fully read the
NEWS.Debian file I already provided, the best I can do is reassign this
to the release notes to lift some of these warnings up to there.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

References:
- Bug#926613: openssh-server: Locked out of server after upgrading to buster.
  - From: Sam Bull <dreamsorcerer@gmail.com>

Prev by Date: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
Next by Date: Processed: Re: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
Previous by thread: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
Next by thread: Processed: Re: Bug#926613: openssh-server: Locked out of server after upgrading to buster.
Index(es):
- Date
- Thread