Your message dated Mon, 21 Oct 2024 17:34:08 +0000
with message-id <E1t2wIC-004rql-Bx@fasolo.debian.org>
and subject line Bug#1041521: fixed in openssh 1:9.9p1-2
has caused the Debian Bug report #1041521,
regarding OpenSSH: problematic interaction between GSSAPI Key Exchange and publickey in 8.9p1 and newer
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1041521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041521
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: "submit@bugs.debian.org" <submit@bugs.debian.org>
- Subject: OpenSSH: problematic interaction between GSSAPI Key Exchange and publickey in 8.9p1 and newer
- From: Sergio Gelato <sergio.gelato@astro.su.se>
- Date: Thu, 20 Jul 2023 09:17:34 +0000
- Message-id: <30b98865a5e749249d3843f2c95bb133@astro.su.se>
Source: openssh
Version: 1:9.2p1-2

Symptom: ssh fails with "sign_and_send_pubkey: internal error: initial hostkey not recorded".

This issue was reported upstream in https://bugzilla.mindrot.org/show_bug.cgi?id=3406 and rejected because it's a flaw in the GSSAPI key exchange patch. However, Damien Miller was kind enough to provide a hint in Comment 2.

To trigger it, one needs to
(a) perform a successful GSSAPI key exchange,
(b) attempt public key authentication.
(In addition, the client and the server must both have the hostbound authentication protocol extension enabled for the problem to manifest itself. This is on by default in bookworm.)

This is probably not a very common combination, but it can happen if one has Kerberos credentials for the correct realm but the wrong user, and a private key for the right user.

I suppose an ambitious developer might try to provide a functional equivalent to the host key binding that leverages the GSSAPI key exchange, instead of Damien Miller's one-statement suggestion.

A likely workaround for affected clients until this gets fixed is to set pubkeyauthentication=unbound as needed.
--- End Message ---
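A check for the client-side conditions named in the report above (GSSAPI key exchange enabled, public key authentication not set to unbound), added here as an example and not part of the original message. It assumes the GSSAPI-patched ssh lists `gssapikeyexchange` in `ssh -G` output; the function name and the sample host are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report). Feed it the output of `ssh -G <host>`.
# Assumption: the GSSAPI-patched client prints "gssapikeyexchange" in that output.

# Prints one of:
#   exposed         GSSAPI key exchange enabled and host-bound pubkey signatures allowed
#   workaround      GSSAPI key exchange enabled, PubkeyAuthentication set to unbound
#   not-applicable  GSSAPI key exchange off (or not reported), or pubkey auth disabled
classify_ssh_config() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "gssapikeyexchange"    { gss = val }
        key == "pubkeyauthentication" { pk = val }
        END {
            if (gss != "yes" && gss != "true") { print "not-applicable"; exit }
            if (pk == "no" || pk == "false")   { print "not-applicable"; exit }
            if (pk == "unbound")               { print "workaround"; exit }
            print "exposed"   # yes/true/host-bound, or option absent (default on)
        }'
}

# Constructed samples in the "key value" form that `ssh -G` prints.
SAMPLE_DEFAULT='hostname login.example.org
gssapikeyexchange yes
pubkeyauthentication true'
SAMPLE_UNBOUND='hostname login.example.org
gssapikeyexchange yes
pubkeyauthentication unbound'
SAMPLE_NO_GSSKEX='hostname login.example.org
gssapikeyexchange no
pubkeyauthentication true'

for s in "$SAMPLE_DEFAULT" "$SAMPLE_UNBOUND" "$SAMPLE_NO_GSSKEX"; do
    printf '%s\n' "$s" | classify_ssh_config
done
```

Run it as `ssh -G somehost | classify_ssh_config`. A result of `exposed` means only that the client configuration permits the combination described in the report; the server must also have the host-bound extension enabled for the failure to occur.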
--- Begin Message ---
- To: 1041521-close@bugs.debian.org
- Subject: Bug#1041521: fixed in openssh 1:9.9p1-2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 21 Oct 2024 17:34:08 +0000
- Message-id: <E1t2wIC-004rql-Bx@fasolo.debian.org>
- Reply-to: Colin Watson <cjwatson@debian.org>
Source: openssh
Source-Version: 1:9.9p1-2
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1041521@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 21 Oct 2024 18:24:07 +0100
Source: openssh
Architecture: source
Version: 1:9.9p1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1041521
Changes:
 openssh (1:9.9p1-2) unstable; urgency=medium
 .
   * Don't prefer host-bound public key signatures if there was no initial host key, as is the case when using GSS-API key exchange (closes: #1041521).
   * Use runuser rather than sudo in autopkgtests where possible, avoiding a dependency.
--- End Message ---