
Bug#1041521: marked as done (OpenSSH: problematic interaction between GSSAPI Key Exchange and publickey in 8.9p1 and newer)



Your message dated Mon, 21 Oct 2024 17:34:08 +0000
with message-id <E1t2wIC-004rql-Bx@fasolo.debian.org>
and subject line Bug#1041521: fixed in openssh 1:9.9p1-2
has caused the Debian Bug report #1041521,
regarding OpenSSH: problematic interaction between GSSAPI Key Exchange and publickey in 8.9p1 and newer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1041521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041521
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: openssh
Version: 1:9.2p1-2

Symptom: ssh fails with "sign_and_send_pubkey: internal error: initial hostkey not recorded".

This issue was reported upstream in https://bugzilla.mindrot.org/show_bug.cgi?id=3406 and rejected because it's a flaw in the GSSAPI key exchange patch. However, Damien Miller was kind enough to provide a hint in Comment 2.

To trigger it, one needs to (a) perform a successful GSSAPI key exchange, (b) attempt public key authentication. (In addition, the client and the server must both have the hostbound authentication protocol extension enabled for the problem to manifest itself. This is on by default in bookworm.) This is probably not a very common combination, but it can happen if one has Kerberos credentials for the correct realm but the wrong user, and a private key for the right user.

I suppose an ambitious developer might try to provide a functional equivalent to the host key binding that leverages the GSSAPI key exchange, instead of Damien Miller's one-statement suggestion.

A likely workaround for affected clients until this gets fixed is to set pubkeyauthentication=unbound as needed.

--- End Message ---
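The workaround named in the report, scoped to the hosts where the combination can occur instead of being set globally. This is an added example, not part of the original message or of the Debian package; the host pattern `*.corp.example` is a placeholder, and `GSSAPIKeyExchange` is the client option provided by the GSSAPI key exchange patch.

```sshconfig
# ~/.ssh/config  (constructed example; the host pattern is a placeholder)

# Hosts where a GSSAPI key exchange can succeed and publickey
# authentication may be attempted afterwards.
Host *.corp.example
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    # Keep publickey authentication enabled, but do not use the host-bound
    # authentication protocol extension. With a GSSAPI key exchange there is
    # no initial host key for the client to bind the signature to.
    PubkeyAuthentication unbound

# All other hosts keep the default, so host-bound signatures stay in use
# wherever an ordinary host-key-based key exchange takes place.
Host *
    PubkeyAuthentication yes

# One-off equivalent for a single connection:
#   ssh -o PubkeyAuthentication=unbound user@host.corp.example
```

ssh_config(5) describes the host-bound extension as required for restricted ssh-agent forwarding, so keeping `unbound` limited to the affected hosts preserves that protection elsewhere. The stanza can be dropped once the client runs a version carrying the fix.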
--- Begin Message ---
Source: openssh
Source-Version: 1:9.9p1-2
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041521@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 21 Oct 2024 18:24:07 +0100
Source: openssh
Architecture: source
Version: 1:9.9p1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1041521
Changes:
 openssh (1:9.9p1-2) unstable; urgency=medium
 .
   * Don't prefer host-bound public key signatures if there was no initial
     host key, as is the case when using GSS-API key exchange (closes:
     #1041521).
   * Use runuser rather than sudo in autopkgtests where possible, avoiding a
     dependency.
Checksums-Sha1:
 39baaf4feab5d4c13f266186b869650e21296e81 3465 openssh_9.9p1-2.dsc
 0e1fa02b445234e6ffa7c9bd18059c845bc7584d 195704 openssh_9.9p1-2.debian.tar.xz
Checksums-Sha256:
 301dfcef43aebdc603257b515f627f4f98433f957b109c04605702a9f32391e2 3465 openssh_9.9p1-2.dsc
 75f3bd6ec3c54cef10e72e083d4b35b0ddf2cd803903f6235a51a683293c4f4f 195704 openssh_9.9p1-2.debian.tar.xz
Files:
 5f9627ce26fac0425e7939c54bca6773 3465 net standard openssh_9.9p1-2.dsc
 fb5ff0ae41ec1d365600ac6893f2daf8 195704 net standard openssh_9.9p1-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
