FS#45963 - [openssh] 7.0 seems to break connectivity with AUR4

Attached to Project: Arch Linux
Opened by Frederic Bezies (fredbezies) - Wednesday, 12 August 2015, 08:56 GMT
Last edited by Gaetan Bisson (vesath) - Friday, 14 August 2015, 05:11 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description: I faced a bug using OpenSSH 7.0 this morning. When I tried to clone an AUR port that I'm maintaining, I got an error telling me that the git repository was read only.

I had to downgrade to OpenSSH using Archlinux Rollback Machine to version 6.9p1-2. And I had to generate another key to sign my AUR packages.


Steps to reproduce:

Just upgrade to OpenSSH 7.0 and try to grab an AUR package using git clone. You'll get an error message telling you that the repository is read only and you do not have the right to clone a package :(

Closed by  Gaetan Bisson (vesath)
Friday, 14 August 2015, 05:11 GMT
Reason for closing:  Upstream
Additional comments about closing:  News announcement posted.
Comment by Gaetan Bisson (vesath) - Wednesday, 12 August 2015, 12:51 GMT
It still works for me.

However openssh-7.0 deprecated a few moduli deemed vulnerable. The issue is certainly that your key uses one of them. Please generate a new SSH key, upload it to the AUR, and everything should be back to normal. I suggest using `ssh-keygen -t ed25519` to generate a modern, high-security key.
Comment by Doug Newgard (Scimmia) - Wednesday, 12 August 2015, 14:19 GMT
No problem here, either.

vesath, since this update has the possibility of people losing access to their machines, would a news announcement before moving to Core be appropriate? Losing access to the AUR is one thing, but if you rely on ssh to access a remote machine...
Comment by Frederic Bezies (fredbezies) - Wednesday, 12 August 2015, 14:23 GMT
Thanks Gaetan, your tip fixed it for me. I noticed following ssh key generation with rsa was not working for me. A release note will be a great idea. I was surprised this morning when I had to downgrade openssh to gain access to my AUR account and packages :(
Comment by Gaetan Bisson (vesath) - Wednesday, 12 August 2015, 15:03 GMT
An announcement sounds like a good idea but, writing a draft, I realized I don't know of a quick way to determine (before upgrading to openssh-7.0p1) whether a given public SSH key will become deprecated in 7.0p1; that's quite a shame. If anyone has any idea, they'd be welcome.
Comment by Thomas Bächler (brain0) - Thursday, 13 August 2015, 07:51 GMT
From the openssh 7.0 announcement:

* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
by default at run-time. These may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
Comment by Gaetan Bisson (vesath) - Thursday, 13 August 2015, 08:43 GMT
Yes, I originally thought only certain DSA moduli had been deprecated, not the whole key type. Anyhow, the latest news proposal I posted to arch-dev-public should reflect that clearly. I'm hoping to push everything tomorrow.
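
Added example, not part of the original thread or of OpenSSH: a shell check for the question raised above of how to tell, before upgrading, which public keys are affected. It flags keys of the types the quoted announcement says are disabled by default (ssh-dss and ssh-dss-cert-*). The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find public keys of the types OpenSSH 7.0 disables by default
# (ssh-dss and ssh-dss-cert-*, per the release announcement quoted in the thread).

# find_dss_keys FILE...
# Prints "file:line: type" for each affected key.
# Returns 0 if at least one was found, 1 if none.
find_dss_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            # authorized_keys lines may carry options before the key type,
            # so accept a type field only when a base64 key blob follows it
            # (blobs begin with a 4-byte length, which encodes as "AAAA").
            for (i = 1; i < NF; i++) {
                if ($i ~ /^ssh-dss(-cert-.*)?$/ && $(i + 1) ~ /^AAAA/) {
                    printf "%s:%d: %s\n", FILENAME, FNR, $i
                    found = 1
                    break
                }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample in authorized_keys format; the blobs are truncated
# placeholders, not real keys.
sample_keys() {
    cat <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2E...placeholder user@laptop
ssh-dss AAAAB3NzaC1kc3M...placeholder user@old-desktop
command="/usr/bin/true",no-pty ssh-dss AAAAB3NzaC1kc3M...placeholder backup@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...placeholder user@new
EOF
}

# With file arguments, scan them; with none, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    find_dss_keys "$@"
else
    sample_keys | find_dss_keys -
fi
```

Typical inputs are `~/.ssh/*.pub`, `~/.ssh/authorized_keys` on the machines you log in to, and the output of `ssh-add -L` saved to a file.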
