author | Colin Watson <cjwatson@debian.org> | 2018-08-30 01:00:47 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-08-30 01:01:39 +0100 |
commit | 8d7ec0eab1ec3f0836a02c574281e400de45a0ac (patch) | |
tree | f6e224a08c5f2a8a5d2b5916d1ec817baddbfa90 | |
parent | 816386e17654ca36834bebbf351419e460fad8f6 (diff) | |
parent | 38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 (diff) |
Work around conch interoperability failure
Twisted Conch fails to read private keys in the new format
(https://twistedmatrix.com/trac/ticket/9515). Work around this until it
can be fixed in Twisted.
-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches/conch-old-privkey-format.patch | 71 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | regress/Makefile | 5 | ||||
-rw-r--r-- | regress/conch-ciphers.sh | 2 | ||||
-rw-r--r-- | regress/test-exec.sh | 12 |
7 files changed, 92 insertions, 5 deletions
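--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-16a47fc4b04977a14f44dd433c8da1499fa80671
-16a47fc4b04977a14f44dd433c8da1499fa80671
+38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
+38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
 e6547182a54f0f268ee36e7c99319eeddffbaff2
 e6547182a54f0f268ee36e7c99319eeddffbaff2
 openssh_7.8p1.orig.tar.gz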
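--- a/debian/changelog
+++ b/debian/changelog
@@ -102,6 +102,8 @@ openssh (1:7.8p1-1) UNRELEASED; urgency=medium
 - sshd(8): Expose details of completed authentication to PAM auth
 modules via SSH_AUTH_INFO_0 in the PAM environment.
 * Switch debian/watch to HTTPS.
+* Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
+regression tests.
 
 -- Colin Watson <cjwatson@debian.org> Fri, 24 Aug 2018 10:13:03 +0100
 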
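--- /dev/null
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -0,0 +1,71 @@
+From 38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Thu, 30 Aug 2018 00:58:56 +0100
+Subject: Work around conch interoperability failure
+
+Twisted Conch fails to read private keys in the new format
+(https://twistedmatrix.com/trac/ticket/9515). Work around this until it
+can be fixed in Twisted.
+
+Forwarded: not-needed
+Last-Update: 2018-08-30
+
+Patch-Name: conch-old-privkey-format.patch
+---
+regress/Makefile | 5 +++--
+regress/conch-ciphers.sh | 2 +-
+regress/test-exec.sh | 12 ++++++++++++
+3 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/regress/Makefile b/regress/Makefile
+index 647b4a049..6e462a4f6 100644
+--- a/regress/Makefile
++++ b/regress/Makefile
+@@ -110,8 +110,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
+modpipe netcat no_identity_config \
+pidfile putty.rsa2 ready regress.log \
+remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
+- rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
+- rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
++ rsa1 rsa1-agent rsa1-agent.pub rsa1.pub \
++ rsa_oldfmt rsa_oldfmt.pub \
++ rsa_ssh2_cr.prv rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
+scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
+sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
+ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
+diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
+index 199d863a0..c7df19fd4 100644
+--- a/regress/conch-ciphers.sh
++++ b/regress/conch-ciphers.sh
+@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
+rm -f ${COPY}
+# XXX the 2nd "cat" seems to be needed because of buggy FD handling
+# in conch
+- ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
++ ${CONCH} --identity $OBJ/rsa_oldfmt --port $PORT --user $USER -e none \
+--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
+127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
+if [ $? -ne 0 ]; then
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 40d46e3cd..1bbd47f25 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -504,6 +504,18 @@ REGRESS_INTEROP_CONCH=no
+if test -x "$CONCH" ; then
+REGRESS_INTEROP_CONCH=yes
+fi
++case "$SCRIPT" in
++*conch*) ;;
++*) REGRESS_INTEROP_CONCH=no
++esac
++
++if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
++ # Convert rsa key to old format to work around
++ # https://twistedmatrix.com/trac/ticket/9515
++ cp $OBJ/rsa $OBJ/rsa_oldfmt
++ cp $OBJ/rsa.pub $OBJ/rsa_oldfmt.pub
++ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
++fi
+
+# If PuTTY is present and we are running a PuTTY test, prepare keys and
+# configuration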
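--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ debian-config.patch
 restore-authorized_keys2.patch
 seccomp-s390-flock-ipc.patch
 seccomp-s390-ioctl-ep11-crypto.patch
+conch-old-privkey-format.patch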
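--- a/regress/Makefile
+++ b/regress/Makefile
@@ -110,8 +110,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
 modpipe netcat no_identity_config \
 pidfile putty.rsa2 ready regress.log \
 remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
-rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
-rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
+rsa1 rsa1-agent rsa1-agent.pub rsa1.pub \
+rsa_oldfmt rsa_oldfmt.pub \
+rsa_ssh2_cr.prv rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \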
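--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
 rm -f ${COPY}
 # XXX the 2nd "cat" seems to be needed because of buggy FD handling
 # in conch
-${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
+${CONCH} --identity $OBJ/rsa_oldfmt --port $PORT --user $USER -e none \
 --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
 if [ $? -ne 0 ]; then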
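Review bot: The new `--identity $OBJ/rsa_oldfmt` argument depends on a file that test-exec.sh creates only when `REGRESS_INTEROP_CONCH` is `yes`, and nothing in the visible lines checks that the file exists or was actually converted. Conch's stderr goes to `/dev/null` and the `$?` tested on the last line belongs to the trailing `cat`, so a key that conch cannot load would probably show up only as an unexplained mismatch later in the loop. A guard ahead of the loop such as `test -f $OBJ/rsa_oldfmt || fatal "rsa_oldfmt missing"` would separate setup failures from cipher failures, assuming the `fatal` helper from test-exec.sh is in scope. The loop starts and ends outside this hunk, so an existing check may already cover this.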
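--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -504,6 +504,18 @@ REGRESS_INTEROP_CONCH=no
 if test -x "$CONCH" ; then
 REGRESS_INTEROP_CONCH=yes
 fi
+case "$SCRIPT" in
+*conch*) ;;
+*) REGRESS_INTEROP_CONCH=no
+esac
+
+if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
+# Convert rsa key to old format to work around
+# https://twistedmatrix.com/trac/ticket/9515
+cp $OBJ/rsa $OBJ/rsa_oldfmt
+cp $OBJ/rsa.pub $OBJ/rsa_oldfmt.pub
+${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
+fi
 
 # If PuTTY is present and we are running a PuTTY test, prepare keys and
 # configuration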
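Review bot: The exit status of the two `cp` calls and of the `${SSHKEYGEN} -p -N '' -m PEM` conversion in the new `if` block is never checked. If the rewrite fails, `$OBJ/rsa_oldfmt` stays a plain copy of the new-format key, and the conch test then fails with the very symptom from ticket 9515 instead of a clear setup error. I would make the conversion fatal, e.g. `${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null || fatal "PEM conversion of rsa key failed"`, assuming the script's `fatal` helper is defined above this point. The file is an unencrypted private key in the legacy format, so it is also worth a short comment that it is a throwaway test key that the `CLEANFILES` addition removes. The same lines are carried in debian/patches/conch-old-privkey-format.patch and would need the identical change.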