authorColin Watson <cjwatson@debian.org>2018-08-30 01:00:47 +0100
committerColin Watson <cjwatson@debian.org>2018-08-30 01:01:39 +0100
commit8d7ec0eab1ec3f0836a02c574281e400de45a0ac (patch)
treef6e224a08c5f2a8a5d2b5916d1ec817baddbfa90
parent816386e17654ca36834bebbf351419e460fad8f6 (diff)
parent38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 (diff)
Work around conch interoperability failure
Twisted Conch fails to read private keys in the new format (https://twistedmatrix.com/trac/ticket/9515). Work around this until it can be fixed in Twisted.
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/conch-old-privkey-format.patch71
-rw-r--r--debian/patches/series1
-rw-r--r--regress/Makefile5
-rw-r--r--regress/conch-ciphers.sh2
-rw-r--r--regress/test-exec.sh12
7 files changed, 92 insertions, 5 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 7cfb27f1e..19b6c162b 100644
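--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-16a47fc4b04977a14f44dd433c8da1499fa80671
-16a47fc4b04977a14f44dd433c8da1499fa80671
+38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
+38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
 e6547182a54f0f268ee36e7c99319eeddffbaff2
 e6547182a54f0f268ee36e7c99319eeddffbaff2
 openssh_7.8p1.orig.tar.gz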
diff --git a/debian/changelog b/debian/changelog
index c3502c25a..652b7e27b 100644
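--- a/debian/changelog
+++ b/debian/changelog
@@ -102,6 +102,8 @@ openssh (1:7.8p1-1) UNRELEASED; urgency=medium
  - sshd(8): Expose details of completed authentication to PAM auth
  modules via SSH_AUTH_INFO_0 in the PAM environment.
  * Switch debian/watch to HTTPS.
+ * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
+ regression tests.
 
  -- Colin Watson <cjwatson@debian.org> Fri, 24 Aug 2018 10:13:03 +0100
 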
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
new file mode 100644
index 000000000..ff5be43d8
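--- /dev/null
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -0,0 +1,71 @@
+From 38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Thu, 30 Aug 2018 00:58:56 +0100
+Subject: Work around conch interoperability failure
+
+Twisted Conch fails to read private keys in the new format
+(https://twistedmatrix.com/trac/ticket/9515). Work around this until it
+can be fixed in Twisted.
+
+Forwarded: not-needed
+Last-Update: 2018-08-30
+
+Patch-Name: conch-old-privkey-format.patch
+---
+ regress/Makefile | 5 +++--
+ regress/conch-ciphers.sh | 2 +-
+ regress/test-exec.sh | 12 ++++++++++++
+ 3 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/regress/Makefile b/regress/Makefile
+index 647b4a049..6e462a4f6 100644
+--- a/regress/Makefile
++++ b/regress/Makefile
+@@ -110,8 +110,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
+ modpipe netcat no_identity_config \
+ pidfile putty.rsa2 ready regress.log \
+ remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
+- rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
+- rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
++ rsa1 rsa1-agent rsa1-agent.pub rsa1.pub \
++ rsa_oldfmt rsa_oldfmt.pub \
++ rsa_ssh2_cr.prv rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
+ scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
+ sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
+ ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
+diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
+index 199d863a0..c7df19fd4 100644
+--- a/regress/conch-ciphers.sh
++++ b/regress/conch-ciphers.sh
+@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
+ rm -f ${COPY}
+ # XXX the 2nd "cat" seems to be needed because of buggy FD handling
+ # in conch
+- ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
++ ${CONCH} --identity $OBJ/rsa_oldfmt --port $PORT --user $USER -e none \
+ --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
+ 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
+ if [ $? -ne 0 ]; then
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 40d46e3cd..1bbd47f25 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -504,6 +504,18 @@ REGRESS_INTEROP_CONCH=no
+ if test -x "$CONCH" ; then
+ REGRESS_INTEROP_CONCH=yes
+ fi
++case "$SCRIPT" in
++*conch*) ;;
++*) REGRESS_INTEROP_CONCH=no
++esac
++
++if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
++ # Convert rsa key to old format to work around
++ # https://twistedmatrix.com/trac/ticket/9515
++ cp $OBJ/rsa $OBJ/rsa_oldfmt
++ cp $OBJ/rsa.pub $OBJ/rsa_oldfmt.pub
++ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
++fi
+
+ # If PuTTY is present and we are running a PuTTY test, prepare keys and
+ # configuration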
diff --git a/debian/patches/series b/debian/patches/series
index 1f82bea11..a248f086a 100644
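--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ debian-config.patch
 restore-authorized_keys2.patch
 seccomp-s390-flock-ipc.patch
 seccomp-s390-ioctl-ep11-crypto.patch
+conch-old-privkey-format.patch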
diff --git a/regress/Makefile b/regress/Makefile
index 647b4a049..6e462a4f6 100644
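--- a/regress/Makefile
+++ b/regress/Makefile
@@ -110,8 +110,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
  modpipe netcat no_identity_config \
  pidfile putty.rsa2 ready regress.log \
  remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
- rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
- rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
+ rsa1 rsa1-agent rsa1-agent.pub rsa1.pub \
+ rsa_oldfmt rsa_oldfmt.pub \
+ rsa_ssh2_cr.prv rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
  scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
  sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
  ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \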
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 199d863a0..c7df19fd4 100644
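--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
  rm -f ${COPY}
  # XXX the 2nd "cat" seems to be needed because of buggy FD handling
  # in conch
- ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
+ ${CONCH} --identity $OBJ/rsa_oldfmt --port $PORT --user $USER -e none \
  --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
  127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
  if [ $? -ne 0 ]; then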
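Review bot: The changed `--identity $OBJ/rsa_oldfmt` line carries no marker that it is a temporary workaround; the explanation lives only in test-exec.sh. A comment above the command, such as `# rsa_oldfmt is a PEM-format copy of rsa made in test-exec.sh; revert to $OBJ/rsa once https://twistedmatrix.com/trac/ticket/9515 is fixed`, would let the workaround be found and removed later. The `$?` test on the last visible line follows a pipeline that ends in `cat`, and conch's stderr is discarded, so a key that conch cannot load is probably not reported at this point. The enclosing `for` loop starts and ends outside the hunk.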
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 40d46e3cd..1bbd47f25 100644
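--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -504,6 +504,18 @@ REGRESS_INTEROP_CONCH=no
 if test -x "$CONCH" ; then
  REGRESS_INTEROP_CONCH=yes
 fi
+case "$SCRIPT" in
+*conch*) ;;
+*) REGRESS_INTEROP_CONCH=no
+esac
+
+if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
+ # Convert rsa key to old format to work around
+ # https://twistedmatrix.com/trac/ticket/9515
+ cp $OBJ/rsa $OBJ/rsa_oldfmt
+ cp $OBJ/rsa.pub $OBJ/rsa_oldfmt.pub
+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
+fi
 
 # If PuTTY is present and we are running a PuTTY test, prepare keys and
 # configuration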
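Review bot: The two `cp` calls and the `${SSHKEYGEN} -p` conversion in the new `if` block are not checked, so if the conversion fails `$OBJ/rsa_oldfmt` is left as a plain copy of the new-format key and the run continues. conch-ciphers.sh then hands that file to conch with `2>/dev/null`, which would make the failure look like a cipher interoperability problem rather than a key-preparation one. I would stop at the point of failure, e.g. `${SSHKEYGEN} -p -N '' -m PEM -f "$OBJ/rsa_oldfmt" >/dev/null || fatal "conversion of rsa key to PEM format failed"` (using the script's `fatal` helper, which is defined outside this hunk), and quote `"$OBJ"` in the `cp` lines as well. The block also depends on `$OBJ/rsa` having been generated earlier in the script, which is not visible here.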