Bug 57115 - univention-ssh: too much catch IOError
Status: NEW
Product: UCS
Classification: Unclassified
Component: SSH
UCS 5.0
Other Linux
P5 normal
Assigned To: UCS maintainers
https://git.knut.univention.de/univen...
Reported: 2024-03-06 10:03 CET by Philipp Hahn
Modified: 2024-03-08 16:34 CET
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.017
Bug group (optional): bitesize

Description Philipp Hahn univentionstaff 2024-03-06 10:03:42 CET
```
Traceback (most recent call last):
  File "/usr/lib/univention-ssh/univention-ssh-askpass", line 278, in <module>
    print('Failed to read password from %s' % (pw_filename,), file=sys.stderr)
NameError: name 'pw_filename' is not defined
```

Not all IOErrors are caused by not being able to read the PW.
- [ ] Please refactor base/univention-ssh/univention-ssh.in to only catch IOError→OSError when opening file.
- [ ] Convert to Python3 only code.
- [ ] Add type annotations
- [ ] …
Comment 1 Philipp Hahn univentionstaff 2024-03-06 10:04:23 CET
1 times in /root/ucs-test.log:
https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-6/job/AutotestJoin/SambaVersion=no-samba,Systemrolle=master/ws/test/ucs-test.log
```
Traceback (most recent call last):
  File "/usr/lib/univention-ssh/univention-ssh-askpass", line 152, in <module>
    print(os.environ[UNIVENTION_SSH_ASKPASS_ENV], end="")
BrokenPipeError: [Errno 32] Broken pipe
```

1 times in /root/ucs-test.log:
https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-6/job/AutotestJoin/SambaVersion=no-samba,Systemrolle=master/ws/test/ucs-test.log
```
Traceback (most recent call last):
  File "/usr/lib/univention-ssh/univention-ssh-askpass", line 278, in <module>
    print('Failed to read password from %s' % (pw_filename,), file=sys.stderr)
NameError: name 'pw_filename' is not defined
```
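The failure chain in the two tracebacks above, reproduced as an added example that is not code from univention-ssh-askpass: a broad `except IOError` also catches the `BrokenPipeError` from writing the password, and the handler then touches a name that was never assigned. The function names, the `EXAMPLE_*` variable names, the exit code 2 and the `ClosedPipe` stub are assumptions made for illustration.

```python
import errno
import io

ENV = "EXAMPLE_ASKPASS_PW"    # hypothetical name, stands in for the script's variable
PW_FILE = "EXAMPLE_PW_FILE"   # hypothetical name

class ClosedPipe(io.StringIO):
    """Constructed stand-in for a stdout whose reader has already exited."""
    def write(self, s):
        raise BrokenPipeError(errno.EPIPE, "Broken pipe")

def askpass_broad(env, out, err):
    """Reported pattern: one handler around both the file read and the output."""
    try:
        if ENV in env:
            print(env[ENV], end="", file=out)      # EPIPE is raised here ...
        else:
            pw_filename = env[PW_FILE]
            with open(pw_filename) as fd:
                print(fd.read().rstrip("\n"), end="", file=out)
    except IOError:  # ... and IOError is OSError in Python 3, so it is caught here
        # pw_filename was never bound on the env path: NameError
        # (UnboundLocalError inside a function, which is a NameError subclass)
        print("Failed to read password from %s" % (pw_filename,), file=err)
        return 1
    return 0

def askpass_narrow(env, out, err):
    """Refactored form: OSError is caught only around opening/reading the file."""
    if ENV in env:
        password = env[ENV]
    else:
        pw_filename = env[PW_FILE]
        try:
            with open(pw_filename) as fd:
                password = fd.read().rstrip("\n")
        except OSError as exc:
            print("Failed to read password from %s: %s" % (pw_filename, exc.strerror), file=err)
            return 1
    try:
        print(password, end="", file=out)
    except BrokenPipeError:
        return 2  # reader went away; nothing to report about the password file
    return 0
```
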
Comment 2 Philipp Hahn univentionstaff 2024-03-07 10:08:51 CET
```
	rsa1) filename='/etc/ssh/ssh_host_key'; [ "$bits" -ge 768 ] || die "minimum 768" ;;
	dsa) [ "$bits" -eq 1024 ] || die "only 1024" ;;
	rsa) [ "$bits" -ge 768 ] || die "minimum 768" ;;
```

are deprecated as they are insecure; they still use SHA1, broken since 2017, or only allow 1k bits, which is too weak:
- rsa1 8.7 2021-08-20
- dsa 8.9 2022-02-23
- rsa: minimum key size is 1k

See https://git.knut.univention.de/univention/ucs/-/merge_requests/1093