** Description changed: + [NOTE FOR SRU TEAM] + + I would prefer that vorlon review the attached patch before the upload + is accepted. I will remove this note when that has happened. + [Impact] Users with /etc/ssh/sshd_config's that contain ListenAddress entries with the port specified will not be migrated to socket-activated ssh correctly, or may be migrated when they should not be (e.g. if ListenAddress, with a port number, is specified more than once). This leaves users with a broken sshd configuration. [Test Plan] There are 4 tests that should be used to verify the fix: 1. Upgrade to Kinetic with just one ListenAddress entry, which specifies port number. - * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the following: - + * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the + following: + [...defaults everywhere else...] #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: ListenAddress 0.0.0.0:1234 [...defaults everywhere else...] * Run `systemctl restart ssh.service` and confirm that the new configuration works as expected. * Before running the upgrade, make sure -proposed is enabled. * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal in /etc/update-manager/release-upgrades if needed). * On an affected system, ssh.socket will fail with `bad-setting` because /etc/systemd/system/ssh.socket.d/address.conf contains: [Socket] ListenStream= * On a patched system, ssh.socket will be active/listening, and /etc/systemd/system/ssh.socket.d/addresses.conf will contain the following: [Socket] ListenStream= - ListenStream=0.0.0.0:1234 + ListenStream=0.0.0.0:1234 2. Upgrade to Kinetic with multiple ListenAddress entries, each specifying port number. - * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the following: - + * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the + following: + [...defaults everywhere else...] 
#Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: ListenAddress 0.0.0.0:1234 ListenAddress [::]:4321 [...defaults everywhere else...] * Run `systemctl restart ssh.service` and confirm that the new configuration works as expected. * Before running the upgrade, make sure -proposed is enabled. * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal in /etc/update-manager/release-upgrades if needed). * On an affected system, migration will be attempted despite the multiple ListenAddress options, and ssh.socket will fail with `bad-setting` because /etc/systemd/system/ssh.socket.d/address.conf contains: [Socket] ListenStream= * On a patched system, the ListenAddress option will be parsed correctly, and migration will not be attempted. 3. On a Kinetic system which was migrated, but with errors (e.g. test case #1, prior to being patched), installing the new package should correct the ssh.socket configuration. + * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the + following: - * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the following: - [...defaults everywhere else...] #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: ListenAddress 0.0.0.0:1234 [...defaults everywhere else...] * Run `systemctl restart ssh.service` and confirm that the new configuration works as expected. * Do NOT enable -proposed before the upgrade. * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal in /etc/update-manager/release-upgrades if needed). * After the openssh-server configuration fails, enable -proposed, and upgrade openssh-server. * The ssh.socket configuration should be fixed, and /etc/systemd/system/ssh.socket.d/addresses.conf should contain: [Socket] ListenStream= - ListenStream=0.0.0.0:1234 + ListenStream=0.0.0.0:1234 4. On a Kinetic system which was incorrectly migrated to ssh socket activation (e.g. 
test case #2, prior to being patched), installing the new package reverts to the previous behavior. - * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the following: - + * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the + following: + [...defaults everywhere else...] #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: ListenAddress 0.0.0.0:1234 ListenAddress [::]:4321 [...defaults everywhere else...] * Run `systemctl restart ssh.service` and confirm that the new configuration works as expected. * Do NOT enable -proposed before the upgrade. * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal in /etc/update-manager/release-upgrades if needed). * After the openssh-server configuration fails, enable -proposed, and upgrade openssh-server. * The socket-activated ssh migration should be reverted, and ssh.service should be running as before upgrade to Kinetic. [Where problems could occur] These changes are in the openssh-server.postinst script, specifically in the socket-activated ssh migration logic. Regressions would be seen in the migration logic, for example breaking a previously-working migration scenario. - [Original Description] update failed... 
ProblemType: Package DistroRelease: Ubuntu 22.10 Package: openssh-server 1:9.0p1-1ubuntu7 ProcVersionSignature: Ubuntu 5.15.0-48.54-generic 5.15.53 Uname: Linux 5.15.0-48-generic x86_64 NonfreeKernelModules: cpuid tcp_diag inet_diag tls authenc echainiv esp4 xfrm_user xfrm_algo sctp ip6_udp_tunnel udp_tunnel cfg80211 veth nft_chain_nat xt_REDIRECT nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_tcpudp nft_counter xt_policy nft_compat nf_tables nfnetlink bridge stp llc nls_iso8859_1 hid_generic joydev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel usbhid virtio_net net_failover hid failover i2c_piix4 pata_acpi qemu_fw_cfg floppy sch_fq_codel ipmi_devintf ipmi_msghandler msr ramoops reed_solomon pstore_blk efi_pstore pstore_zone ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress dm_crypt raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx libcrc32c xor raid6_pq raid1 raid0 multipath linear bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt input_leds fb_sys_fops cec crypto_simd rc_core psmouse cryptd drm serio_raw virtio_scsi mac_hid ApportVersion: 2.23.1-0ubuntu3 Architecture: amd64 CasperMD5CheckResult: unknown Date: Wed Oct 19 08:41:28 2022 ErrorMessage: »installiertes post-installation-Skript des Paketes openssh-server«-Unterprozess gab den Fehlerwert 1 zurück InstallationDate: Installed on 2019-08-13 (1162 days ago) InstallationMedia: Ubuntu-Server 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) Python3Details: /usr/bin/python3.10, Python 3.10.7, python3-minimal, 3.10.6-1 PythonDetails: N/A RebootRequiredPkgs: Error: path contained symlinks. RelatedPackageVersions: dpkg 1.21.9ubuntu1 apt 2.5.3 SourcePackage: openssh Title: package openssh-server 1:9.0p1-1ubuntu7 failed to install/upgrade: »installiertes post-installation-Skript des Paketes openssh-server«-Unterprozess gab den Fehlerwert 1 zurück UpgradeStatus: Upgraded to kinetic on 2022-10-19 (0 days ago)
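Review bot: the Test Plan names the ssh.socket drop-in two ways. The affected-system steps of tests 1 and 2 refer to /etc/systemd/system/ssh.socket.d/address.conf, while the patched-system steps of tests 1 and 3 refer to addresses.conf in the same directory. If both mean the same file, use one name throughout so a tester inspects the right path; if the patched package really writes a different file, state what happens to the old one.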
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1993478

Title:
  package openssh-server 1:9.0p1-1ubuntu7 failed to install/upgrade:
  postinstall script returned 1

Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Kinetic:
  Triaged

Bug description:
  [NOTE FOR SRU TEAM]

  I would prefer that vorlon review the attached patch before the upload
  is accepted. I will remove this note when that has happened.

  [Impact]

  Users with /etc/ssh/sshd_config's that contain ListenAddress entries
  with the port specified will not be migrated to socket-activated ssh
  correctly, or may be migrated when they should not be (e.g. if
  ListenAddress, with a port number, is specified more than once). This
  leaves users with a broken sshd configuration.

  [Test Plan]

  There are 4 tests that should be used to verify the fix:

  1. Upgrade to Kinetic with just one ListenAddress entry, which
  specifies port number.

  * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the
  following:

      [...defaults everywhere else...]
      #Port 22
      #AddressFamily any
      #ListenAddress 0.0.0.0
      #ListenAddress ::
      ListenAddress 0.0.0.0:1234
      [...defaults everywhere else...]

  * Run `systemctl restart ssh.service` and confirm that the new
  configuration works as expected.

  * Before running the upgrade, make sure -proposed is enabled.

  * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal
  in /etc/update-manager/release-upgrades if needed).

  * On an affected system, ssh.socket will fail with `bad-setting`
  because /etc/systemd/system/ssh.socket.d/address.conf contains:

      [Socket]
      ListenStream=

  * On a patched system, ssh.socket will be active/listening, and
  /etc/systemd/system/ssh.socket.d/addresses.conf will contain the
  following:

      [Socket]
      ListenStream=
      ListenStream=0.0.0.0:1234

  2. Upgrade to Kinetic with multiple ListenAddress entries, each
  specifying port number.

  * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the
  following:

      [...defaults everywhere else...]
      #Port 22
      #AddressFamily any
      #ListenAddress 0.0.0.0
      #ListenAddress ::
      ListenAddress 0.0.0.0:1234
      ListenAddress [::]:4321
      [...defaults everywhere else...]

  * Run `systemctl restart ssh.service` and confirm that the new
  configuration works as expected.

  * Before running the upgrade, make sure -proposed is enabled.

  * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal
  in /etc/update-manager/release-upgrades if needed).

  * On an affected system, migration will be attempted despite the
  multiple ListenAddress options, and ssh.socket will fail with
  `bad-setting` because /etc/systemd/system/ssh.socket.d/address.conf
  contains:

      [Socket]
      ListenStream=

  * On a patched system, the ListenAddress option will be parsed
  correctly, and migration will not be attempted.

  3. On a Kinetic system which was migrated, but with errors (e.g. test
  case #1, prior to being patched), installing the new package should
  correct the ssh.socket configuration.

  * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the
  following:

      [...defaults everywhere else...]
      #Port 22
      #AddressFamily any
      #ListenAddress 0.0.0.0
      #ListenAddress ::
      ListenAddress 0.0.0.0:1234
      [...defaults everywhere else...]

  * Run `systemctl restart ssh.service` and confirm that the new
  configuration works as expected.

  * Do NOT enable -proposed before the upgrade.

  * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal
  in /etc/update-manager/release-upgrades if needed).

  * After the openssh-server configuration fails, enable -proposed, and
  upgrade openssh-server.

  * The ssh.socket configuration should be fixed, and
  /etc/systemd/system/ssh.socket.d/addresses.conf should contain:

      [Socket]
      ListenStream=
      ListenStream=0.0.0.0:1234

  4. On a Kinetic system which was incorrectly migrated to ssh socket
  activation (e.g. test case #2, prior to being patched), installing the
  new package reverts to the previous behavior.

  * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the
  following:

      [...defaults everywhere else...]
      #Port 22
      #AddressFamily any
      #ListenAddress 0.0.0.0
      #ListenAddress ::
      ListenAddress 0.0.0.0:1234
      ListenAddress [::]:4321
      [...defaults everywhere else...]

  * Run `systemctl restart ssh.service` and confirm that the new
  configuration works as expected.

  * Do NOT enable -proposed before the upgrade.

  * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal
  in /etc/update-manager/release-upgrades if needed).

  * After the openssh-server configuration fails, enable -proposed, and
  upgrade openssh-server.

  * The socket-activated ssh migration should be reverted, and
  ssh.service should be running as before upgrade to Kinetic.

  [Where problems could occur]

  These changes are in the openssh-server.postinst script, specifically
  in the socket-activated ssh migration logic. Regressions would be seen
  in the migration logic, for example breaking a previously-working
  migration scenario.

  [Original Description]

  update failed...

  ProblemType: Package
  DistroRelease: Ubuntu 22.10
  Package: openssh-server 1:9.0p1-1ubuntu7
  ProcVersionSignature: Ubuntu 5.15.0-48.54-generic 5.15.53
  Uname: Linux 5.15.0-48-generic x86_64
  NonfreeKernelModules: cpuid tcp_diag inet_diag tls authenc echainiv esp4 xfrm_user xfrm_algo sctp ip6_udp_tunnel udp_tunnel cfg80211 veth nft_chain_nat xt_REDIRECT nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_tcpudp nft_counter xt_policy nft_compat nf_tables nfnetlink bridge stp llc nls_iso8859_1 hid_generic joydev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel usbhid virtio_net net_failover hid failover i2c_piix4 pata_acpi qemu_fw_cfg floppy sch_fq_codel ipmi_devintf ipmi_msghandler msr ramoops reed_solomon pstore_blk efi_pstore pstore_zone ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress dm_crypt raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx libcrc32c xor raid6_pq raid1 raid0 multipath linear bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt input_leds fb_sys_fops cec crypto_simd rc_core psmouse cryptd drm serio_raw virtio_scsi mac_hid
  ApportVersion: 2.23.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Wed Oct 19 08:41:28 2022
  ErrorMessage: »installiertes post-installation-Skript des Paketes openssh-server«-Unterprozess gab den Fehlerwert 1 zurück
  InstallationDate: Installed on 2019-08-13 (1162 days ago)
  InstallationMedia: Ubuntu-Server 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
  Python3Details: /usr/bin/python3.10, Python 3.10.7, python3-minimal, 3.10.6-1
  PythonDetails: N/A
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   dpkg 1.21.9ubuntu1
   apt 2.5.3
  SourcePackage: openssh
  Title: package openssh-server 1:9.0p1-1ubuntu7 failed to install/upgrade: »installiertes post-installation-Skript des Paketes openssh-server«-Unterprozess gab den Fehlerwert 1 zurück
  UpgradeStatus: Upgraded to kinetic on 2022-10-19 (0 days ago)
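A check for the two conditions the Test Plan turns on, added here as an example and not taken from the bug report or the openssh package: whether an ssh.socket drop-in holds only the empty `ListenStream=` reset, and how many active ListenAddress entries in an sshd_config carry a port. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Classify an ssh.socket drop-in. "broken" is the state from test cases 1 and 2:
# the file clears ListenStream and never assigns an address afterwards.
dropin_status() {
    awk '
        /^[ \t]*ListenStream[ \t]*=/ {
            val = $0
            sub(/^[ \t]*ListenStream[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == "") { reset = 1; n = 0 }  # empty assignment clears earlier entries
            else n++
        }
        END {
            if (n > 0) print "ok"
            else if (reset) print "broken"
            else print "unset"
        }' "$1"
}

# Count active (uncommented) ListenAddress entries that specify a port,
# either as [addr]:port or as host:port with exactly one colon.
listen_with_port() {
    awk '
        tolower($1) == "listenaddress" {
            a = $2; t = a
            if (a ~ /^\[.*\]:[0-9]+$/ || (gsub(/:/, "", t) == 1 && a ~ /:[0-9]+$/)) c++
        }
        END { print c + 0 }' "$1"
}

# Constructed sample files mirroring the snippets in the Test Plan.
d=$(mktemp -d)
printf '[Socket]\nListenStream=\n' > "$d/affected.conf"
printf '[Socket]\nListenStream=\nListenStream=0.0.0.0:1234\n' > "$d/patched.conf"
printf '#Port 22\n#ListenAddress ::\nListenAddress 0.0.0.0:1234\n' > "$d/case1"
printf '#Port 22\nListenAddress 0.0.0.0:1234\nListenAddress [::]:4321\n' > "$d/case2"

echo "affected drop-in: $(dropin_status "$d/affected.conf")"
echo "patched drop-in:  $(dropin_status "$d/patched.conf")"
echo "case 1 entries with port: $(listen_with_port "$d/case1")"
echo "case 2 entries with port: $(listen_with_port "$d/case2")"
```

On a real host, point `dropin_status` at the file under /etc/systemd/system/ssh.socket.d/ and `listen_with_port` at /etc/ssh/sshd_config before and after upgrading openssh-server.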