This bug was fixed in the package openssh - 1:9.6p1-3ubuntu13.7

---------------
openssh (1:9.6p1-3ubuntu13.7) noble; urgency=medium

  * d/t/sshd-socket-generator: run test_match_on_port test
    The test case was added to verify the fix for LP: 2076023, but it is
    not actually executed at the moment. Now that it does run, fix the
    grep commands used.

openssh (1:9.6p1-3ubuntu13.6) noble; urgency=medium

  * Explicitly listen on IPv4 by default, with socket-activated sshd
    (LP: #2080216)
    - d/systemd/ssh.socket: explicitly listen on ipv4 by default
    - d/t/sshd-socket-generator: update for new defaults and AddressFamily
    - sshd-socket-generator: handle new ssh.socket default settings
  * sshd-socket-generator: do not parse server match config (LP: #2076023)
  * d/p/systemd-socket-activation.patch: don't clear rexec_flag (LP: #2071815)
  * d/p/sshd-socket-generator.patch: add note to sshd_config
    Explain that a systemctl daemon-reload is needed for changes to Port
    et al to take effect. (LP: #2069041)
  * debian/openssh-server.ucf-md5sum: add new checksums for sshd_config

 -- Nick Rosbrook <en...@ubuntu.com>  Wed, 23 Oct 2024 14:19:51 -0400

** Changed in: openssh (Ubuntu Noble)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/2076023

Title:
  Failed to apply 'Match' directive in sshd_config with sshd-socket-generator

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Noble:
  Fix Released
Status in openssh source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  When users have a Match section in their sshd config, their
  configuration cannot be parsed by the sshd-socket-generator (because
  there is no connection, hence no connection spec to be matched), and
  the generator fails. This means no custom config is applied at all.

  [Test Plan]

  1. On a noble system with sshd installed, create a drop-in config with
     a Match directive, and run the generator locally:

     $ cat > /etc/ssh/sshd_config.d/custom.conf << EOF
     Port 1234
     Match LocalPort 22
     PasswordAuthentication no
     EOF
     $ /lib/systemd/system-generators/sshd-socket-generator .
     'Match LocalPort' in configuration but 'lport' not in connection test specification.

     On an affected system, the above error will be shown. On a patched
     system, the generator will succeed, and ./ssh.socket.d/addresses.conf
     will reflect the Port 1234 option.

  2. A new subtest was added to debian/tests/sshd-socket-generator,
     test_match_port. It does the same as the above, and should pass in
     autopkgtest.

  [Where problems could occur]

  This patch simply removes the code from sshd-socket-generator that
  tries to parse the match config. If problems did occur, it would be
  related to the generator again. Specifically, it would likely be
  related to missing/unparsed options.

  [Original Description]

  When using the Match statement in sshd_config or sshd_config.d/*.conf
  with socket activation (not the classic method), sshd does not start as
  expected.

  Environment:
    Ubuntu: Ubuntu 24.04 LTS
    OpenSSH Server: 1:9.6p1-3ubuntu13.4

  Steps to Reproduce:

  /etc/ssh/sshd_config
  ```
  Include /etc/ssh/sshd_config.d/*.conf
  Port 22
  Port 22222
  KbdInteractiveAuthentication no
  UsePAM yes
  X11Forwarding yes
  PrintMotd no
  AcceptEnv LANG LC_*
  Subsystem sftp /usr/lib/openssh/sftp-server
  Match LocalPort 22222
      PasswordAuthentication no
      PubkeyAuthentication yes
  ```

  command:
    sudo systemctl daemon-reload && sudo systemctl restart ssh.socket

  Expected Behavior:
    sshd should listen on both ports 22 and 22222. When connecting via
    port 22222, password login should not be allowed and only public key
    authentication should be permitted.

  Actual Behavior:
    sshd only listens on port 22 and not on port 22222. The configuration
    is not correctly applied.

  After daemon-reload, the output from journalctl is as follows:

    $ sudo journalctl -t (sd-exec-
    Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.

  Additional Information:

  1. Using sshd -T -C to test the configuration produces the following
     result:

     $ sudo sshd -T -C lport=22 | grep passwordauthentication
     passwordauthentication yes
     $ sudo sshd -T -C lport=22222 | grep passwordauthentication
     passwordauthentication no

  2. The output when manually running
     /usr/lib/systemd/system-generators/sshd-socket-generator is:

     $ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
     'Match LocalPort' in configuration but 'lport' not in connection test specification.

  3. I have tested some cases; if sshd-socket-generator cannot handle the
     config correctly, sshd seems to run with the default config. I also
     noticed that there is no test case about the Match directive in
     https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.

  I guess the root cause of the issue lies in the sshd-socket-generator
  not correctly handling the Match directive. A detailed assessment of
  potential security issues caused by this bug is needed. If socket
  activation is to be widely adopted, this issue will undoubtedly be a
  significant stumbling block.
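As an added example (not part of this bug report and not the Ubuntu generator's own code, which reuses sshd's config parser), the following Python shows the listen-option extraction a socket generator needs from sshd_config while skipping Match blocks outright, which is the approach the fix takes: nothing in a Match block can influence listening, and refusing to evaluate match criteria means a Match section can no longer make the generator fail and silently leave sshd on its defaults. The 0.0.0.0/[::] mapping of AddressFamily and the choice not to follow Include are assumptions of this example, not the generator's exact behaviour.

```python
"""Emulate the listen-option extraction a socket generator needs from sshd_config,
skipping Match blocks: at generator time there is no connection, so nothing to match."""
import re

# Constructed sample mirroring the reporter's config (Include is not followed here).
SAMPLE_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 22222
Match LocalPort 22222
    PasswordAuthentication no
    PubkeyAuthentication yes
"""

def global_listen_options(config_text):
    """Return (ports, listen_addresses, address_family) from the global section.
    A Match block runs to the next Match line or EOF and is skipped entirely."""
    ports, addrs, family = [], [], "any"
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True        # a later Match line only starts another block
        elif in_match:
            continue               # conditional keyword, never used for listening
        elif key == "port":
            ports.append(value)
        elif key == "listenaddress":
            addrs.append(value)
        elif key == "addressfamily":
            family = value.lower()
    return ports or ["22"], addrs, family

def _has_port(addr):
    # "host:port" or "[v6]:port"; bare IPv6 literals must be bracketed here (assumption).
    return re.match(r"^(\[[^\]]+\]|[^:]+):\d+$", addr) is not None

def listen_streams(config_text):
    """Render systemd ListenStream= values. Without ListenAddress bind IPv4 explicitly
    (0.0.0.0:port) as noble's ssh.socket now does; [::] for inet6 is an assumption."""
    ports, addrs, family = global_listen_options(config_text)
    if addrs:
        out = []
        for a in addrs:
            out.extend([a] if _has_port(a) else [f"{a}:{p}" for p in ports])
        return out
    host = "[::]" if family == "inet6" else "0.0.0.0"
    return [f"{host}:{p}" for p in ports]
```

Comparing the returned ListenStream values against `ss -ltnp` output for sshd is a quick way to confirm that the generator, not a fallback to defaults, is driving what the socket actually binds.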