** Description changed:

- TODO finish
- 
  [Impact]
  
-  * The systemd drop-in is placed and removed in maintainer scripts based
- on the current system configuration.
+  * The ssh.service drop-in is placed and removed in maintainer scripts
+ based on the current ssh configuration checks which are incomplete. The
+ drop-in is also not owned by the package.
  
  [Test Case]
  
-  * detailed instructions how to reproduce the bug
+  * Install the fixed package. The drop-in should be listed among the 
package's files:
+ $ dpkg -L ec2-instance-connect 
+ ...
+ /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
+ ...
  
-  * these should allow someone who is not familiar with the affected
-    package to reproduce the bug and verify that the updated package fixes
-    the problem.
+ * Upgrade package from previous version. The drop-in should replace the
+ old one.
+ 
+ * Change /etc/ssh/sshd_config to set AuthorizedKeysCommand
+   Install the fixed package. A warning should appear and sshd should not be 
restarted by the package's maintainer scripts.
  
  [Regression Potential]
  
-  * discussion of how regressions are most likely to manifest as a result
- of this change.
- 
-  * It is assumed that any SRU candidate patch is well-tested before
-    upload and has a low overall risk of regression, but it's important
-    to make the effort to think about what ''could'' happen in the
-    event of a regression.
- 
-  * This both shows the SRU team that the risks have been considered,
-    and provides guidance to testers in regression-testing the SRU.
+ * The change is made to make installation and upgrades more reliable. The 
test cases check package installs and upgrades where regressions could happen 
due to implementation mistakes.
+ * The unfixed version of the package did not place the drop-in when it 
detected setting AuthorizedKeysCommand in sshd_conf, while the fixed version 
installs the drop-in, just does not restart the ssh service. This can block 
users from logging in via ssh if only the sshd_conf's AuthorizedKeysCommand 
configuration enabled their login and the ssh service got restarted after 
installing/upgrading ec2-instance-connect.
+ This is a known change in behavior and is mitigated by showing a warning when 
this potentially problematic configuration is detected. It is also worth noting 
that in case the drop-in overrides the configuration in sshd_conf it is still 
possible to log in via EC2 Instance Connect, the login method the package 
enables.
  
  [Other Info]

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861909

Title:
  Please ship ec2-instance-connect.conf instead of creating it in
  postinst

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1861909/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to