sshd_config is modified/replaced

Bug #1188610 reported by Scott Moser
This bug affects 1 person
Affects: walinuxagent (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: David Medberry

Bug Description

After launching an instance on azure from the "quick start" and typing a password in, I ssh'd in.

I wanted to look at sshd_config, and couldn't without being root.

The permissions on sshd_config are set to:
# ls -l /etc/ssh/sshd_config
-rw------- 1 root root 674 Jun 3 10:41 /etc/ssh/sshd_config

Also, comments are stripped out of the file.

It has been modified and is different than the stock ubuntu sshd (as in the cloud images).
diff'ing a sorted version found in azure and that found in the same ubuntu release (12.04) on amazon I find:

--- sshd_config.azure 2013-06-07 13:06:43.641223901 +0000
+++ sshd_config 2013-06-07 13:06:25.421223900 +0000
@@ -1,6 +1,5 @@
 AcceptEnv LANG LC_*
 ChallengeResponseAuthentication no
-ClientAliveInterval 180
 HostbasedAuthentication no
 HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
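Review bot: the `-ClientAliveInterval 180` line sits on the `sshd_config.azure` side of this diff, so it is a directive the Azure image carries on top of stock, and because both files are sorted the neighbouring context (`ChallengeResponseAuthentication` directly before, `HostbasedAuthentication` directly after) shows that neither file sets `ClientAliveCountMax`. If the keepalive stays, set `ClientAliveCountMax` explicitly next to it so the disconnect threshold is stated in the file rather than inherited from the default.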
@@ -9,7 +8,7 @@
 KeyRegenerationInterval 3600
 LoginGraceTime 120
 LogLevel INFO
-PasswordAuthentication yes
+PasswordAuthentication no
 PermitEmptyPasswords no
 PermitRootLogin yes
 Port 22
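Review bot: `PasswordAuthentication yes` is the `-` line here, so the Azure image is the side that accepts password logins, while the unchanged context line `PermitRootLogin yes` applies to both files. With passwords accepted, change that line in the Azure file to `PermitRootLogin without-password` or `no` so that root cannot be reached by password over SSH.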

The PasswordAuthentication change makes sense, but I don't see an obvious justification for the 'ClientAliveInterval' addition. Just reading the man page seems to indicate that with this setting, my idle connection will be broken after 3 x 180 (3==ClientAliveCountMax default).

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: walinuxagent 1.3.2-0ubuntu1~12.04.1
ProcVersionSignature: Ubuntu 3.2.0-45.70-virtual 3.2.44
Uname: Linux 3.2.0-45-virtual x86_64
ApportVersion: 2.0.1-0ubuntu17.2
Architecture: amd64
Date: Fri Jun 7 12:40:51 2013
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: walinuxagent
UpgradeStatus: No upgrade log present (probably fresh install)
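
The comparison made in the report above, redone on effective settings instead of sorted text, as an added example that is not part of the original bug report or of walinuxagent. The two sample files are constructed from directives in the diff; the function names and the WATCH list are assumptions, and Match blocks are not evaluated.

```python
import re

# Keywords sshd accepts more than once; for all others the first value wins.
MULTI = {"hostkey", "acceptenv", "port", "listenaddress"}
# Assumed watch list: settings that change who can log in or when sessions drop.
WATCH = {"passwordauthentication", "permitrootlogin", "permitemptypasswords",
         "clientaliveinterval", "clientalivecountmax", "tcpkeepalive"}

def parse(text):
    """Return {keyword: [values]} for the global section of an sshd_config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments never affect behaviour
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":                # conditional blocks are out of scope
            break
        if key in MULTI:
            conf.setdefault(key, []).append(value)
        elif key not in conf:
            conf[key] = [value]
    return conf

def drift(stock_text, image_text):
    """List (keyword, stock, image, watched) for every effective difference."""
    stock, image = parse(stock_text), parse(image_text)
    return [(k, stock.get(k), image.get(k), k in WATCH)
            for k in sorted(set(stock) | set(image)) if stock.get(k) != image.get(k)]

def unresponsive_timeout(conf):
    """Seconds until sshd drops a client that stops answering client-alive probes."""
    interval = int(conf.get("clientaliveinterval", ["0"])[0])   # default 0 = off
    count = int(conf.get("clientalivecountmax", ["3"])[0])      # default 3
    return interval * count if interval else None

# Constructed samples using directives from the diff in the report.
STOCK = """# stock file keeps its comments
PermitRootLogin yes
PasswordAuthentication no
"""
AZURE = """PermitRootLogin yes
PasswordAuthentication yes
ClientAliveInterval 180
"""

if __name__ == "__main__":
    print(drift(STOCK, AZURE), unresponsive_timeout(parse(AZURE)))
```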

Robie Basak (racb) wrote :

Is walinuxagent modifying /etc/ssh/sshd_config? I don't think it's allowed to do that. See Debian policy 10.7.4:

http://www.debian.org/doc/debian-policy/ch-files.html#s10.7.4

David Medberry (med)
Changed in walinuxagent (Ubuntu):
assignee: nobody → David Medberry (med)
Robie Basak (racb) wrote :

Perhaps it needs ClientAliveInterval because underlying connection tracking in Azure breaks the connection otherwise? Just speculating here.

David Medberry (med) wrote :

So, with no keyboard input, an ssh to azure (first I tested, have other tests going now) lasts 30 minutes--well beyond the 3 * 180 which is 9 minutes...

I'll do some additional tests without that setting and then chat with Eric Gable (the author.)

Stephen A. Zarkos (stevez) wrote :

Hello!

As Robie speculated, editing the ClientAliveInterval parameter will help keep the session open through the load balancer which would otherwise drop the connection. There has to be some network traffic originating from either the client or server to keep it open. Possibly your client sends these keepalives, but not all clients will.

Odd that comments are stripped, we will need to take a look at that.

Thanks!
Steve

David Medberry (med) wrote : Re: [Bug 1188610] Re: sshd_config is modified/replaced

Hi Steve,

One of the concerns (valid) is that the walinuxagent package is editing
another's config file. I'll keep investigating that avenue to see if I have
a suggested fix for that.

On Fri, Jun 7, 2013 at 12:15 PM, Stephen A. Zarkos <email address hidden> wrote:

> Hello!
>
> As Robie speculated, editing the ClientAliveInterval parameter will help
> keep the session open through the load balancer which would otherwise
> drop the connection. There has to be some network traffic originating
> from either the client or server to keep it open. Possibly your client
> sends these keepalives, but not all clients will.
>
> Odd that comments are stripped, we will need to take a look at that.
>
> Thanks!
> Steve

David Medberry (med)
Changed in walinuxagent (Ubuntu):
status: New → Confirmed
Scott Moser (smoser) wrote :

Note, if a future version of ssh package has a modified sshd_config file (possibly a new setting being added, or one being changed), and the user does 'apt-get upgrade', they will then be prompted on what to do because the package system notices a change to this file. Prompts on 'apt-get upgrade' are generally not desirable as people mostly expect these things to work unattended, and in this case the user didn't do anything themselves to justify this.

Also note, and I could be wrong, that Ubuntu's stock sshd_config has 'TCPKeepAlive yes' as the default value. It would seem that this should be enough to keep the session alive?

David Medberry (med) wrote :

Actually, removing the ClientAliveInterval has no effect on a stock Ubuntu ssh client. Sessions stay alive for hours with no input. I'm going to propose a patch to pull out that change. The password authentication portion seems to be valid (or even required) for Azure (as you can still create instances without ssh keys.) I need to investigate how ubuntu-server does this differently from ubuntu-desktop (as I see a different default in a desktop.)

No package seems to "own" /etc/ssh/sshd_config ("dpkg -S /etc/ssh/sshd_config" returns nothing and "grep sshd_config Contents-amd64" doesn't return /etc/ssh/sshd_config). Does this mean it will still be an issue on upgrade?

Scott Moser (smoser) wrote :

David,
  I'm pretty sure the answer to your question about ownership of that file is that ownership by the package has no effect on config-file upgrade prompt. I'm not 100% certain, but I know that in the cloud images, /etc/default/grub has been a pain for us in this respect, and it also does not show as 'owned' by grub.
  I'm pretty sure that TCPKeepAlive is keeping the session alive and so ClientAliveInterval does not need to be set or changed. I also just verified an idle session stayed connected for a few hours.

David Medberry (med) wrote :

ACK. I actually looked at some other files... maybe none of the ones in
/etc/ are "owned" but do seem to be managed by packages.

On Mon, Jun 24, 2013 at 10:27 AM, Scott Moser <email address hidden> wrote:

> David,
> I'm pretty sure the answer to your question about ownership of that file
> is that ownership by the package has no effect on config-file upgrade
> prompt. I'm not 100% certain, but I know that in the cloud images,
> /etc/default/grub has been a pain for us in this respect, and it also does
> not show as 'owned' by grub.
> I'm pretty sure that TCPKeepAlive is keeping the session alive and so
> ClientAliveInterval does not need to be set or changed. I also just
> verified an idle session stayed connected for a few hours.

Ben Howard (darkmuggle-deactivatedaccount) wrote :

This is fix-released for Saucy and scheduled for SRU.

Changed in walinuxagent (Ubuntu):
status: Confirmed → Fix Committed
Scott Moser (smoser) wrote :

Marking this fix-released.
The permissions are fixed, and the comments are not removed now.

The 'ClientAliveInterval 180' is appended, and I still feel that this is unnecessary, as TCPKeepAlive should avoid idle connection dropping.

Changed in walinuxagent (Ubuntu):
importance: Undecided → Medium
status: Fix Committed → Fix Released