server: Match has no effect in include file (upstream 3122)

Bug #1885990 reported by Patel
This bug affects 7 people

Affects            Status        Importance  Assigned to         Milestone
portable OpenSSH   Unknown       Unknown
openssh (Ubuntu)   Fix Released  Low         Christian Ehrhardt

Bug Description

Hello

Ubuntu version: focal 20.04 LTS
Version:
openssh-server:
  Installed: 1:8.2p1-4ubuntu0.1
  Candidate: 1:8.2p1-4ubuntu0.1
Expected: Match statements in included files work as documented in the fine manual.
What happens: the statements are ignored.

If you add Match statements in an included file, it will generate no error but have no effect.
The exact same statements work in the main server config file (/etc/ssh/sshd_config)

This is to track upstream bug 3122:

https://bugzilla.mindrot.org/show_bug.cgi?id=3122

It's fixed but will only be in 8.4, so it affects Ubuntu 20.04 LTS where openssh is at 8.2.

I'm not *absolutely* whining for a backport since include files are a new feature for openssh in focal, so it's not a regression. Would be nice though :), because include files have been standard for any server software on Linux for at least a decade...

Tags: server-next
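A quick way to verify whether a Match block in an Include'd file actually takes effect is to ask sshd for the effective configuration of a specific connection with `sshd -T -C` and compare a matched user against an unmatched one. The script below is an added example, not part of this bug report or of OpenSSH; the directive, user names, addresses and temporary config paths are constructed, and the live check assumes sshd is installed and the host keys are readable (normally root).

```shell
#!/bin/sh
# Added example: detect whether a Match block in an Include'd sshd config file is honoured.

# Print the effective value of one directive from `sshd -T` output read on stdin.
# sshd -T prints lowercase keywords, so the lookup is case-insensitive.
effective_value() {   # $1 = directive name
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == key { print $2; exit }'
}

# Compare the effective value of a directive for a connection inside the Match
# scope with one outside it. Returns 0 if the Match block applied (values differ),
# 1 if it was silently ignored (the behaviour this bug describes).
match_applies() {   # $1 = sshd -T output (matched user), $2 = sshd -T output (other user), $3 = directive
    scoped=$(printf '%s\n' "$1" | effective_value "$3")
    unscoped=$(printf '%s\n' "$2" | effective_value "$3")
    [ -n "$scoped" ] && [ "$scoped" != "$unscoped" ]
}

# Live check against the installed sshd using a throwaway config (constructed values).
# Returns 0 when the included Match applied, 1 when ignored, 2 when sshd is unavailable.
live_check() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed; skipping live check"; return 2; }
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    printf 'PasswordAuthentication no\nInclude %s/sshd_config.d/*.conf\n' "$dir" > "$dir/sshd_config"
    printf 'Match User legacy\n    PasswordAuthentication yes\n' > "$dir/sshd_config.d/legacy.conf"
    matched=$(sshd -T -f "$dir/sshd_config" -C user=legacy,host=example.test,addr=192.0.2.10)
    other=$(sshd -T -f "$dir/sshd_config" -C user=alice,host=example.test,addr=192.0.2.10)
    rm -rf "$dir"
    if match_applies "$matched" "$other" PasswordAuthentication; then
        echo "Match in included file applied"
        return 0
    fi
    echo "Match in included file IGNORED (upstream bug 3122 behaviour)"
    return 1
}
```

On an affected 8.2 host both `sshd -T -C` runs report `passwordauthentication no`, even though `sshd -t` accepts the config without complaint.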
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

We just fixed bug 1876320 for includes, seems there might be more for it to do.
But at the same time I think this is low-prio e.g. I think we can wait until ssh 8.4 hits groovy and then think about a backport instead of adding Delta for it right away.

Thank you for the bug Patel.

Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → Low
assignee: nobody → Christian Ehrhardt  (paelzer)
tags: added: server-next
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This is server-next as soon as 8.4 is in groovy, I tagged it already to not forget it.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:8.4p1-2

---------------
openssh (1:8.4p1-2) unstable; urgency=medium

  * Revert incorrect upstream patch that claimed to fix the seccomp sandbox
    on x32 but in fact broke it instead.

 -- Colin Watson <email address hidden> Mon, 26 Oct 2020 17:41:13 +0000

Changed in openssh (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Jernej Jakob (jjakob) wrote :

Why is this marked as "fix released"? It's still broken on Ubuntu 20.04 LTS, the fix has not been released into it.
At the very least, the behavior does not match what is described in the sshd_config man page. Nowhere does it mention that Match blocks don't work inside Include files. Not only that, the config passes config test, and a LogLevel VERBOSE will say that the Match section has been processed, but then it has really been silently ignored!

It took me hours to debug this issue back to a post on the mailing list, to the upstream fix, to this bug report.

Revision history for this message
Patel (gp451ly) wrote :

@Jernej Jakob: this is cited as 'released for 1.8.4'. There is a policy for stable distros, never update the version. I asked for a backport, did not get one. The 20.04 version is still at 1.8.2 and it does not have this feature that was introduced after this version. It was released for groovy, that is 20.10. But I had no right for it, I begged for it but was denied. That's life.

As for documentation, yes, but it's a pretty obscure feature and Ubuntu devs don't have the responsibility for writing man pages, and there is no need to document a non-existent feature.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I can't speak for the SRU team, but it's entirely possible that if you prepare and test a debdiff, and show that this can be fixed, you could drive an SRU through to completion; see https://wiki.ubuntu.com/StableReleaseUpdates for more information.

Thanks

Revision history for this message
Patel (gp451ly) wrote :

@seth arnold
Thanks for the link, quite interesting. Unfortunately, perusing it, I found that this particular change ticks almost all the wrong boxes - especially the 'do not touch really important software' (aka critical infrastructure packages).

Also, trying to find a contact is not obvious; there is a ref (https://wiki.ubuntu.com/StableReleaseUpdates#Reviewing_procedure_and_tools) to an ubuntu-bugs channel on freenode that doesn't seem to exist anymore. The provided examples are almost 15 years old. Chances are good (or bad) that much of this is not up-to-date.
