Failed to apply 'Match' directive in sshd_config with sshd-socket-generator

Bug #2076023 reported by Enorize
This bug affects 1 person
Affects: openssh (Ubuntu), status tracked in Oracular
  Noble: Triaged, Medium, assigned to Nick Rosbrook
  Oracular: Fix Released, Medium, assigned to Nick Rosbrook

Bug Description

When using the Match statement in sshd_config or sshd_config.d/*.conf with socket activation (not the classic method), sshd does not start as expected.

Environment:

Ubuntu: Ubuntu 24.04 LTS
OpenSSH Server: 1:9.6p1-3ubuntu13.4

Steps to Reproduce:

/etc/ssh/sshd_config
```
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 22222
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match LocalPort 22222
    PasswordAuthentication no
    PubkeyAuthentication yes
```

command:

```
sudo systemctl daemon-reload && sudo systemctl restart ssh.socket
```

Expected Behavior:

sshd should listen on both ports 22 and 22222.
When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.

Actual Behavior:

sshd only listens on port 22 and not on port 22222. The configuration is not correctly applied.

After daemon-reload, the output from journalctl is as follows:

```
$ sudo journalctl -t (sd-exec-
Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.
```

Additional Information:

1. Using `sshd -T -C` to test the configuration produces the following result:
```
$ sudo sshd -T -C lport=22 | grep passwordauthentication
passwordauthentication yes

$ sudo sshd -T -C lport=22222 | grep passwordauthentication
passwordauthentication no
```

2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
```
$ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
'Match LocalPort' in configuration but 'lport' not in connection test specification.
```

3. I have tested some cases; if sshd-socket-generator cannot handle the config correctly, sshd seems to run with the default config.

And I also noticed that there is no test case about the Match directive in https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.

I guess the root cause of the issue lies in the sshd-socket-generator not correctly handling the Match directive.

And a detailed assessment of the potential security issues caused by this bug is needed.

If socket activation is to be widely adopted, this issue will undoubtedly be a significant stumbling block.

Enorize (enorize)
tags: added: sshd-socket-generator
tags: added: noble
Nick Rosbrook (enr0n) wrote :

Thank you for the detailed bug report. I am not yet sure the best way to fix this, but I was able to reproduce using your instructions.

Changed in openssh (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Nick Rosbrook (enr0n)
tags: added: foundations-todo
Nick Rosbrook (enr0n) wrote :

I took another look, and this turns out to be simpler than I thought. The problem is that we explicitly attempt to parse the server match config (an unnecessary copypasta from sshd -T code path). But, in the generator, we only care about options that affect the listening addresses, and the match section is for modifying settings on a per-connection basis.

Hence, the fix for this is to just not attempt to parse the match config, as it requires a connection spec, which we cannot have at generator time.

Changed in openssh (Ubuntu Oracular):
status: Confirmed → Triaged
Changed in openssh (Ubuntu Noble):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Nick Rosbrook (enr0n)
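The generator's job as described in the comment above (only the listening options matter; a Match section is per-connection and needs a connection spec the generator cannot have), shown as an added Python sketch that is not the Ubuntu generator's code: it walks the reporter's config shape, follows Include, collects Port/ListenAddress, and skips Match blocks instead of failing. The sample files are constructed and written to a temp dir; resolving a relative Include against the main config's directory is an assumption.

```python
import glob, os, shlex, tempfile
from pathlib import Path

SAMPLE_TREE = {  # constructed sample mirroring the reporter's config, not a real path
    "sshd_config": (
        "Include sshd_config.d/*.conf\n"
        "Port 22\n"
        "Port 22222\n"
        "Match LocalPort 22222\n"
        "    PasswordAuthentication no\n"
        "    PubkeyAuthentication yes\n"
    ),
    "sshd_config.d/10-listen.conf": "ListenAddress 127.0.0.1:2200  # comment\n",
}

def listen_spec(config_path):
    """Collect Port/ListenAddress values and skip Match blocks, which are
    per-connection and need a connection spec a generator cannot have."""
    ports, addrs = [], []
    base = Path(config_path).parent  # assumption: relative Include resolves here
    def walk(path):
        in_match = False  # tracked per file (a simplification)
        for raw in Path(path).read_text().splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            key, *args = shlex.split(line)
            key = key.lower()
            if key == "match":
                in_match = True   # block runs until the next Match line
            elif in_match:
                continue          # per-connection setting, not a listen option
            elif key == "include":
                for pat in args:
                    pat = pat if os.path.isabs(pat) else str(base / pat)
                    for inc in sorted(glob.glob(pat)):
                        walk(inc)
            elif key == "port":
                ports.extend(int(a) for a in args)
            elif key == "listenaddress":
                addrs.extend(args)
    walk(config_path)
    return {"ports": ports or [22], "addresses": addrs}  # sshd default is 22

def demo():
    root = Path(tempfile.mkdtemp())  # write the constructed tree to a temp dir
    for rel, text in SAMPLE_TREE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return listen_spec(root / "sshd_config")
```

Run `demo()` to see both ports collected from the reporter's layout while the Match section is ignored rather than aborting the run.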
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Oracular):
status: Triaged → Fix Committed
Nick Rosbrook (enr0n) wrote :

I am planning an SRU for noble in the next couple weeks.

tags: removed: foundations-todo
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.7p1-7ubuntu3

---------------
openssh (1:9.7p1-7ubuntu3) oracular; urgency=medium

  * sshd-socket-generator: do not parse server match config (LP: #2076023)

 -- Nick Rosbrook <email address hidden> Tue, 27 Aug 2024 15:54:41 -0400

Changed in openssh (Ubuntu Oracular):
status: Fix Committed → Fix Released