Activity log for bug #1876320

Date Who What changed Old value New value Message
2020-05-01 14:40:54 Adriaan van Nijendaal bug added bug
2020-05-01 16:25:10 Simon Déziel bug added subscriber Simon Déziel
2020-05-05 10:12:25 Paride Legovini bug watch added https://bugzilla.mindrot.org/show_bug.cgi?id=3122
2020-05-05 10:12:39 Paride Legovini openssh (Ubuntu): status New Incomplete
2020-05-05 10:15:59 Paride Legovini bug added subscriber Ubuntu Server
2020-05-05 10:16:01 Paride Legovini bug added subscriber Paride Legovini
2020-05-23 12:28:34 Adriaan van Nijendaal bug watch added https://bugzilla.mindrot.org/show_bug.cgi?id=3169
2020-05-25 14:39:20 Paride Legovini bug task added openssh
2020-05-25 14:41:11 Paride Legovini openssh (Ubuntu): status Incomplete Triaged
2020-05-25 14:41:14 Paride Legovini openssh (Ubuntu): importance Undecided Low
2020-05-27 18:28:28 Lucas Kanashiro nominated for series Ubuntu Focal
2020-05-27 18:28:28 Lucas Kanashiro bug task added openssh (Ubuntu Focal)
2020-05-27 18:29:06 Lucas Kanashiro openssh (Ubuntu Focal): status New Triaged
2020-05-27 18:29:12 Lucas Kanashiro openssh (Ubuntu Focal): importance Undecided Low
2020-05-28 11:58:27 Paride Legovini tags server-next
2020-05-29 07:44:31 Launchpad Janitor merge proposal linked https://code.launchpad.net/~paelzer/ubuntu/+source/openssh/+git/openssh/+merge/384813
2020-05-29 07:44:50 Launchpad Janitor merge proposal linked https://code.launchpad.net/~paelzer/ubuntu/+source/openssh/+git/openssh/+merge/384814
2020-06-01 20:58:51 Lucas Kanashiro openssh (Ubuntu): status Triaged In Progress
2020-06-01 20:58:54 Lucas Kanashiro openssh (Ubuntu Focal): status Triaged In Progress
2020-06-02 10:52:06 Christian Ehrhardt  bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962035
2020-06-02 10:52:19 Christian Ehrhardt  bug task added openssh (Debian)
2020-06-02 17:09:37 Bug Watch Updater openssh (Debian): status Unknown New
2020-06-05 21:23:48 Launchpad Janitor openssh (Ubuntu): status In Progress Fix Released
2020-06-08 04:44:41 Christian Ehrhardt  description On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd deamons. One (on port 22) is for internal use, accepts passwords etc. The second (on port 7722) does not allow PAM use and no passwords, allows only one user(name) and uses an alternative autorized_keys file (that only root can edit). Any parameter FIRST encountered in sshd_config is the one that is accepted; others do not override (like in many other config files). There is one exception: 'Port', which is accumulative. To make life easier, I set the more restrictive parameters for port 7722 first and next include the system-default /etc/ssh/sshd_config. The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify 'Port' anywhere - the default is 22. But: it is obviously still accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722 AND 22. This is unwanted. Proposed solution: Remove the accumulative behavior for 'Port' and REQUIRE the 'Port' parameter like before (and maybe have second and later parameters override the earlier ones, like 'everyone else'). Regards, Adriaan PS Searching for solutions, I found that specifying 'ListenAddress 0.0.0.0:7722' stops sshd from listening to port 22. This, however, is not documented in 'man 5 sshd_config' and may be an unreliable side-effect. [Impact] * The "Port" option in sshd_config is accumulative, but due to a bug re- adds the default when an include is encountered. Therefore we have these cases a) Port 722 Listens on 722 (correct) b) Port 722 Port 2222 Listens on 722 & 2222 (correct) c) Port 722 include /path/to/otherconfig Listens on 722 & 22 (applied defaults as if Port was unset) * Of the above (c) is a bug, not documented that way and can lead to open ports not expected and not wanted. 
[Test Case] * Test if defaults are applied even if option is specified Rename sshd_config to something_else and replace sshd_config with two lines to include the original config (now called something_else) and set the Port to 7722: systemctl stop ssh mv /etc/ssh/sshd_config /etc/ssh/something_else cat > /etc/ssh/sshd_config <<EOF Include /etc/ssh/something_else Port 7722 EOF systemctl start ssh systemctl status ssh # restore the original config: mv /etc/ssh/something_else /etc/ssh/sshd_config Which will show: ● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2020-05-02 15:31:37 UTC; 13s ago Docs: man:sshd(8) man:sshd_config(5) Process: 45261 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) Main PID: 45271 (sshd) Tasks: 1 (limit: 18457) Memory: 1.3M CGroup: /system.slice/ssh.service └─45271 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups May 02 15:31:37 cabernet systemd[1]: Starting OpenBSD Secure Shell server... May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 7722. May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 7722. May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 22. May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 22. May 02 15:31:37 cabernet systemd[1]: Started OpenBSD Secure Shell server. So, NOW it will have ports 22 AND 7722 open! With the fix this should no more happen. * Test if multiple options still work [Regression Potential] * The change itself isn't very invasive and I don't expect it to break it with crashes or similar. But if people didn't realize that this is a bug, they might have a config in place and somewhat rely on the broken behavior. It is good thou that (a) (b) of above are the common cases and won't change. Further even if a user used (c) the explicitly configured port will still work. 
Fortunately it is early in the Focal lifetime and it was the one introducting the 'include' feature - therefore I'd expect not too many people using it yet. [Other Info] * n/a ---- On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd deamons. One (on port 22) is for internal use, accepts passwords etc. The second (on port 7722) does not allow PAM use and no passwords, allows only one user(name) and uses an alternative autorized_keys file (that only root can edit). Any parameter FIRST encountered in sshd_config is the one that is accepted; others do not override (like in many other config files). There is one exception: 'Port', which is accumulative. To make life easier, I set the more restrictive parameters for port 7722 first and next include the system-default /etc/ssh/sshd_config. The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify 'Port' anywhere - the default is 22. But: it is obviously still accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722 AND 22. This is unwanted. Proposed solution: Remove the accumulative behavior for 'Port' and REQUIRE the 'Port' parameter like before (and maybe have second and later parameters override the earlier ones, like 'everyone else'). Regards, Adriaan PS Searching for solutions, I found that specifying 'ListenAddress 0.0.0.0:7722' stops sshd from listening to port 22. This, however, is not documented in 'man 5 sshd_config' and may be an unreliable side-effect.
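To make the three cases in [Impact] and the [Test Case] reproducible without touching a live sshd, here is an added Python model of the 'Port' handling described above; it is an illustration written for this page, not OpenSSH's own parsing code. The file paths and contents are constructed, and Match blocks and Include globs are deliberately not modelled.

```python
import shlex

# Rules as stated in the bug: the first value seen for an option wins, 'Port'
# accumulates, and port 22 applies only when no Port was ever given. With
# bug=True the model reproduces the reported defect, where meeting an Include
# re-applied the default port as if Port had never been set (model, not the
# real servconf.c logic). Match blocks and Include globs are not modelled.
DEFAULT_PORT = 22


def parse_config(files, name, bug=False):
    """files: dict path -> config text (constructed, in-memory).
    Returns (options, sorted ports) for the config rooted at `name`."""
    opts, ports = {}, []

    def walk(path):
        for raw in files.get(path, "").splitlines():   # missing include: skipped
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            key, *args = shlex.split(line)
            key = key.lower()
            if key == "port":
                port = int(args[0])
                if port not in ports:
                    ports.append(port)               # Port accumulates (documented)
            elif key == "include":
                if bug and DEFAULT_PORT not in ports:
                    ports.append(DEFAULT_PORT)       # defect: default re-applied
                for inc in args:
                    walk(inc)
            else:
                opts.setdefault(key, " ".join(args))  # first value wins

    walk(name)
    if not ports:
        ports.append(DEFAULT_PORT)   # documented default when Port is unset
    return opts, sorted(ports)


def unexpected_ports(files, name, expected, bug=False):
    """Defender's check: ports sshd would listen on beyond those expected."""
    return sorted(set(parse_config(files, name, bug)[1]) - set(expected))


# Constructed tree mirroring the [Test Case]: the stock config renamed to
# something_else and a two-line sshd_config that includes it.
FILES = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/something_else\nPort 7722\n",
    "/etc/ssh/something_else": "PasswordAuthentication no\nUsePAM yes\n",
}
```

On a real host the authoritative check is `sshd -T | grep -i '^port'`, which prints the effective ports after all includes have been applied.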
2020-06-08 07:02:05 Bug Watch Updater openssh (Debian): status New Fix Released
2020-06-16 21:14:54 Brian Murray openssh (Ubuntu Focal): status In Progress Fix Committed
2020-06-16 21:14:56 Brian Murray bug added subscriber Ubuntu Stable Release Updates Team
2020-06-16 21:15:00 Brian Murray bug added subscriber SRU Verification
2020-06-16 21:15:06 Brian Murray tags server-next server-next verification-needed verification-needed-focal
2020-06-17 11:41:43 Christian Ehrhardt  tags server-next verification-needed verification-needed-focal server-next verification-done verification-done-focal
2020-06-24 00:31:29 Chris Halse Rogers removed subscriber Ubuntu Stable Release Updates Team
2020-06-24 00:31:49 Launchpad Janitor openssh (Ubuntu Focal): status Fix Committed Fix Released