2020-05-01 14:40:54 |
Adriaan van Nijendaal |
bug |
|
|
added bug |
2020-05-01 16:25:10 |
Simon Déziel |
bug |
|
|
added subscriber Simon Déziel |
2020-05-05 10:12:25 |
Paride Legovini |
bug watch added |
|
https://bugzilla.mindrot.org/show_bug.cgi?id=3122 |
|
2020-05-05 10:12:39 |
Paride Legovini |
openssh (Ubuntu): status |
New |
Incomplete |
|
2020-05-05 10:15:59 |
Paride Legovini |
bug |
|
|
added subscriber Ubuntu Server |
2020-05-05 10:16:01 |
Paride Legovini |
bug |
|
|
added subscriber Paride Legovini |
2020-05-23 12:28:34 |
Adriaan van Nijendaal |
bug watch added |
|
https://bugzilla.mindrot.org/show_bug.cgi?id=3169 |
|
2020-05-25 14:39:20 |
Paride Legovini |
bug task added |
|
openssh |
|
2020-05-25 14:41:11 |
Paride Legovini |
openssh (Ubuntu): status |
Incomplete |
Triaged |
|
2020-05-25 14:41:14 |
Paride Legovini |
openssh (Ubuntu): importance |
Undecided |
Low |
|
2020-05-27 18:28:28 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Focal |
|
2020-05-27 18:28:28 |
Lucas Kanashiro |
bug task added |
|
openssh (Ubuntu Focal) |
|
2020-05-27 18:29:06 |
Lucas Kanashiro |
openssh (Ubuntu Focal): status |
New |
Triaged |
|
2020-05-27 18:29:12 |
Lucas Kanashiro |
openssh (Ubuntu Focal): importance |
Undecided |
Low |
|
2020-05-28 11:58:27 |
Paride Legovini |
tags |
|
server-next |
|
2020-05-29 07:44:31 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/openssh/+git/openssh/+merge/384813 |
|
2020-05-29 07:44:50 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/openssh/+git/openssh/+merge/384814 |
|
2020-06-01 20:58:51 |
Lucas Kanashiro |
openssh (Ubuntu): status |
Triaged |
In Progress |
|
2020-06-01 20:58:54 |
Lucas Kanashiro |
openssh (Ubuntu Focal): status |
Triaged |
In Progress |
|
2020-06-02 10:52:06 |
Christian Ehrhardt |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962035 |
|
2020-06-02 10:52:19 |
Christian Ehrhardt |
bug task added |
|
openssh (Debian) |
|
2020-06-02 17:09:37 |
Bug Watch Updater |
openssh (Debian): status |
Unknown |
New |
|
2020-06-05 21:23:48 |
Launchpad Janitor |
openssh (Ubuntu): status |
In Progress |
Fix Released |
|
2020-06-08 04:44:41 |
Christian Ehrhardt |
description |
On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd deamons. One (on port 22) is for internal use, accepts passwords etc. The second (on port 7722) does not allow PAM use and no passwords, allows only one user(name) and uses an alternative autorized_keys file (that only root can edit).
Any parameter FIRST encountered in sshd_config is the one that is accepted; others do not override (like in many other config files). There is one exception: 'Port', which is accumulative. To make life easier, I set the more restrictive parameters for port 7722 first and next include the system-default /etc/ssh/sshd_config.
The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify 'Port' anywhere - the default is 22. But: it is obviously still accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722 AND 22. This is unwanted.
Proposed solution: Remove the accumulative behavior for 'Port' and REQUIRE the 'Port' parameter like before (and maybe have second and later parameters override the earlier ones, like 'everyone else').
Regards,
Adriaan
PS Searching for solutions, I found that specifying 'ListenAddress 0.0.0.0:7722' stops sshd from listening to port 22. This, however, is not documented in 'man 5 sshd_config' and may be an unreliable side-effect. |
[Impact]
* The "Port" option in sshd_config is accumulative, but due to a bug re-
adds the default when an include is encountered. Therefore we have these
cases
a) Port 722
Listens on 722 (correct)
b) Port 722
Port 2222
Listens on 722 & 2222 (correct)
c) Port 722
include /path/to/otherconfig
Listens on 722 & 22 (applied defaults as if Port was unset)
* Of the above (c) is a bug, not documented that way and can lead to open
ports not expected and not wanted.
[Test Case]
* Test if defaults are applied even if option is specified
Rename sshd_config to something_else and replace sshd_config with two lines to include the original config (now called something_else) and set the Port to 7722:
systemctl stop ssh
mv /etc/ssh/sshd_config /etc/ssh/something_else
cat > /etc/ssh/sshd_config <<EOF
Include /etc/ssh/something_else
Port 7722
EOF
systemctl start ssh
systemctl status ssh
# restore the original config:
mv /etc/ssh/something_else /etc/ssh/sshd_config
Which will show:
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-05-02 15:31:37 UTC; 13s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 45261 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 45271 (sshd)
Tasks: 1 (limit: 18457)
Memory: 1.3M
CGroup: /system.slice/ssh.service
└─45271 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
May 02 15:31:37 cabernet systemd[1]: Starting OpenBSD Secure Shell server...
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 7722.
May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 22.
May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 22.
May 02 15:31:37 cabernet systemd[1]: Started OpenBSD Secure Shell server.
So, NOW it will have ports 22 AND 7722 open!
With the fix this should no more happen.
* Test if multiple options still work
[Regression Potential]
* The change itself isn't very invasive and I don't expect it to break it
with crashes or similar.
But if people didn't realize that this is a bug, they might have a
config in place and somewhat rely on the broken behavior.
It is good thou that (a) (b) of above are the common cases and won't
change.
Further even if a user used (c) the explicitly configured port will
still work.
Fortunately it is early in the Focal lifetime and it was the one
introducting the 'include' feature - therefore I'd expect not too many
people using it yet.
[Other Info]
* n/a
----
On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd deamons. One (on port 22) is for internal use, accepts passwords etc. The second (on port 7722) does not allow PAM use and no passwords, allows only one user(name) and uses an alternative autorized_keys file (that only root can edit).
Any parameter FIRST encountered in sshd_config is the one that is accepted; others do not override (like in many other config files). There is one exception: 'Port', which is accumulative. To make life easier, I set the more restrictive parameters for port 7722 first and next include the system-default /etc/ssh/sshd_config.
The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify 'Port' anywhere - the default is 22. But: it is obviously still accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722 AND 22. This is unwanted.
Proposed solution: Remove the accumulative behavior for 'Port' and REQUIRE the 'Port' parameter like before (and maybe have second and later parameters override the earlier ones, like 'everyone else').
Regards,
Adriaan
PS Searching for solutions, I found that specifying 'ListenAddress 0.0.0.0:7722' stops sshd from listening to port 22. This, however, is not documented in 'man 5 sshd_config' and may be an unreliable side-effect. |
|
2020-06-08 07:02:05 |
Bug Watch Updater |
openssh (Debian): status |
New |
Fix Released |
|
2020-06-16 21:14:54 |
Brian Murray |
openssh (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2020-06-16 21:14:56 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-06-16 21:15:00 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-06-16 21:15:06 |
Brian Murray |
tags |
server-next |
server-next verification-needed verification-needed-focal |
|
2020-06-17 11:41:43 |
Christian Ehrhardt |
tags |
server-next verification-needed verification-needed-focal |
server-next verification-done verification-done-focal |
|
2020-06-24 00:31:29 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-06-24 00:31:49 |
Launchpad Janitor |
openssh (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|