2023-03-20 17:40:22 |
Gerard Weatherby |
bug |
|
|
added bug |
2023-03-21 12:49:25 |
Lucas Kanashiro |
openssh (Ubuntu): status |
New |
Incomplete |
|
2023-03-23 09:58:42 |
Gerard Weatherby |
attachment added |
|
fail https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2012298/+attachment/5656819/+files/fail |
|
2023-03-23 09:59:16 |
Gerard Weatherby |
attachment added |
|
cweatherby.conf https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2012298/+attachment/5656820/+files/cweatherby.conf |
|
2023-03-23 09:59:45 |
Gerard Weatherby |
attachment added |
|
work https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2012298/+attachment/5656821/+files/work |
|
2023-03-24 16:29:43 |
Lena Voytek |
nominated for series |
|
Ubuntu Focal |
|
2023-03-24 16:29:43 |
Lena Voytek |
bug task added |
|
openssh (Ubuntu Focal) |
|
2023-03-24 16:29:48 |
Lena Voytek |
openssh (Ubuntu): status |
Incomplete |
Fix Released |
|
2023-03-24 16:29:52 |
Lena Voytek |
openssh (Ubuntu Focal): status |
New |
Confirmed |
|
2023-03-24 16:30:02 |
Lena Voytek |
tags |
amd64 apport-bug focal |
amd64 apport-bug focal server-todo |
|
2023-03-24 16:30:11 |
Lena Voytek |
bug |
|
|
added subscriber Ubuntu Server |
2023-03-30 16:21:42 |
Paride Legovini |
openssh (Ubuntu Focal): status |
Confirmed |
Triaged |
|
2023-03-30 16:21:53 |
Paride Legovini |
bug watch added |
|
https://bugzilla.mindrot.org/show_bug.cgi?id=3122 |
|
2023-03-30 16:21:53 |
Paride Legovini |
bug task added |
|
openssh |
|
2023-03-31 21:39:34 |
Lena Voytek |
openssh (Ubuntu Focal): assignee |
|
Lena Voytek (lvoytek) |
|
2023-03-31 21:39:37 |
Lena Voytek |
openssh (Ubuntu Focal): status |
Triaged |
In Progress |
|
2023-04-03 22:30:08 |
Lena Voytek |
description |
The stanza
Match User <username>
PasswordAuthentication no
in /etc/ssh/sshd_config works as expected.
The same stanza in /etc/ssh/sshd_config.d/username.conf does not work.
The Include in /etc/ssh/sshd_config is not commented out, and
/usr/sbin/sshd -D -ddd
shows the username.config file being parsed.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssh-server 1:8.2p1-4ubuntu0.5
ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210
Uname: Linux 5.4.0-131-generic x86_64
NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal falcon_lsm_pinned_14713
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Mon Mar 20 13:34:14 2023
InstallationDate: Installed on 2022-11-04 (136 days ago)
InstallationMedia:
SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
When using the "Match" phrase in sshd_config.d files, the configuration does not apply. This leads to failures in user-specific configurations such as with PasswordAuthentication.
The fix for this issue should be added to Focal to allow users to use Match as expected.
The bug is fixed by backporting an upstream commit that includes custom config files then runs all matches provided.
[Test Plan]
$ lxc launch images:ubuntu/focal test-ssh-focal
$ lxc exec test-ssh-focal bash
# apt update && apt upgrade -y
# apt install openssh-server
# adduser user
> ssh into container from another terminal to show pw auth is available by default:
$ ssh user@<container-ip>
user@<container-ip>'s password:
# cat <<EOF >/etc/ssh/sshd_config.d/user.conf
Match User user
PasswordAuthentication No
Match All
EOF
# systemctl restart sshd
> Check again in other terminal
$ ssh user@<container-ip>
> Before the fix, it will show:
user@<container-ip>'s password:
> After, it will show
user@<container-ip>: Permission denied (publickey).
[Where problems could occur]
If problems were to occour, they would be in the interpretation of configuration files. All changes from this fix exist in servconf.c. The largest part of this change is a move from the inc_flags variable being an integer to an integer pointer, so problems could show up through changes to the flags in the pass by reference.
[Other Info]
This issue has already been fixed in Jammy and later, as it was fixed in upstream version 8.4.
[Original Description]
The stanza
Match User <username>
PasswordAuthentication no
in /etc/ssh/sshd_config works as expected.
The same stanza in /etc/ssh/sshd_config.d/username.conf does not work.
The Include in /etc/ssh/sshd_config is not commented out, and
/usr/sbin/sshd -D -ddd
shows the username.config file being parsed.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssh-server 1:8.2p1-4ubuntu0.5
ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210
Uname: Linux 5.4.0-131-generic x86_64
NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal falcon_lsm_pinned_14713
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Mon Mar 20 13:34:14 2023
InstallationDate: Installed on 2022-11-04 (136 days ago)
InstallationMedia:
SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2023-04-03 22:44:20 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/openssh/+git/openssh/+merge/440279 |
|
2023-04-05 19:45:18 |
Lena Voytek |
description |
[Impact]
When using the "Match" phrase in sshd_config.d files, the configuration does not apply. This leads to failures in user-specific configurations such as with PasswordAuthentication.
The fix for this issue should be added to Focal to allow users to use Match as expected.
The bug is fixed by backporting an upstream commit that includes custom config files then runs all matches provided.
[Test Plan]
$ lxc launch images:ubuntu/focal test-ssh-focal
$ lxc exec test-ssh-focal bash
# apt update && apt upgrade -y
# apt install openssh-server
# adduser user
> ssh into container from another terminal to show pw auth is available by default:
$ ssh user@<container-ip>
user@<container-ip>'s password:
# cat <<EOF >/etc/ssh/sshd_config.d/user.conf
Match User user
PasswordAuthentication No
Match All
EOF
# systemctl restart sshd
> Check again in other terminal
$ ssh user@<container-ip>
> Before the fix, it will show:
user@<container-ip>'s password:
> After, it will show
user@<container-ip>: Permission denied (publickey).
[Where problems could occur]
If problems were to occour, they would be in the interpretation of configuration files. All changes from this fix exist in servconf.c. The largest part of this change is a move from the inc_flags variable being an integer to an integer pointer, so problems could show up through changes to the flags in the pass by reference.
[Other Info]
This issue has already been fixed in Jammy and later, as it was fixed in upstream version 8.4.
[Original Description]
The stanza
Match User <username>
PasswordAuthentication no
in /etc/ssh/sshd_config works as expected.
The same stanza in /etc/ssh/sshd_config.d/username.conf does not work.
The Include in /etc/ssh/sshd_config is not commented out, and
/usr/sbin/sshd -D -ddd
shows the username.config file being parsed.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssh-server 1:8.2p1-4ubuntu0.5
ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210
Uname: Linux 5.4.0-131-generic x86_64
NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal falcon_lsm_pinned_14713
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Mon Mar 20 13:34:14 2023
InstallationDate: Installed on 2022-11-04 (136 days ago)
InstallationMedia:
SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
When using the "Match" phrase in sshd_config.d files, the configuration does not apply. This leads to failures in user-specific configurations such as with PasswordAuthentication.
The fix for this issue should be added to Focal to allow users to use Match as expected.
The bug is fixed by backporting an upstream commit that includes custom config files then runs all matches provided. It updates the function for reading in config files with checks for matches, and, if the correct flags are marked, the match will then be handled accordingly.
[Test Plan]
$ lxc launch images:ubuntu/focal test-ssh-focal
$ lxc exec test-ssh-focal bash
# apt update && apt upgrade -y
# apt install openssh-server
# adduser user
> ssh into container from another terminal to show pw auth is available by default. You can get the ip through 'ip addr' in the container or 'lxc list' outside.
$ ssh user@<container-ip>
user@<container-ip>'s password:
# cat <<EOF >/etc/ssh/sshd_config.d/user.conf
Match User user
PasswordAuthentication No
Match All
EOF
# systemctl restart sshd
> Check again in other terminal
$ ssh user@<container-ip>
> Before the fix, it will show:
user@<container-ip>'s password:
> After, it will show
user@<container-ip>: Permission denied (publickey).
[Where problems could occur]
If problems were to occur, they would be in the interpretation of configuration files. All changes from this fix exist in servconf.c. The largest part of this change is a move from the inc_flags variable being an integer to an integer pointer, so problems could show up through changes to the flags in the pass by reference. Going over the change to pointer usage visually, all instances within the process_server_config_line_depth function are modified properly, along with the two calls to the function.
[Other Info]
This issue has already been fixed in Jammy and later, as it was fixed in upstream version 8.4.
To use the PPA containing this fix, you can run:
$ sudo apt install -y software-properties-common
$ sudo add-apt-repository -y ppa:lvoytek/openssh-fix-passwordauthentication-config
$ sudo apt update
$ sudo apt upgrade -y
$ sudo systemctl restart sshd
[Original Description]
The stanza
Match User <username>
PasswordAuthentication no
in /etc/ssh/sshd_config works as expected.
The same stanza in /etc/ssh/sshd_config.d/username.conf does not work.
The Include in /etc/ssh/sshd_config is not commented out, and
/usr/sbin/sshd -D -ddd
shows the username.config file being parsed.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssh-server 1:8.2p1-4ubuntu0.5
ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210
Uname: Linux 5.4.0-131-generic x86_64
NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal falcon_lsm_pinned_14713
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Mon Mar 20 13:34:14 2023
InstallationDate: Installed on 2022-11-04 (136 days ago)
InstallationMedia:
SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2023-04-14 22:35:09 |
Steve Langasek |
openssh (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2023-04-14 22:35:11 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-04-14 22:35:14 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2023-04-14 22:35:18 |
Steve Langasek |
tags |
amd64 apport-bug focal server-todo |
amd64 apport-bug focal server-todo verification-needed verification-needed-focal |
|
2023-04-15 01:10:16 |
Gerard Weatherby |
tags |
amd64 apport-bug focal server-todo verification-needed verification-needed-focal |
amd64 apport-bug focal server-todo verification-done-focal verification-needed |
|
2023-04-17 16:21:27 |
Lena Voytek |
tags |
amd64 apport-bug focal server-todo verification-done-focal verification-needed |
amd64 apport-bug focal server-todo verification-done verification-done-focal |
|
2023-05-10 15:07:37 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-05-10 15:07:36 |
Launchpad Janitor |
openssh (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|