Failed to apply 'Match' directive in sshd_config with sshd-socket-generator
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Fix Released | Medium | Nick Rosbrook |
Noble | Fix Released | Medium | Nick Rosbrook |
Oracular | Fix Released | Medium | Nick Rosbrook |
Bug Description
[Impact]
When users have a Match section in their sshd config, their configuration cannot be parsed by the sshd-socket-
[Test Plan]
1. On a noble system with sshd installed, create a drop-in config with a Match directive, and run the generator locally:
$ cat > /etc/ssh/
Port 1234
Match LocalPort 22
PasswordAut
EOF
$ /lib/systemd/
'Match LocalPort' in configuration but 'lport' not in connection test specification.
On an affected system, the above error will be shown. On a patched system, the generator will succeed, and ./ssh.socket.
2. A new subtest was added to debian/
[Where problems could occur]
This patch simply removes the code from sshd-socket-
[Original Description]
When using the Match statement in sshd_config or sshd_config.
Environment:
Ubuntu: Ubuntu 24.04 LTS
OpenSSH Server: 1:9.6p1-3ubuntu13.4
Steps to Reproduce:
/etc/ssh/
```
Include /etc/ssh/
Port 22
Port 22222
KbdInteractiveA
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/
Match LocalPort 22222
PasswordAut
PubkeyAuthe
```
Command:
sudo systemctl daemon-reload && sudo systemctl restart ssh.socket
Expected Behavior:
sshd should listen on both ports 22 and 22222.
When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.
Actual Behavior:
sshd only listens on port 22 and not on port 22222. The configuration is not correctly applied.
After daemon-reload, the output from journalctl is as follows:
$ sudo journalctl -t (sd-exec-
Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/
Additional Information:
1. Using sshd -T -C to test the configuration produces the following result:
$ sudo sshd -T -C lport=22 | grep passwordauthent
passwordauthent
$ sudo sshd -T -C lport=22222 | grep passwordauthent
passwordauthent
2. The output when manually running /usr/lib/
$ sudo /usr/lib/
'Match LocalPort' in configuration but 'lport' not in connection test specification.
3. I have tested some cases; if sshd-socket-
And I also noticed that there is no test case about the Match directive in https:/
I guess the root cause of the issue lies in the sshd-socket-
And a detailed assessment of the potential security issues caused by this bug is needed.
If socket activation is to be widely adopted, this issue will undoubtedly be a significant stumbling block.
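Item 3 of the report points at the mechanism: sshd will not parse a configuration that contains Match LocalPort unless the connection it should match against is supplied with -C lport=<port>, and the generator invoked sshd -T without one. The script below is an added example for this page (it is not the sshd-socket-generator's code, not the reporter's, and not from OpenSSH): it splits an sshd_config fragment into its global section and Match blocks, reports which -C keys the Match criteria require, builds an sshd -T invocation that supplies them, and derives the ListenStream= values a socket unit would need. The criterion-to-key table follows sshd(8) and sshd_config(5); the sample configuration is constructed for the example; Include lines are recorded but not expanded, ListenAddress is ignored, and the function names are the example's own.

```python
import re
from dataclasses import dataclass, field

# sshd evaluates a Match block only against a known connection; for `sshd -T`
# that comes from -C. Map each Match criterion (sshd_config(5)) to the -C key
# it needs (sshd(8)). Group is matched against the user's group list, so it
# needs "user".
MATCH_SPEC_KEYS = {
    "user": "user", "group": "user", "host": "host", "address": "addr",
    "localaddress": "laddr", "localport": "lport", "rdomain": "rdomain",
}

# Constructed sample, modelled on the report above: two listen ports, password
# authentication switched off for connections arriving on 22222.
SAMPLE_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 22222
PasswordAuthentication yes
Match LocalPort 22222
    PasswordAuthentication no
    PubkeyAuthentication yes
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^\s*(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


@dataclass
class ParsedConfig:
    ports: list = field(default_factory=list)
    global_opts: dict = field(default_factory=dict)
    match_blocks: list = field(default_factory=list)  # [(criteria, opts), ...]

    @property
    def spec_keys(self):
        """-C keys that `sshd -T` needs before it will parse this config."""
        return {MATCH_SPEC_KEYS[c] for criteria, _ in self.match_blocks for c in criteria}


def _parse_match_criteria(args):
    """'LocalPort 22222 User alice' or 'LocalPort=22222' -> {'localport': '22222', ...}."""
    tokens = [part for tok in args.split() for part in tok.split("=", 1)]
    if tokens == ["all"]:
        return {}
    if len(tokens) % 2:
        raise ValueError(f"Match line has an unpaired criterion: {args!r}")
    criteria = {}
    for crit, pattern in zip(tokens[::2], tokens[1::2]):
        if crit.lower() not in MATCH_SPEC_KEYS:
            raise ValueError(f"unknown Match criterion {crit!r}")
        criteria[crit.lower()] = pattern
    return criteria


def parse_sshd_config(text):
    """Split a config into the global section and its Match blocks.

    Include lines are recorded but not expanded (an assumption of this
    example); a real tool must read the included files, which may carry Port.
    """
    cfg = ParsedConfig()
    block = None  # None while in the global section, else the open Match block
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            raise ValueError(f"cannot parse line {raw!r}")
        key, args = m.group(1).lower(), m.group(2)
        if key == "match":
            block = {}
            cfg.match_blocks.append((_parse_match_criteria(args), block))
        elif key == "port":
            if block is not None:  # sshd rejects this, so listen ports never depend on -C
                raise ValueError("Port is not permitted inside a Match block")
            cfg.ports.append(args)
        else:
            (cfg.global_opts if block is None else block)[key] = args
    if not cfg.ports:
        cfg.ports.append("22")  # sshd's built-in default when no Port is given
    return cfg


def listen_streams(cfg):
    """ListenStream= lines for an ssh.socket drop-in (ListenAddress is ignored here)."""
    return [f"ListenStream={p}" for p in cfg.ports]


def sshd_test_argv(cfg, config_path, spec=None, sshd="/usr/sbin/sshd"):
    """argv for `sshd -T` that will parse cfg, or ValueError if spec lacks a key
    the Match blocks need (the generator's failure mode in this report)."""
    spec = dict(spec or {})
    missing = sorted(cfg.spec_keys - set(spec))
    if missing:
        raise ValueError(f"config needs -C keys {missing}; pass e.g. -C {missing[0]}=...")
    argv = [sshd, "-T", "-f", config_path]
    if spec:
        argv += ["-C", ",".join(f"{k}={v}" for k, v in sorted(spec.items()))]
    return argv


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    print("ports:", cfg.ports, "needs -C keys:", cfg.spec_keys)
    for port in cfg.ports:
        print(" ".join(sshd_test_argv(cfg, "/etc/ssh/sshd_config", {"lport": port})))
    print("\n".join(listen_streams(cfg)))
```

Two points the example makes explicit: sshd refuses a Port directive inside a Match block, so the set of listen ports never depends on the connection spec, and a tool that derives socket addresses only needs some valid -C specification, not one per port. On a real host the argv it prints is what you should run next, reading port and listenaddress from sshd's own output rather than trusting a text parser, because Include files and ListenAddress both change the answer.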
tags: added: sshd-socket-generator
tags: added: no
tags: added: noble removed: no
Changed in openssh (Ubuntu Oracular):
status: Triaged → Fix Committed
description: updated
description: updated
Changed in openssh (Ubuntu Noble):
status: Triaged → In Progress
Changed in openssh (Ubuntu Noble):
status: Fix Committed → Fix Released
Thank you for the detailed bug report. I am not yet sure the best way to fix this, but I was able to reproduce using your instructions.