Failed to apply 'Match' directive in sshd_config with sshd-socket-generator

Bug #2076023 reported by Enorize
This bug affects 3 people
Affects             Status        Importance  Assigned to     Milestone
openssh (Ubuntu)    Fix Released  Medium      Nick Rosbrook
  Noble             Fix Released  Medium      Nick Rosbrook
  Oracular          Fix Released  Medium      Nick Rosbrook

Bug Description

[Impact]

When users have a Match section in their sshd config, their configuration cannot be parsed by the sshd-socket-generator (because there is no connection, hence no connection spec to be matched), and the generator fails. This means no custom config is applied at all.

[Test Plan]

1. On a noble system with sshd installed, create a drop-in config with a Match directive, and run the generator locally:

```
$ cat > /etc/ssh/sshd_config.d/custom.conf << EOF
Port 1234
Match LocalPort 22
    PasswordAuthentication no
EOF
$ /lib/systemd/system-generators/sshd-socket-generator .
'Match LocalPort' in configuration but 'lport' not in connection test specification.
```

On an affected system, the above error will be shown. On a patched system, the generator will succeed, and ./ssh.socket.d/addresses.conf will reflect the Port 1234 option.

2. A new subtest was added to debian/tests/sshd-socket-generator, test_match_port. It does the same as the above, and should pass in autopkgtest.

[Where problems could occur]

This patch simply removes the code from sshd-socket-generator that tries to parse the match config. If problems did occur, it would be related to the generator again. Specifically, it would likely be related to missing/unparsed options.

[Original Description]

When using the Match statement in sshd_config or sshd_config.d/*.conf with socket activation (not the classic method), sshd does not start as expected.

Environment:

Ubuntu: Ubuntu 24.04 LTS
OpenSSH Server: 1:9.6p1-3ubuntu13.4

Steps to Reproduce:

/etc/ssh/sshd_config
```
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 22222
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match LocalPort 22222
    PasswordAuthentication no
    PubkeyAuthentication yes
```

command:

sudo systemctl daemon-reload && sudo systemctl restart ssh.socket

Expected Behavior:

sshd should listen on both ports 22 and 22222.
When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.

Actual Behavior:

sshd only listens on port 22 and not on port 22222. The configuration is not correctly applied.

After daemon-reload, the output from journalctl is as follows:

$ sudo journalctl -t (sd-exec-
Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.

Additional Information:

1. Using sshd -T -C to test the configuration produces the following result:
$ sudo sshd -T -C lport=22 | grep passwordauthentication
passwordauthentication yes

$ sudo sshd -T -C lport=22222 | grep passwordauthentication
passwordauthentication no

2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
$ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
'Match LocalPort' in configuration but 'lport' not in connection test specification.

3. I have tested some cases; if sshd-socket-generator cannot handle the config correctly, sshd seems to run with the default config.

And I also noticed that there is no test case about the Match directive in https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.

I guess the root cause of the issue lies in the sshd-socket-generator not correctly handling the Match directive.

And a detailed assessment of the potential security issues caused by this bug is needed.

If socket activation is to be widely adopted, this issue will undoubtedly be a significant stumbling block.

Enorize (enorize)
tags: added: sshd-socket-generator
tags: added: no
tags: added: noble
removed: no
Revision history for this message
Nick Rosbrook (enr0n) wrote :

Thank you for the detailed bug report. I am not yet sure the best way to fix this, but I was able to reproduce using your instructions.

Changed in openssh (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Nick Rosbrook (enr0n)
tags: added: foundations-todo
Revision history for this message
Nick Rosbrook (enr0n) wrote :

I took another look, and this turns out to be simpler than I thought. The problem is that we explicitly attempt to parse the server match config (an unnecessary copypasta from sshd -T code path). But, in the generator, we only care about options that affect the listening addresses, and the match section is for modifying settings on a per-connection basis.

Hence, the fix for this is to just not attempt to parse the match config, as it requires a connection spec, which we cannot have at generator time.

Changed in openssh (Ubuntu Oracular):
status: Confirmed → Triaged
Changed in openssh (Ubuntu Noble):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Nick Rosbrook (enr0n)
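To make the reasoning above concrete, here is an added illustration (not the sshd-socket-generator source) of the post-fix behaviour: a small parser that collects only the socket-relevant sshd_config options (Port, ListenAddress, AddressFamily) from the global section, skips everything under Match as per-connection configuration, and reports whether a config contains a Match line that the pre-fix generator would have tried to evaluate. Include directives are assumed to be already expanded; the sample config is constructed from the one in the report.

```python
"""Socket-relevant sshd_config options, ignoring Match blocks.

Added example, not Ubuntu's generator code: it models the fix described
in this bug (a generator has no connection spec, so Match blocks must be
skipped) and flags configs that the old generator would abort on.
Include lines are assumed to have been expanded beforehand.
"""
import re

# Directives that determine which sockets systemd must open.
LISTEN_OPTIONS = ("port", "listenaddress", "addressfamily")


def parse_listen_options(text):
    """Return (listen_opts, match_lines) for sshd_config text.

    listen_opts maps option name -> list of values taken only from the
    global section (sshd itself forbids these inside Match).
    match_lines lists the Match criteria encountered, i.e. what the
    pre-fix generator tried to evaluate without a connection.
    """
    listen = {name: [] for name in LISTEN_OPTIONS}
    match_lines = []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)  # "Port 22" or "Port=22"
        key, value = (parts + [""])[:2]
        key = key.lower()
        if key == "match":
            in_match = True  # everything until the next Match is per-connection
            match_lines.append(value)
            continue
        if in_match:
            continue
        if key in listen:
            listen[key].append(value)
    return listen, match_lines


def generator_would_fail(text):
    """True if the pre-fix generator would exit on this config (any Match)."""
    return bool(parse_listen_options(text)[1])


def effective_ports(text):
    """Ports the socket unit must listen on; sshd's default is 22."""
    listen, _ = parse_listen_options(text)
    return [int(p) for p in listen["port"]] or [22]


# Constructed sample modelled on the sshd_config from the report.
SAMPLE_CONFIG = """\
Port 22
Port 22222
PasswordAuthentication yes
Match LocalPort 22222
    PasswordAuthentication no
    PubkeyAuthentication yes
"""
```

Running `effective_ports(SAMPLE_CONFIG)` yields both ports, while `generator_would_fail(SAMPLE_CONFIG)` is true, which is exactly the mismatch the report observed: a valid sshd config that the old generator could not process.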
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Oracular):
status: Triaged → Fix Committed
Revision history for this message
Nick Rosbrook (enr0n) wrote :

I am planning an SRU for noble in the next couple weeks.

tags: removed: foundations-todo
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.7p1-7ubuntu3

---------------
openssh (1:9.7p1-7ubuntu3) oracular; urgency=medium

  * sshd-socket-generator: do not parse server match config (LP: #2076023)

 -- Nick Rosbrook <email address hidden> Tue, 27 Aug 2024 15:54:41 -0400

Changed in openssh (Ubuntu Oracular):
status: Fix Committed → Fix Released
Nick Rosbrook (enr0n)
description: updated
Nick Rosbrook (enr0n)
description: updated
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Noble):
status: Triaged → In Progress
Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Enorize, or anyone else affected,

Accepted openssh into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssh (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-noble
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.6p1-3ubuntu13.6)

All autopkgtests for the newly accepted openssh (1:9.6p1-3ubuntu13.6) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

crmsh/unknown (i386)
debvm/unknown (amd64)
fence-agents/4.12.1-2~exp1ubuntu4 (amd64)
freedombox/unknown (amd64)
g10k/unknown (amd64)
gvfs/unknown (amd64)
libnet-scp-perl/unknown (amd64)
libnet-sftp-foreign-perl/unknown (amd64)
libnetapp-perl/unknown (amd64)
nova/unknown (i386)
pkg-perl-tools/0.78 (amd64, armhf)
rancid/unknown (amd64)
tinyssh/20240101-2 (amd64, armhf)
ubuntu-boot-test/2 (amd64)
vorta/unknown (amd64)
wcc/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Nick Rosbrook (enr0n) wrote :

I have verified this fix using openssh-server 1:9.6p1-3ubuntu13.6 from noble-proposed.

I created a container and enabled noble-proposed:

nr@six:~$ lxc launch ubuntu:noble noble
Launching noble
nr@six:~$ lxc exec noble bash
root@noble:~# cat > /etc/apt/sources.list.d/proposed.sources << EOF
Types: deb
URIs: http://us.archive.ubuntu.com/ubuntu/
Suites: noble-proposed
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF
root@noble:~# apt update
Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed InRelease [265 kB]
Hit:2 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages [180 kB]
Hit:4 http://archive.ubuntu.com/ubuntu noble InRelease
Get:5 http://us.archive.ubuntu.com/ubuntu noble-proposed/main Translation-en [48.6 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Components [22.0 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 c-n-f Metadata [3556 B]
Get:8 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Packages [650 kB]
Hit:9 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:10 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Get:11 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe Translation-en [79.1 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Components [68.0 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 c-n-f Metadata [10.7 kB]
Fetched 1326 kB in 1s (1190 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
16 packages can be upgraded. Run 'apt list --upgradable' to see them.

Then I created the drop-in and confirmed the CURRENT version fails:

root@noble:~# cat > /etc/ssh/sshd_config.d/custom.conf << EOF
Port 1234
Match LocalPort 22
    PasswordAuthentication no
EOF
root@noble:~# /lib/systemd/system-generators/sshd-socket-generator .
'Match LocalPort' in configuration but 'lport' not in connection test specification.

Then I installed the new openssh-server, and confirmed the issue went away:

root@noble:~# apt install -t noble-proposed openssh-server -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openssh-client openssh-sftp-server
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 71 not upgraded.
Need to get 1451 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-sftp-server amd64 1:9.6p1-3ubuntu13.6 [37.3 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-server amd64 1:9.6p1-3ubuntu13.6 [509 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-client amd64 1:9.6...


Revision history for this message
Nick Rosbrook (enr0n) wrote (last edit ):

Unfortunately, I just found a mistake in my upload regarding the autopkgtest. The test_match_on_port test case was added to d/t/sshd-socket-generator, but it is not actually called due to a mistake.

I personally feel confident in the fix given the manual test case, but it should be relatively easy to fix in a follow-on upload if needed.

Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Enorize, or anyone else affected,

Accepted openssh into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.6p1-3ubuntu13.7)

All autopkgtests for the newly accepted openssh (1:9.6p1-3ubuntu13.7) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

crmsh/4.6.0-1ubuntu2 (amd64)
crmsh/unknown (i386)
fence-agents/unknown (amd64)
keychain/unknown (i386)
openmpi/4.1.6-7ubuntu2 (amd64)
openssh/1:9.6p1-3ubuntu13.7 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Nick Rosbrook (enr0n) wrote (last edit ):

With the test case fixed, the verification is complete. E.g., I see in the log[1]:

2187s autopkgtest [03:09:47]: test sshd-socket-generator: [-----------------------
2188s test_default...PASS
2188s test_custom_port...PASS
2188s test_default_and_custom_port...PASS
2188s test_mutiple_custom_ports...PASS
2188s test_custom_listenaddress...PASS
2188s test_custom_listenaddress_and_port...PASS
2188s test_custom_ipv6_listenaddress...PASS
2188s test_custom_family_ipv4...PASS
2188s test_custom_family_ipv6...PASS
2188s test_custom_port_and_family_ipv4...PASS
2188s test_custom_port_and_family_ipv6...PASS
2188s test_match_on_port...PASS
2188s autopkgtest [03:09:48]: test sshd-socket-generator: -----------------------]
2188s autopkgtest [03:09:48]: test sshd-socket-generator: - - - - - - - - - - results - - - - - - - - - -

Specifically, the test_match_on_port case runs and passes now.

[1] https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/amd64/o/openssh/20241025_031157_bb375@/log.gz

tags: added: verification-done verification-done-noble
removed: verification-needed verification-needed-noble
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.6p1-3ubuntu13.7

---------------
openssh (1:9.6p1-3ubuntu13.7) noble; urgency=medium

  * d/t/sshd-socket-generator: run test_match_on_port test
    The test case was added to verify the fix for LP: 2076023,
    but it is not actually executed at the moment. Now that
    it does run, fix the grep commands used.

openssh (1:9.6p1-3ubuntu13.6) noble; urgency=medium

  * Explicitly listen on IPv4 by default, with socket-activated sshd
    (LP: #2080216)
    - d/systemd/ssh.socket: explicitly listen on ipv4 by default
    - d/t/sshd-socket-generator: update for new defaults and AddressFamily
    - sshd-socket-generator: handle new ssh.socket default settings
  * sshd-socket-generator: do not parse server match config
    (LP: #2076023)
  * d/p/systemd-socket-activation.patch: don't clear rexec_flag
    (LP: #2071815)
  * d/p/sshd-socket-generator.patch: add note to sshd_config
    Explain that a systemctl daemon-reload is needed for changes
    to Port et al to take effect.
    (LP: #2069041)
  * debian/openssh-server.ucf-md5sum: add new checksums for sshd_config

 -- Nick Rosbrook <email address hidden> Wed, 23 Oct 2024 14:19:51 -0400

Changed in openssh (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Update Released

The verification of the Stable Release Update for openssh has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

1:9.6p1-3ubuntu13.7 was moved back to noble-proposed due to a possible regression[1] that is being investigated. Setting the bug tasks back to fix committed.

1:9.6p1-3ubuntu13.5 was restored in noble-updates.

1. https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2087551

Changed in openssh (Ubuntu Noble):
status: Fix Released → Fix Committed
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Adding block-proposed-noble to avoid accidental release while the regression in https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2087551 is investigated.

tags: added: block-proposed-noble
Changed in openssh (Ubuntu Noble):
status: Fix Committed → Fix Released