[SRU] walinuxagent breaks sshd configuration
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
walinuxagent (Ubuntu) | Fix Released | Critical | Robert C Jennings | |
Saucy | Fix Released | Critical | Unassigned | |
Trusty | Fix Released | Critical | Robert C Jennings | |
Bug Description
[Impact]
* Provisioning with the latest walinuxagent will break sshd_config, barring sshd from starting. With ssh access often the only means of access for cloud instances, this is extremely disruptive.
* A backport of this fix is necessary to retain ssh access after re-provisioning an instance hosted on Azure.
* The current waagent command assumes that sshd_config is terminated with a newline when it appends a config option to the file. There is no newline and thus this new configuration option is appended to a current option rendering the config file invalid. The fix is to insert a newline prior to appending to the config file.
[Test Case]
Steps to reproduce
* Become familiar with the last line of sshd_config, `tail /etc/ssh/
It will contain "UsePAM yes" and have no newline at the end of the file.
* Install walinuxagent with `apt-get install waagent`
* Force re-provisioning by running `waagent -setup`
* Check the config file with `tail /etc/ssh/
"UsePAM yesClientAliveI
* Confirm that the SSH daemon will fail to start. Test by running `/usr/sbin/sshd`. Expected error output is:
"/etc/
At this point, rebooting the OS will result in loss of SSH access.
* Edit /etc/ssh/
* Verify that ssh can start again `/usr/sbin/sshd`
[Regression Potential]
* Regression risk is extremely low, I can't think of a negative impact of adding an extra newline to the end of the file before appending content.
[Other Info]
* Tested in 14.04 and 13.10, PPA builds can be found at ppa:~rcj/testing for those packages.
* Repeated re-provisioning will add new newline characters, which will add whitespace prior to the new config option. This whitespace will grow by one line with each re-provisioning; but this is a rare operation. Given the code structure it was far safer to address this by unconditionally adding the newline rather than adding complexity to check that it was absolutely needed.
[ Original Description Follows ]
After installing the latest walinuxagent package on Ubuntu 13.10 I see that we end up with a broken configuration in /etc/ssh/
UsePAM yesClientAliveI
This is the result of the agent package re-running "waagent -setup," which wants to append the "ClientAliveInt
We could fix this bug in the agent to always add "\n" to the front of this parameter (maybe a good idea) or there may be another way to fix this.
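The failure mode described in this report, and one way to append safely, as an added example that is not walinuxagent's code or the released patch (which, per the description, inserts the newline unconditionally). It goes slightly beyond the fix by adding the newline only when needed and skipping the write when the directive is already present; the directive name and value, the sample config and the function names are assumptions made for the illustration.

```python
import os
import tempfile

# Assumed directive: the page truncates the option name. ClientAliveInterval
# is a real sshd_config keyword; the value 180 is constructed for this example.
DIRECTIVE = "ClientAliveInterval 180"


def naive_append(path, line):
    """Reproduces the bug: assumes the file already ends with a newline."""
    with open(path, "a") as f:
        f.write(line + "\n")


def safe_append(path, line):
    """Append `line` on its own line; return False if it is already there."""
    with open(path, "rb") as f:
        data = f.read()
    present = [l.strip() for l in data.decode("utf-8", "replace").splitlines()]
    if line in present:
        return False  # idempotent: repeated provisioning does not grow the file
    sep = b"" if (not data or data.endswith(b"\n")) else b"\n"
    with open(path, "ab") as f:
        f.write(sep + line.encode() + b"\n")
    return True


def demo():
    """Run both appenders twice on a constructed config with no final newline."""
    results = {}
    for name, fn in (("naive", naive_append), ("safe", safe_append)):
        fd, path = tempfile.mkstemp()
        with os.fdopen(fd, "w") as f:
            f.write("Port 22\nUsePAM yes")  # constructed sample, no trailing "\n"
        fn(path, DIRECTIVE)
        fn(path, DIRECTIVE)  # simulates a second re-provisioning
        with open(path) as f:
            results[name] = f.read().splitlines()
        os.remove(path)
    return results


if __name__ == "__main__":
    for name, lines in demo().items():
        print(name, lines)
```

After any automated edit of this kind, `sshd -t -f <file>` checks the configuration for validity before the daemon is restarted.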
Changed in walinuxagent (Ubuntu): | |
assignee: | nobody → Robert C Jennings (rcj) |
assignee: | Robert C Jennings (rcj) → nobody |
Changed in walinuxagent (Ubuntu): | |
status: | New → Incomplete |
status: | Incomplete → Confirmed |
assignee: | nobody → Robert C Jennings (rcj) |
summary: |
- Broken SSHD configuration on Ubuntu 13.10 with latest walinuxagent update
+ walinuxagent breaks sshd configuration |
description: | updated |
Changed in walinuxagent (Ubuntu Saucy): | |
importance: | Undecided → Critical |
status: | New → In Progress |
assignee: | nobody → Robert C Jennings (rcj) |
tags: | added: precise regression-update |
Ben, I've attached a proposed patch.