
Re: Backport Request: Backport openssh-server-9.2p1-2 to bullseye



On Thu, Feb 16, 2023 at 01:56:05PM +0530, jadhav vishwanath wrote:
> The ssh timeout functionality was removed in the OpenSSH-server-8.4. Now
> this functionality has been fixed (restored) in OpenSSH-server-9.2 (refer
> <https://bugzilla.mindrot.org/show_bug.cgi?id=3182#c5>) released in Debian
> bookworm.

The inactivity timeout is a *new feature* in OpenSSH 9.2 as
the site you linked to clearly indicates.  It also links to
<https://www.openssh.com/releasenotes.html#9.2> which goes into more
detail about the new feature.

> The functionality was working properly in Buster and as per the
> fix it is restored in bookworm.

This is completely false.  You were perhaps exploiting some kind of bug
or accidental feature in the old version.  As your own link says,

  Killing the connection because of inactivity was never the specified
  function of ClientAliveInterval and that it happened to work that way
  was an accident.

Just installing the new version is not going to restore the accidental
functionality you were exploiting.  You will need to set up the new
feature explicitly.

> It would be great if we can backport the
> fix to Debian bullseye as well. From a security point of view,
> functionality has high importance.

If your manager or overseeing committee has a fetish for idle timeouts
on ssh connections (this is not the first time I've heard of such a
thing), then that's more of a "you" problem than something all of the
users of Debian would care about.

As such, I'd suggest that *you* backport the newer openssh-server to
your system, or compile the upstream OpenSSH and install that.

I've had to use upstream OpenSSH due to incompetent overseers who
do not understand how Debian's security team works (their probes only
look at the upstream component of the version number and say "hey, this
one is vulnerable").  So I can definitely sympathize a little, albeit not
on this *particular* misfeature.  I can also state with experience that
compiling and installing upstream OpenSSH is not too difficult to do.
Getting the systemd unit file correct is by far the hardest part of it.

Building it yourself will give you full control over the local situation,
so you won't have to come back here asking for yet another official
backport when your overseeing committee decides that you need version
9.2.2 or something.  You'll be able to handle it yourself.
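
Added example, not part of the original message and not OpenSSH or Debian project code: a shell check for the point made above that installing 9.2 alone enforces nothing and the timeout has to be configured explicitly. It assumes the OpenSSH 9.2 sshd_config keywords `ChannelTimeout` and `UnusedConnectionTimeout` (not named in the message) and lowercase keyword/value lines like those `sshd -T` prints; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples in the shape of `sshd -T` output (not captured from a real host).
SAMPLE_OLD='clientaliveinterval 300'
SAMPLE_NEW='clientaliveinterval 300
channeltimeout session:*=15m
unusedconnectiontimeout 600'

# supports_idle_timeout BANNER: succeed if the OpenSSH version is 9.2 or later.
supports_idle_timeout() {
    ver=${1#OpenSSH_}            # "9.2p1 ..." from "OpenSSH_9.2p1 ..."
    ver=${ver%%[!0-9.]*}         # keep the leading "major.minor"
    case $ver in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    minor=${ver#*.}; minor=${minor%%.*}
    [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 2 ]; }
}

# config_value KEY: print the value of KEY from keyword/value lines on stdin.
config_value() {
    while read -r key value; do
        if [ "$key" = "$1" ]; then printf '%s\n' "$value"; return 0; fi
    done
    return 0
}

# idle_timeout_status BANNER: effective config on stdin, verdict on stdout.
idle_timeout_status() {
    cfg=$(cat)
    if ! supports_idle_timeout "$1"; then
        echo unsupported         # pre-9.2: ClientAliveInterval is not an idle timeout
        return 0
    fi
    chan=$(printf '%s\n' "$cfg" | config_value channeltimeout)
    unused=$(printf '%s\n' "$cfg" | config_value unusedconnectiontimeout)
    case $chan in ''|none) chan=none ;; esac
    case $unused in ''|0|none) unused=none ;; esac
    case $chan/$unused in
        none/none) echo not-configured ;;          # new version, feature never set up
        none/*)    echo unused-connections-only ;;
        */none)    echo channels-only ;;
        *)         echo configured ;;
    esac
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OLD" | idle_timeout_status "OpenSSH_8.4p1"
printf '%s\n' "$SAMPLE_OLD" | idle_timeout_status "OpenSSH_9.2p1"
printf '%s\n' "$SAMPLE_NEW" | idle_timeout_status "OpenSSH_9.2p1"
```

On a real host the banner and the config dump would be supplied from the installed binaries instead of the samples.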

