Bug#789425: openssh-server: sshd does not start correctly after a system reboot; port set in sshd_config is ignored; default port is used
Package: openssh-server
Version: 1:6.7p1-5
Severity: important
Dear Maintainer,
Recently upgraded to Jessie, which was performed over ssh. After
rebooting the system, could not ssh back into the machine when using the
port assigned in sshd_config; unexpectedly:
$ ssh -v -p 50000 rl@a300
OpenSSH_6.7p1 Debian-6, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to a300 [192.168.1.12] port 50000.
debug1: connect to address 192.168.1.12 port 50000: Connection refused
ssh: connect to host a300 port 50000: Connection refused
* Then tried without the port set in sshd_config and was able to log in,
unexpectedly:
$ ssh -v rl@a300
OpenSSH_6.7p1 Debian-6, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to a300 [192.168.1.12] port 22.
debug1: Connection established.
debug1: identity file /home/michel/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5
debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA ae:48:3a:c7:07:5c:e5:6b:48:93:36:6f:34:26:54:3h
debug1: Host 'a300' is known and matches the RSA host key.
debug1: Found key in /home/michel/.ssh/known_hosts:3
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/michel/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Authentication succeeded (publickey).
Authenticated to a300 ([192.168.1.12]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sat Jun 20 11:38:42 2015 from x220
* After logging in as root, checked a few things.
The status of sshd.service, ssh.socket and ssh.service:
# systemctl status sshd.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: inactive (dead)
# systemctl status ssh.socket
● ssh.socket - OpenBSD Secure Shell server socket
Loaded: loaded (/lib/systemd/system/ssh.socket; enabled)
Active: active (listening) since Sat 2015-06-20 13:59:25 EDT; 5min ago
Listen: [::]:22 (Stream)
Accepted: 1; Connected: 1
# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: inactive (dead)
Whether sshd.service, ssh.socket and ssh.service were starting at boot
time:
# systemctl is-enabled sshd.service
enabled
# systemctl is-enabled ssh.socket
enabled
# systemctl is-enabled ssh.service
enabled
Not sure if the following helps, but also checked with 'sysv-rc-conf',
and it also shows that sshd is starting at boot:
service   1    2    3    4    5    0    6    S
ssh      [ ]  [X]  [X]  [X]  [X]  [ ]  [ ]  [ ]
And:
# find /etc/rc*.d/ -iname '*ssh*'
/etc/rc2.d/S02ssh
/etc/rc3.d/S02ssh
/etc/rc4.d/S02ssh
/etc/rc5.d/S02ssh
* Then restarted sshd:
# systemctl restart sshd.service
Here is the status of sshd.service, ssh.socket and ssh.service after
the restart of sshd.service:
# systemctl status sshd.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: active (running) since Sat 2015-06-20 14:08:23 EDT; 39s ago
Main PID: 1364 (sshd)
CGroup: /system.slice/ssh.service
└─1364 /usr/sbin/sshd -D
Jun 20 14:08:23 a300 sshd[1364]: Set /proc/self/oom_score_adj from 0 to -1000
Jun 20 14:08:23 a300 sshd[1364]: Server listening on 0.0.0.0 port 50000.
Jun 20 14:08:23 a300 sshd[1364]: Server listening on :: port 50000.
# systemctl status ssh.socket
● ssh.socket - OpenBSD Secure Shell server socket
Loaded: loaded (/lib/systemd/system/ssh.socket; enabled)
Active: inactive (dead) since Sat 2015-06-20 14:08:23 EDT; 2min 11s ago
Listen: [::]:22 (Stream)
Accepted: 1; Connected: 1
# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: active (running) since Sat 2015-06-20 14:08:23 EDT; 53s ago
Main PID: 1364 (sshd)
CGroup: /system.slice/ssh.service
└─1364 /usr/sbin/sshd -D
Jun 20 14:08:23 a300 sshd[1364]: Set /proc/self/oom_score_adj from 0 to -1000
Jun 20 14:08:23 a300 sshd[1364]: Server listening on 0.0.0.0 port 50000.
Jun 20 14:08:23 a300 sshd[1364]: Server listening on :: port 50000.
* Now, after the restart of sshd.service, can log in using the port set in
sshd_config, as expected:
$ ssh -v -p 50000 rl@a300
OpenSSH_6.7p1 Debian-6, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to a300 [192.168.1.12] port 50000.
debug1: Connection established.
debug1: identity file /home/michel/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michel/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5
debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA ae:48:3a:c7:07:5c:e5:6b:48:93:36:6f:34:26:54:3h
debug1: checking without port identifier
debug1: Host 'a300' is known and matches the RSA host key.
debug1: Found key in /home/michel/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/michel/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Authentication succeeded (publickey).
Authenticated to a300 ([192.168.1.12]:50000).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sat Jun 20 14:28:37 2015 from x220
* Then tried without the port set in sshd_config and was not able to
log in, as expected:
$ ssh -v rl@a300
OpenSSH_6.7p1 Debian-6, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to a300 [192.168.1.12] port 22.
debug1: connect to address 192.168.1.12 port 22: Connection refused
ssh: connect to host a300 port 22: Connection refused
Tested the above from two different machines several times, with the
same results each time.
After a reboot of the system, sshd does not start correctly: one can log in
without using the port set in sshd_config, which could be a security
risk, problematic, and plain annoying, having bots trying to log in.
Not sure if this is an openssh-server issue, a systemd issue or something
else, but reported it to openssh-server, since one can try logging in on the
default port, and also log in with proper credentials, even when a different
port is used in sshd_config.
Thank You,
Michel
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.56
ii dpkg 1.17.25
ii init-system-helpers 1.22
ii libc6 2.19-18
ii libcomerr2 1.42.12-1.1
ii libgssapi-krb5-2 1.12.1+dfsg-19
ii libkrb5-3 1.12.1+dfsg-19
ii libpam-modules 1.1.8-3.1
ii libpam-runtime 1.1.8-3.1
ii libpam0g 1.1.8-3.1
ii libselinux1 2.3-2
ii libssl1.0.0 1.0.1k-3+deb8u1
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian13+nmu1
ii openssh-client 1:6.7p1-5
ii openssh-sftp-server 1:6.7p1-5
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages openssh-server recommends:
ii ncurses-term 5.9+20140913-1
ii xauth 1:1.0.9-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
* ssh/use_old_init_script: true
ssh/disable_cr_auth: false
openssh-server/permit-root-login: false
ssh/encrypted_host_key_but_no_keygen:
ssh/vulnerable_host_keys:
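As an added check, not part of Michel's report or of the openssh-server package, a small POSIX shell script that detects the state described above: the systemd ssh.socket unit holding port 22 on sshd's behalf while sshd_config asks for a different port. The sshd_config excerpt and the Listen line (in the format printed by `systemctl show -p Listen ssh.socket`) are constructed samples; on a real host, feed it the real file and the real command output.

```shell
# Constructed sample inputs standing in for /etc/ssh/sshd_config and the
# output of `systemctl show -p Listen ssh.socket` (not taken from the report).
SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
#Port 22
Port 50000
ListenAddress 0.0.0.0'
SAMPLE_SOCKET_LISTEN='Listen=[::]:22 (Stream)'

# Ports sshd itself will bind when it starts: every uncommented "Port"
# directive (case-insensitive), or the default 22 if none is set.
sshd_config_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }'
}

# Ports the socket unit holds on sshd's behalf: the number after the last
# colon of each "Listen=<address>:<port> (Stream)" line.
socket_listen_ports() {
    sed -n 's/^Listen=\(.*\) (Stream)$/\1/p' | sed 's/.*://'
}

# Return 0 when every socket-unit port is also configured in sshd_config,
# else report each port that would answer with the wrong configuration
# (the port 22 / port 50000 mismatch seen after the reboot) and return 1.
check_port_drift() {   # $1 = sshd_config text, $2 = systemctl Listen output
    want=$(printf '%s\n' "$1" | sshd_config_ports)
    status=0
    for p in $(printf '%s\n' "$2" | socket_listen_ports); do
        case " $(printf '%s ' $want)" in
            *" $p "*) ;;
            *) echo "ssh.socket listens on port $p, which sshd_config does not use" >&2
               status=1 ;;
        esac
    done
    return $status
}

if check_port_drift "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SOCKET_LISTEN"; then
    echo "ssh.socket and sshd_config agree"
else
    echo "mismatch: restart ssh.service or disable ssh.socket so sshd binds the configured port"
fi
```

On a live Jessie host the same functions can be fed `cat /etc/ssh/sshd_config` and `systemctl show -p Listen ssh.socket` instead of the constructed samples.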