Bug#791638: openssh-server: Comment lines breaking configuration; 'match user' block being broken by comment lines

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#791638: openssh-server: Comment lines breaking configuration; 'match user' block being broken by comment lines
From: Jesse Molina <jesse@opendreams.net>
Date: Mon, 06 Jul 2015 18:47:38 -0700
Message-id: <[🔎] 20150707014738.17166.89328.reportbug@paran.lan>
Reply-to: Jesse Molina <jesse@opendreams.net>, 791638@bugs.debian.org

Package: openssh-server
Version: 1:6.7p1-6
Severity: normal

Since yesterday I have been experimenting with strange sshd_config behavior. After testing extensively, I believe that comment lines are somehow breaking my configuration.

My sshd_config is below:

--

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
# LogLevel INFO
LogLevel DEBUG3

# Authentication:
LoginGraceTime 120
# PermitRootLogin without-password
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# --

# Process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
#DenyUsers
#AllowUsers
#DenyGroups
AllowGroups root users


ClientAliveInterval 15
ClientAliveCountMax 8

PermitOpen none

match group root, group users
	PermitOpen any

match user badtouch
 	PermitOpen none
	AuthenticationMethods publickey
	AllowTcpForwarding no
	PermitTunnel no
	GatewayPorts no
# X11Forwarding no
# AllowAgentForwarding no
# PermitTTY no
# ForceCommand echo nope

# foo

# bar


--

In this condition, the baduser user is not able to log in/authenticate and ssh client exits 255.

However, if we delete the lines under "GatewayPorts no" the user is then able to log in and execute commands.

I strongly suspect there is something wrong with the "match" block config interpreter. I am having other problems with match blocks on another host, very similar to bug 629853. 

Debugging output indicates there is definitely something stopping the interpreter. There is a clear differnce in debug output when the comment lines at the end of the file are removed.


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.18.1
ii  init-system-helpers    1.23
ii  libc6                  2.19-18
ii  libcomerr2             1.42.13-1
ii  libgssapi-krb5-2       1.13.2+dfsg-2
ii  libkrb5-3              1.13.2+dfsg-2
ii  libpam-modules         1.1.8-3.1
ii  libpam-runtime         1.1.8-3.1
ii  libpam0g               1.1.8-3.1
ii  libselinux1            2.3-2+b1
ii  libssl1.0.0            1.0.2c-1
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13+nmu1
ii  openssh-client         1:6.7p1-6
ii  openssh-sftp-server    1:6.7p1-6
ii  procps                 2:3.3.10-2
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  5.9+20150516-2
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
ii  molly-guard   0.5.1-1
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf-show failed

Reply to:

Prev by Date: Bug#751636: ssh sessions are not cleanly terminated on shutdown/restart with systemd
Next by Date: Bug#791638: update bug 791638
Previous by thread: squeeze update of openssh?
Next by thread: Bug#791638: update bug 791638
Index(es):
- Date
- Thread