BTS bugs 778913 and 751636 - possible candidates for bpo



Hi - I've got a request from a customer who uses Jessie in their VMs
to see if I can get fixes for these into bpo:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778913
openssh-server: init (at least systemd) doesn't notice when sshd fails to start

and

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751636
ssh sessions are not cleanly terminated on shutdown/restart with systemd

The former has been fixed in 1:7.2p2-5, which is great - I've done a little
digging into the latter and think what's going on is the following:

 - If libpam-systemd (optional) is installed, and sshd is configured to
   use PAM (the default) then ssh logins are registered with logind
   and killed early enough that 751636 doesn't crop up.

 - If sshd is not hooked up to PAM, or common-session in PAM doesn't
   use libpam-systemd (it's optional there too in the default config)
   then ssh logins aren't managed this way, and live on past the network
   being deconfigured.

I've dealt with this in the attached debdiff by adding a systemd service
which is "After" network-online.target which reaps ssh login sessions
(but not the main sshd). This seems to deal with the problem described in
the bug, but does not kill ssh sessions when (for example) restarting
the network.

Would you be amenable to accepting the latter fix and uploading the
openssh package to bpo?

If you don't like the fix for the session termination timing, is
there a different approach that you would be more sanguine about?

diff -Nru openssh-7.2p2/debian/changelog openssh-7.2p2/debian/changelog
--- openssh-7.2p2/debian/changelog	2016-04-28 01:52:02.000000000 +0100
+++ openssh-7.2p2/debian/changelog	2016-05-25 18:08:20.000000000 +0100
@@ -1,3 +1,12 @@
+openssh (1:7.2p2-6) unstable; urgency=medium
+
+  * Add a session cleanup script and systemd unit file to trigger it.
+  * Terminates non-PAM ssh sessions cleanly (such sessions only occur
+    if libpam-systemd is not installed and/or sshd is configured not to
+    use PAM (closes: #751636)
+
+ -- Vivek Das Mohapatra <vivek@collabora.com>  Wed, 25 May 2016 18:08:19 +0100
+
 openssh (1:7.2p2-5) unstable; urgency=medium
 
   * Backport upstream patch to unbreak authentication using lone certificate
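Review bot: the second bullet of the new changelog entry never closes its parenthesis: "(such sessions only occur ... use PAM (closes: #751636)" opens two and closes one; "use PAM) (closes: #751636)" reads correctly and keeps the bug-closing marker on its own. Also, the entry is written for `unstable`, so the later upload to bpo will need its own entry with the backports distribution and a `~bpo` version suffix rather than reusing this one.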
diff -Nru openssh-7.2p2/debian/openssh-server.install openssh-7.2p2/debian/openssh-server.install
--- openssh-7.2p2/debian/openssh-server.install	2016-04-28 01:46:06.000000000 +0100
+++ openssh-7.2p2/debian/openssh-server.install	2016-05-25 18:49:31.000000000 +0100
@@ -9,8 +9,11 @@
 debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
 debian/systemd/ssh.socket lib/systemd/system
 debian/systemd/ssh@.service lib/systemd/system
+debian/systemd/ssh-cleanup.service lib/systemd/system
 debian/systemd/sshd.conf usr/lib/tmpfiles.d
 
+contrib/ssh-session-cleanup usr/lib/openssh
+
 # dh_apport would be neater, but at the time of writing it isn't in unstable
 # yet.
 debian/openssh-server.apport => usr/share/apport/package-hooks/openssh-server.py
diff -Nru openssh-7.2p2/debian/patches/series openssh-7.2p2/debian/patches/series
--- openssh-7.2p2/debian/patches/series	2016-04-28 01:46:10.000000000 +0100
+++ openssh-7.2p2/debian/patches/series	2016-05-25 17:35:05.000000000 +0100
@@ -27,3 +27,4 @@
 debian-config.patch
 CVE-2015-8325.patch
 unbreak-certificate-auth.patch
+terminate-non-pam-sessions-cleanly.patch
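Review bot: registering a quilt patch whose only content is a brand-new file under `contrib/` is an indirect way to ship a Debian-specific helper. Quilt patches do not carry file modes (which is why `debian/rules` needs the extra `chmod 0755` below), and the script would be simpler to maintain as `debian/ssh-session-cleanup`, installed through `openssh-server.install` the same way the unit under `debian/systemd/` already is, with no patch to rebase on the next upstream import.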
diff -Nru openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch
--- openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch	2016-05-25 17:36:13.000000000 +0100
@@ -0,0 +1,24 @@
+--- /dev/null
++++ b/contrib/ssh-session-cleanup
+@@ -0,0 +1,21 @@
++#!/bin/sh
++
++ssh_session_pattern='sshd:\ \S.*@pts/[0-9]+'
++
++IFS="$IFS@";
++pgrep -a -f "$ssh_session_pattern" | while read pid daemon user pty;
++do
++    echo "Found non-PAM ${daemon%:} session $pid on $pty, sending SIGTERM";
++done;
++
++pkill -f "$ssh_session_pattern";
++
++ecode=$?;
++
++if [ $ecode -eq 1 ];
++then
++    echo "No non-PAM ssh sessions found";
++    ecode=0;
++fi;
++
++exit $ecode;
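Review bot: the pattern `sshd:\ \S.*@pts/[0-9]+` only catches sessions that were allocated a pty; an authenticated session without one (scp/sftp, `ssh host command`, forwarding-only connections) carries the title `sshd: user@notty` and would be left running, so the hang the bug describes still reproduces for those. Matching `@(pts/[0-9]+|notty)` covers both forms. Two smaller points: `pgrep`/`pkill -f` applies an unanchored regex to every process's full command line, so anything whose argv merely contains such a string is matched too, and anchoring with `^sshd: ` narrows it to the process titles sshd actually sets; and since the script runs as root at shutdown, it would be worth logging the pids chosen (the loop already has them) before `pkill` rather than only the pty, so the journal shows what was signalled.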
diff -Nru openssh-7.2p2/debian/rules openssh-7.2p2/debian/rules
--- openssh-7.2p2/debian/rules	2016-04-28 01:46:06.000000000 +0100
+++ openssh-7.2p2/debian/rules	2016-05-25 17:50:34.000000000 +0100
@@ -215,6 +215,7 @@
 override_dh_systemd_enable:
 	dh_systemd_enable -popenssh-server --name ssh ssh.service
 	dh_systemd_enable -popenssh-server --name ssh --no-enable ssh.socket
+	dh_systemd_enable -popenssh-server --name ssh-cleanup ssh-cleanup.service
 
 override_dh_installinit:
 	dh_installinit -R --name ssh
@@ -232,6 +233,7 @@
 override_dh_fixperms-arch:
 	dh_fixperms
 	chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign
+	chmod 0755 debian/openssh-server/usr/lib/openssh/ssh-session-cleanup
 
 # Tighten libssl dependencies to match the check in entropy.c.
 override_dh_shlibdeps:
diff -Nru openssh-7.2p2/debian/systemd/ssh-cleanup.service openssh-7.2p2/debian/systemd/ssh-cleanup.service
--- openssh-7.2p2/debian/systemd/ssh-cleanup.service	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.2p2/debian/systemd/ssh-cleanup.service	2016-05-25 17:21:42.000000000 +0100
@@ -0,0 +1,13 @@
+[Unit]
+Description=OpenBSD Secure Shell Session Cleanup
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/bin/true
+ExecStop=/usr/lib/openssh/ssh-session-cleanup
+RemainAfterExit=yes
+Type=oneshot
+
+[Install]
+RequiredBy=multi-user.target
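Review bot: `RequiredBy=multi-user.target` is stronger than this helper warrants; with a Requires-type dependency a failure of ssh-cleanup.service to start is propagated to multi-user.target, whereas `WantedBy=multi-user.target` is the conventional choice for a cleanup unit and gives the same enablement. Separately, `Wants=network-online.target` pulls network-online.target into the boot transaction, and on hosts with a wait-online service that delays boot until the network is considered up; the `After=network-online.target` line alone already provides the shutdown ordering the changelog wants (this unit is stopped, and its ExecStop runs, before the network targets go down), so the `Wants=` line can be dropped. The `Type=oneshot` + `RemainAfterExit=yes` + `ExecStart=/bin/true` combination is the right shape for a stop-only unit.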

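As an added illustration of the process-title classification the cleanup script above relies on (example code written for this page, not part of the debdiff or of the openssh package): a POSIX sh classifier over constructed `pgrep -a -f`-style lines that separates the listener, the privsep helpers, interactive sessions (`user@pts/N`) and non-interactive sessions (`user@notty`), the last being the form the patch's pty-only pattern does not match. The process titles follow OpenSSH's own setproctitle conventions; the pids, user names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the debdiff or the openssh package.
# Classifies lines shaped like `pgrep -a -f sshd` output ("<pid> <argv...>")
# by OpenSSH's process titles, so a shutdown-time reaper can tell login
# sessions apart from the listener and the privilege-separation helpers.

# classify_sshd_line "<pid> <argv...>"  -> prints one word:
#   listener  the main daemon (a session reaper must leave it alone)
#   privsep   "[priv]" monitor / "[net]" pre-auth child of a connection
#   pty       authenticated interactive session: "sshd: user@pts/N"
#   notty     authenticated session without a pty: "sshd: user@notty"
#             (scp/sftp, remote commands, forwarding-only connections)
#   other     any other process, e.g. a grep whose argv merely contains
#             the string, which an unanchored `pkill -f` would also match
classify_sshd_line() {
    argv=${1#* }                    # drop the leading pid
    case $argv in
        "sshd: "*"@pts/"[0-9]*)               echo pty ;;
        "sshd: "*"@notty"*)                   echo notty ;;
        "sshd: "*" [priv]"|"sshd: "*" [net]") echo privsep ;;
        /usr/sbin/sshd*)                      echo listener ;;
        *)                                    echo other ;;
    esac
}

# session_pids "<pgrep output>" -> pids of authenticated sessions, one per
# line: the set a cleanup step would signal before the network goes down.
session_pids() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $(classify_sshd_line "$line") in
            pty|notty) printf '%s\n' "${line%% *}" ;;
        esac
    done
}

# Constructed sample (pids and names invented): one listener, one interactive
# login (monitor + session child), one scp transfer, one pre-auth connection,
# and an unrelated grep whose command line happens to contain a title.
SAMPLE_PGREP_OUTPUT='812 /usr/sbin/sshd -D
4101 sshd: alice [priv]
4107 sshd: alice@pts/0
4210 sshd: bob [priv]
4215 sshd: bob@notty
4300 sshd: unknown [net]
5000 grep sshd: alice@pts/0'

# Report what a reaper would see: with a pts-only pattern, 4215 (the notty
# session) is missed, while an unanchored -f match would also hit 5000.
printf '%s\n' "$SAMPLE_PGREP_OUTPUT" | while IFS= read -r line; do
    printf '%-8s %s\n' "$(classify_sshd_line "$line")" "$line"
done
```

Running the file prints one classified line per sample process; `session_pids "$SAMPLE_PGREP_OUTPUT"` yields 4107 and 4215, the two authenticated sessions, and nothing for the listener, the helpers or the grep.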