BTS bugs 778913 and 751636 - possible candidates for bpo
Hi - I've got a request from a customer who uses Jessie in their VMs
to see if I can get fixes for these into bpo:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778913
openssh-server: init (at least systemd) doesn't notice when sshd fails to start
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751636
ssh sessions are not cleanly terminated on shutdown/restart with systemd
The former has been fixed in 1:7.2p2-5, which is great - I've done a little
digging into the latter and think what's going on is the following:
- If libpam-systemd (optional) is installed, and sshd is configured to
use PAM (the default) then ssh logins are registered with logind
and killed early enough that 751636 doesn't crop up.
- If sshd is not hooked up to PAM, or common-session in PAM doesn't
use libpam-systemd (it's optional there too in the default config)
then ssh logins aren't managed this way, and live on past the network
being deconfigured.
I've dealt with this in the attached debdiff by adding a systemd service
which is "After" network-online.target which reaps ssh login sessions
(but not the main sshd). This seems to deal with the problem described in
the bug, but does not kill ssh sessions when (for example) restarting
the network.
Would you be amenable to accepting the latter fix and uploading the
openssh package to bpo?
If you don't like the fix for the session termination timing, is
there a different approach that you would be more sanguine about?
diff -Nru openssh-7.2p2/debian/changelog openssh-7.2p2/debian/changelog
--- openssh-7.2p2/debian/changelog 2016-04-28 01:52:02.000000000 +0100
+++ openssh-7.2p2/debian/changelog 2016-05-25 18:08:20.000000000 +0100
@@ -1,3 +1,12 @@
+openssh (1:7.2p2-6) unstable; urgency=medium
+
+ * Add a session cleanup script and systemd unit file to trigger it.
+ * Terminates non-PAM ssh sessions cleanly (such sessions only occur
+ if libpam-systemd is not installed and/or sshd is configured not to
+ use PAM (closes: #751636)
+
+ -- Vivek Das Mohapatra <vivek@collabora.com> Wed, 25 May 2016 18:08:19 +0100
+
openssh (1:7.2p2-5) unstable; urgency=medium
* Backport upstream patch to unbreak authentication using lone certificate
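Review bot: the second bullet of the new changelog entry has an unbalanced parenthesis: "(such sessions only occur if libpam-systemd is not installed and/or sshd is configured not to use PAM (closes: #751636)" opens two parentheses and closes only one, so a ")" is missing before "(closes: #751636)". The entry also targets "unstable" while the covering mail asks for a jessie-backports upload; a backport would need its own versioned entry, so it is worth stating whether this debdiff is meant for unstable first.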
diff -Nru openssh-7.2p2/debian/openssh-server.install openssh-7.2p2/debian/openssh-server.install
--- openssh-7.2p2/debian/openssh-server.install 2016-04-28 01:46:06.000000000 +0100
+++ openssh-7.2p2/debian/openssh-server.install 2016-05-25 18:49:31.000000000 +0100
@@ -9,8 +9,11 @@
debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
debian/systemd/ssh.socket lib/systemd/system
debian/systemd/ssh@.service lib/systemd/system
+debian/systemd/ssh-cleanup.service lib/systemd/system
debian/systemd/sshd.conf usr/lib/tmpfiles.d
+contrib/ssh-session-cleanup usr/lib/openssh
+
# dh_apport would be neater, but at the time of writing it isn't in unstable
# yet.
debian/openssh-server.apport => usr/share/apport/package-hooks/openssh-server.py
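Review bot: the extra blank line added after "contrib/ssh-session-cleanup usr/lib/openssh" should be dropped. More substantively, the script is installed from contrib/, a path that only exists because a quilt patch in the series creates it; a Debian-specific helper normally lives under debian/ (as debian/systemd/ssh-cleanup.service already does) and is listed from there, which avoids patching the upstream tree to add a packaging file and keeps the executable bit, since quilt patches do not carry file modes.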
diff -Nru openssh-7.2p2/debian/patches/series openssh-7.2p2/debian/patches/series
--- openssh-7.2p2/debian/patches/series 2016-04-28 01:46:10.000000000 +0100
+++ openssh-7.2p2/debian/patches/series 2016-05-25 17:35:05.000000000 +0100
@@ -27,3 +27,4 @@
debian-config.patch
CVE-2015-8325.patch
unbreak-certificate-auth.patch
+terminate-non-pam-sessions-cleanly.patch
diff -Nru openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch
--- openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch 2016-05-25 17:36:13.000000000 +0100
@@ -0,0 +1,24 @@
+--- /dev/null
++++ b/contrib/ssh-session-cleanup
+@@ -0,0 +1,21 @@
++#!/bin/sh
++
++ssh_session_pattern='sshd:\ \S.*@pts/[0-9]+'
++
++IFS="$IFS@";
++pgrep -a -f "$ssh_session_pattern" | while read pid daemon user pty;
++do
++ echo "Found non-PAM ${daemon%:} session $pid on $pty, sending SIGTERM";
++done;
++
++pkill -f "$ssh_session_pattern";
++
++ecode=$?;
++
++if [ $ecode -eq 1 ];
++then
++ echo "No non-PAM ssh sessions found";
++ ecode=0;
++fi;
++
++exit $ecode;
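Review bot: the pattern 'sshd:\ \S.*@pts/[0-9]+' only matches sessions that were given a pty, so sessions without one (scp, sftp, "ssh -N" port forwards), which sshd labels "sshd: user@notty", are neither listed nor terminated and will still outlive the network; matching "@(pts/[0-9]+|notty)" would cover them. Two smaller points: "\S" and the escaped space are GNU regex extensions rather than POSIX ERE (the space needs no escaping), and the pgrep listing and the pkill are two separate passes over the process table, so the "Found ... sending SIGTERM" lines can name a process that has already gone or miss one that appeared in between; capturing the pgrep output once and killing those pids keeps the log and the action consistent.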
diff -Nru openssh-7.2p2/debian/rules openssh-7.2p2/debian/rules
--- openssh-7.2p2/debian/rules 2016-04-28 01:46:06.000000000 +0100
+++ openssh-7.2p2/debian/rules 2016-05-25 17:50:34.000000000 +0100
@@ -215,6 +215,7 @@
override_dh_systemd_enable:
dh_systemd_enable -popenssh-server --name ssh ssh.service
dh_systemd_enable -popenssh-server --name ssh --no-enable ssh.socket
+ dh_systemd_enable -popenssh-server --name ssh-cleanup ssh-cleanup.service
override_dh_installinit:
dh_installinit -R --name ssh
@@ -232,6 +233,7 @@
override_dh_fixperms-arch:
dh_fixperms
chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign
+ chmod 0755 debian/openssh-server/usr/lib/openssh/ssh-session-cleanup
# Tighten libssl dependencies to match the check in entropy.c.
override_dh_shlibdeps:
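Review bot: the "chmod 0755" is only needed because the script arrives through a quilt patch, which cannot record the executable bit; if the script were shipped as a file under debian/ with its mode set in the source tree, dh_install would preserve it and this override line could go. If it stays, a short comment above the chmod saying why it exists would stop a later maintainer from removing it.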
diff -Nru openssh-7.2p2/debian/systemd/ssh-cleanup.service openssh-7.2p2/debian/systemd/ssh-cleanup.service
--- openssh-7.2p2/debian/systemd/ssh-cleanup.service 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.2p2/debian/systemd/ssh-cleanup.service 2016-05-25 17:21:42.000000000 +0100
@@ -0,0 +1,13 @@
+[Unit]
+Description=OpenBSD Secure Shell Session Cleanup
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/bin/true
+ExecStop=/usr/lib/openssh/ssh-session-cleanup
+RemainAfterExit=yes
+Type=oneshot
+
+[Install]
+RequiredBy=multi-user.target
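Review bot: "RequiredBy=multi-user.target" in [Install] makes multi-user.target depend hard on this unit; the conventional "WantedBy=multi-user.target" is enough for a cleanup hook and does not risk failing the target. "Wants=network-online.target" also pulls network-online.target into every boot, which on systems with a wait-online service delays reaching multi-user.target; "After=network-online.target" on its own already gives the ordering the fix needs (the unit is stopped, and ExecStop run, before the network is torn down) without that cost. The ExecStart=/bin/true plus Type=oneshot plus RemainAfterExit=yes combination is the usual stop-only pattern and is fine, though a one-line comment in the unit saying that the work happens in ExecStop would help the next reader.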
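As an added example, not part of the mail or the debdiff above: a POSIX sh function that picks sshd per-session processes out of `pgrep -a -f`-style output, covering both the "user@pts/N" form the patch's pattern matches and the "user@notty" form it does not (scp, sftp and port-forwarding sessions), so a cleanup hook can account for every session that would outlive the network. The pgrep output is constructed inline; the pids and user names are made up.

```shell
#!/bin/sh
# Added example: classify sshd session processes from `pgrep -a -f sshd`
# style lines (pid followed by the command line). Sessions without a pty
# appear as "sshd: user@notty", which a pts-only regex leaves running.

# Constructed sample of `pgrep -a -f sshd` output (pids and names invented).
SAMPLE='812 /usr/sbin/sshd -D
2231 sshd: alice [priv]
2240 sshd: alice@pts/0
2305 sshd: bob [priv]
2310 sshd: bob@notty
2400 sshd: [accepted]'

# Read pgrep-style lines on stdin; print "pid user endpoint" for each
# session process. The listener, the privileged monitors ("[priv]") and
# connections still authenticating ("[accepted]") carry no "@" and are skipped.
ssh_sessions() {
    while IFS= read -r line; do
        case "$line" in
            *' sshd: '*@pts/*|*' sshd: '*@notty)
                pid=${line%% *}              # leading pid
                rest=${line#*" sshd: "}      # "user@pts/0" or "user@notty"
                user=${rest%%@*}
                endpoint=${rest#*@}
                printf '%s %s %s\n' "$pid" "$user" "$endpoint"
                ;;
        esac
    done
}

# Only the pids, one per line: the list a kill loop would consume.
ssh_session_pids() {
    ssh_sessions | while read -r pid user endpoint; do
        printf '%s\n' "$pid"
    done
}

# Number of sessions with no pty, i.e. those a pts-only pattern would miss.
ssh_notty_count() {
    ssh_sessions | grep -c ' notty$' || true
}

# Demo on the constructed sample when run directly.
printf '%s\n' "$SAMPLE" | ssh_sessions
```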