--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh-server fails to validate configuration before reloading, under systemd
- From: Keller Fuchs <kellerfuchs@hashbang.sh>
- Date: Sat, 24 Jun 2017 16:51:21 +0000
- Message-id: <20170624165121.6678.96086.reportbug@to1.hashbang.sh>
Package: openssh-server
Version: 1:6.7p1-5+deb8u3
Severity: important
Tags: patch jessie stretch sid
Dear maintainers,
The systemd units shipped as part of jessie, stretch and sid do not validate
the sshd_config file before proceeding with reloading or restarting the daemon.
(Note that reloading when the file contains invalid config makes sshd exit.)
As far as I can tell, the old initscripts have the correct behaviour,
so this is a systemd-specific regression.
Please find included a patch that makes `systemctl reload ssh` fail properly
when the configuration is invalid.
Unfortunately, systemd does not support validating configuration before
restarting a service, though an issue has been open for over 1.5 years:
https://github.com/systemd/systemd/issues/2175
Given the severity of the issue (indeed, this can easily result in accidental
loss of administrative access, making the error quite difficult to fix),
please consider shipping the patch in the next point-release.
This was one of the causes of an outage at hashbang.sh, resulting in loss of
SSH access for all users and administrators.
Regards,
kf
-- System Information:
Debian Release: 8.8
APT prefers oldstable
APT policy: (900, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.56
ii dpkg 1.17.27
ii init-system-helpers 1.22
ii libc6 2.19-18+deb8u10
ii libcomerr2 1.42.12-2+b1
ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u2
ii libkrb5-3 1.12.1+dfsg-19+deb8u2
ii libpam-modules 1.1.8-3.1+deb8u2
ii libpam-runtime 1.1.8-3.1+deb8u2
ii libpam0g 1.1.8-3.1+deb8u2
ii libselinux1 2.3-2
ii libssl1.0.0 1.0.1t-1+deb8u6
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian13+nmu1
ii openssh-client 1:6.7p1-5+deb8u3
ii openssh-sftp-server 1:6.7p1-5+deb8u3
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages openssh-server recommends:
ii ncurses-term 6.0+20160625-1
ii xauth 1:1.0.9-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- Configuration Files:
/etc/pam.d/sshd changed:
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so dir=~/Mail standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
-- debconf information excluded
diff --git i/debian/systemd/ssh.service w/debian/systemd/ssh.service
index 3df8c64..7351931 100644
--- i/debian/systemd/ssh.service
+++ w/debian/systemd/ssh.service
@@ -6,7 +6,7 @@ ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
-ExecReload=/bin/kill -HUP $MAINPID
+ExecReload=/bin/sh -c '/usr/sbin/sshd -t && /bin/kill -HUP $MAINPID'
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
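Review bot: the `/usr/sbin/sshd -t` in the new ExecReload line tests the default /etc/ssh/sshd_config, but ExecStart two lines above launches the daemon with `$SSHD_OPTS` from /etc/default/ssh, so a `-f` or `-o` in SSHD_OPTS makes the pre-check validate a different configuration than the one the running daemon re-reads on SIGHUP. Pass the same options through: `ExecReload=/bin/sh -c '/usr/sbin/sshd -t $SSHD_OPTS && /bin/kill -HUP $MAINPID'`. The start path in this hunk stays unguarded; an `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` would at least make `systemctl restart ssh` fail with the parse error instead of a daemon that exits on launch, though it cannot keep the old daemon alive once systemd has already stopped it.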
--- End Message ---
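An added example, not the reporter's patch and not anything shipped in the Debian openssh package: a POSIX sh wrapper that does what the patched ExecReload line does, but passes the daemon's own $SSHD_OPTS to `sshd -t` and applies the same pre-check before a restart, so a broken sshd_config is rejected before any signal or `systemctl restart` reaches the running daemon. Assumptions are labelled in the comments: an SSHD variable that overrides the binary path (used only so the functions can be exercised against a stub), /run/sshd.pid as the daemon's default pid file, and MAINPID being exported by systemd when the script runs from an Exec* line.

```shell
#!/bin/sh
# Added example (not from the bug report or the openssh package): validate
# sshd's configuration with the same options the daemon was started with,
# and only signal the running daemon once the test passes.
#
# Assumptions: SSHD may override the binary path (for testing); /run/sshd.pid
# is the default PidFile on Debian; MAINPID is exported by systemd when this
# runs from an ExecReload= line.

# sshd_config_errors [OPTS...]
# Runs `sshd -t` with the given options (typically the words of $SSHD_OPTS),
# prints sshd's diagnostics on stdout and returns sshd's exit status.
sshd_config_errors() {
    "${SSHD:-/usr/sbin/sshd}" -t "$@" 2>&1
}

# safe_reload PID [OPTS...]
# Returns 0 when the configuration is valid and SIGHUP was sent,
# 1 when the configuration is invalid (the daemon is left untouched),
# 2 when there is no live process with that pid.
safe_reload() {
    _pid="$1"; shift
    if ! _errors=$(sshd_config_errors "$@"); then
        printf 'refusing to reload sshd: configuration test failed\n%s\n' "$_errors" >&2
        return 1
    fi
    if ! kill -0 "$_pid" 2>/dev/null; then
        printf 'no running sshd with pid %s\n' "$_pid" >&2
        return 2
    fi
    kill -HUP "$_pid"
}

# safe_restart [OPTS...]
# Same pre-check before `systemctl restart ssh`: a bad configuration is
# rejected while the old daemon is still running, which a plain
# `systemctl restart` does not guarantee.
safe_restart() {
    if ! _errors=$(sshd_config_errors "$@"); then
        printf 'refusing to restart sshd: configuration test failed\n%s\n' "$_errors" >&2
        return 1
    fi
    systemctl restart ssh
}

# Command-line use:  safe-sshd.sh reload | restart
# $SSHD_OPTS is deliberately unquoted so it splits into separate words,
# exactly as ExecStart=/usr/sbin/sshd -D $SSHD_OPTS does.
case "${1:-}" in
    reload)
        [ -r /etc/default/ssh ] && . /etc/default/ssh
        safe_reload "${MAINPID:-$(cat /run/sshd.pid)}" $SSHD_OPTS ;;
    restart)
        [ -r /etc/default/ssh ] && . /etc/default/ssh
        safe_restart $SSHD_OPTS ;;
esac
```

Run as `safe-sshd.sh reload` from a shell, or point a unit drop-in's ExecReload at it; either way the daemon is only signalled after `sshd -t` has accepted the same configuration and options it is running with, and a failing test leaves the existing sessions and listener untouched.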
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-10+deb9u2
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 865770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 18 Nov 2017 09:37:22 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.4p1-10+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - secure shell (SSH) client, for secure access to remote machines
openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 865770 873201 877800
Changes:
openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
.
* Test configuration before starting or reloading sshd under systemd
(closes: #865770).
* Adjust compatibility patterns for WinSCP to correctly identify versions
that implement only the legacy DH group exchange scheme (closes:
#877800).
* Make "--" before the hostname terminate argument processing after the
hostname too (closes: #873201).
Checksums-Sha1:
46c6f918c4327b76bccf708cb17f078eefa24494 2924 openssh_7.4p1-10+deb9u2.dsc
6daedbfc85b992a406642ceed5d28ba03d8946c8 162256 openssh_7.4p1-10+deb9u2.debian.tar.xz
a17e64964ba0d7882ae4238869ce8ea601736ca7 14817 openssh_7.4p1-10+deb9u2_source.buildinfo
Checksums-Sha256:
450e7daae7dd4e354e80c1d2ea9228e744950ffebce51d0d75fe937be7f54301 2924 openssh_7.4p1-10+deb9u2.dsc
023c2277db76405b85262e05255cd9782b5634dbd861e4ea455872a6da195abe 162256 openssh_7.4p1-10+deb9u2.debian.tar.xz
b328e90f47bd122b83fb21bb98ec369db4394de02008ad9349da3e0b1b85d613 14817 openssh_7.4p1-10+deb9u2_source.buildinfo
Files:
f9a6ea5b78288b85aaeb88973e14a642 2924 net standard openssh_7.4p1-10+deb9u2.dsc
deab53428f04ccc029e69ccdb8e3e208 162256 net standard openssh_7.4p1-10+deb9u2.debian.tar.xz
94443afcdfd7369ec9bb8e49584963ae 14817 net standard openssh_7.4p1-10+deb9u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---