
Bug#865770: marked as done (openssh-server fails to validate configuration before reloading, under systemd)



Your message dated Sat, 18 Nov 2017 21:32:08 +0000
with message-id <E1eGAie-000HKF-Jv@fasolo.debian.org>
and subject line Bug#865770: fixed in openssh 1:7.4p1-10+deb9u2
has caused the Debian Bug report #865770,
regarding openssh-server fails to validate configuration before reloading, under systemd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
865770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865770
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:6.7p1-5+deb8u3
Severity: important
Tags: patch jessie stretch sid

Dear maintainers,

The systemd units shipped as part of jessie, stretch and sid do not validate
the sshd_config file before proceeding with reloading or restarting the daemon.
(Note that reloading when the file contains invalid config makes sshd exit.)

As far as I can tell, the old initscripts have the correct behaviour,
so this is a systemd-specific regression.


Please find included a patch that makes `systemctl reload ssh` fail properly
when the configuration is invalid.

Unfortunately, systemd does not support validating configuration before
restarting a service, though an issue has been open for over 1.5 years:

    https://github.com/systemd/systemd/issues/2175


Given the severity of the issue (indeed, this can easily result in accidental
loss of administrative access, making the error quite difficult to fix),
please consider shipping the patch in the next point-release.

This was one of the causes of an outage at hashbang.sh, resulting in loss of
SSH access for all users and administrators.


Regards,

  kf


-- System Information:
Debian Release: 8.8
  APT prefers oldstable
  APT policy: (900, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.17.27
ii  init-system-helpers    1.22
ii  libc6                  2.19-18+deb8u10
ii  libcomerr2             1.42.12-2+b1
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libkrb5-3              1.12.1+dfsg-19+deb8u2
ii  libpam-modules         1.1.8-3.1+deb8u2
ii  libpam-runtime         1.1.8-3.1+deb8u2
ii  libpam0g               1.1.8-3.1+deb8u2
ii  libselinux1            2.3-2
ii  libssl1.0.0            1.0.1t-1+deb8u6
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13+nmu1
ii  openssh-client         1:6.7p1-5+deb8u3
ii  openssh-sftp-server    1:6.7p1-5+deb8u3
ii  procps                 2:3.3.9-9
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  6.0+20160625-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- Configuration Files:
/etc/pam.d/sshd changed:
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so dir=~/Mail standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password


-- debconf information excluded
diff --git i/debian/systemd/ssh.service w/debian/systemd/ssh.service
index 3df8c64..7351931 100644
--- i/debian/systemd/ssh.service
+++ w/debian/systemd/ssh.service
@@ -6,7 +6,7 @@ ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
 [Service]
 EnvironmentFile=-/etc/default/ssh
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
-ExecReload=/bin/kill -HUP $MAINPID
+ExecReload=/bin/sh -c '/usr/sbin/sshd -t && /bin/kill -HUP $MAINPID'
 KillMode=process
 Restart=on-failure
 RestartPreventExitStatus=255
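Review bot: the new ExecReload test step does not receive the options the server was started with: ExecStart runs `/usr/sbin/sshd -D $SSHD_OPTS`, so if /etc/default/ssh sets SSHD_OPTS to point at another config file the reload validates the default /etc/ssh/sshd_config rather than the one the running daemon loaded; suggest `/usr/sbin/sshd -t $SSHD_OPTS` inside the new line. As a style point the `/bin/sh -c '... && ...'` wrapper is avoidable: systemd runs several ExecReload= lines in order and marks the reload failed at the first non-zero exit, so `ExecReload=/usr/sbin/sshd -t $SSHD_OPTS` followed by `ExecReload=/bin/kill -HUP $MAINPID` gives the same guard without a shell. Note also that the hunk only guards reload; ExecStart is unchanged, so a restart with a broken config still fails after the old daemon is already gone, and an `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` line would at least surface the parse error in the unit status rather than in a dead listener.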

--- End Message ---
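An added example, not code from the bug report or from the openssh package: a small Python audit that parses a unit file's [Service] lines and checks the property the patch is after, namely that the reload sequence runs `sshd -t` and only then sends `kill -HUP`. It also reports whether ExecStartPre validates and whether the test step receives `$SSHD_OPTS` like ExecStart does. ORIGINAL_UNIT and PATCHED_UNIT are constructed from the [Service] lines visible in the hunk; TWO_LINE_UNIT and SEMICOLON_UNIT are hypothetical variants, and all function names are mine.

```python
"""Audit a systemd service unit for reload-without-validation.

Added example, not part of the bug report or the openssh package. The unit
texts are constructed from the [Service] lines shown in the hunk, plus two
hypothetical variants, so the audit runs offline.
"""
import shlex

ORIGINAL_UNIT = """\
[Unit]
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
"""

# The reporter's patch: validation chained into one shell command.
PATCHED_UNIT = ORIGINAL_UNIT.replace(
    "ExecReload=/bin/kill -HUP $MAINPID",
    "ExecReload=/bin/sh -c '/usr/sbin/sshd -t && /bin/kill -HUP $MAINPID'",
)

# Hypothetical variant without a shell: systemd runs several ExecReload=
# lines in order and stops at the first failure. The test step also gets
# $SSHD_OPTS so it checks the same config ExecStart uses.
TWO_LINE_UNIT = ORIGINAL_UNIT.replace(
    "ExecReload=/bin/kill -HUP $MAINPID",
    "ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS\n"
    "ExecReload=/usr/sbin/sshd -t $SSHD_OPTS\n"
    "ExecReload=/bin/kill -HUP $MAINPID",
)

# Constructed anti-pattern: ';' does not abort on failure, so sshd would
# still receive HUP with a broken config.
SEMICOLON_UNIT = ORIGINAL_UNIT.replace(
    "ExecReload=/bin/kill -HUP $MAINPID",
    "ExecReload=/bin/sh -c '/usr/sbin/sshd -t; /bin/kill -HUP $MAINPID'",
)


def parse_unit(text):
    """Return (section, key, value) triples in file order. Repeated keys are
    kept (configparser would merge them); comments and blank lines are skipped."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip()))
    return entries


def service_values(entries, key):
    """Values of one [Service] key, in order, minus systemd's prefix characters."""
    return [v.lstrip("-@:+!") for s, k, v in entries if s == "Service" and k == key]


def expand_steps(value):
    """Turn one Exec*= value into the commands it really runs. Only
    'sh -c "a && b"' chaining is unpacked; any other shell operator leaves the
    command as one opaque step, which deliberately matches no check below."""
    argv = shlex.split(value)
    if len(argv) == 3 and argv[0].rsplit("/", 1)[-1] in ("sh", "bash", "dash") and argv[1] == "-c":
        inner = argv[2]
        if not any(op in inner for op in (";", "|")):
            return [shlex.split(part) for part in inner.split("&&")]
    return [argv]


def is_config_test(argv):
    """sshd -t (test mode), with any path prefix."""
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "sshd" and "-t" in argv[1:]


def sends_hup(argv):
    """kill -HUP / -SIGHUP / -1 / -s HUP, with any path prefix."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "kill":
        return False
    return any(a.lstrip("-").upper() in ("HUP", "SIGHUP", "1") for a in argv[1:])


def audit(unit_text):
    """Three findings: is HUP only sent after a successful sshd -t, does
    ExecStartPre validate, and do all test steps receive $SSHD_OPTS when
    ExecStart uses it."""
    entries = parse_unit(unit_text)
    reload_seq = [s for v in service_values(entries, "ExecReload") for s in expand_steps(v)]
    startpre = [s for v in service_values(entries, "ExecStartPre") for s in expand_steps(v)]

    validated, hup_seen, reload_ok = False, False, True
    for step in reload_seq:
        if is_config_test(step):
            validated = True
        elif sends_hup(step):
            hup_seen = True
            if not validated:
                reload_ok = False

    tests = [s for s in reload_seq + startpre if is_config_test(s)]
    opts_needed = any("$SSHD_OPTS" in v for v in service_values(entries, "ExecStart"))
    return {
        "reload_validates": reload_ok and validated and hup_seen,
        "startpre_validates": any(is_config_test(s) for s in startpre),
        "test_uses_sshd_opts": bool(tests) and (not opts_needed or all("$SSHD_OPTS" in s for s in tests)),
    }


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_UNIT), ("patched", PATCHED_UNIT),
                       ("two-line", TWO_LINE_UNIT), ("semicolon", SEMICOLON_UNIT)]:
        print(f"{name:10} {audit(text)}")
```

The audit is conservative on purpose: a reload wrapped in a shell with `;` or a pipe is not understood and so never counts as validated, and a unit whose test step drops `$SSHD_OPTS` is flagged even though its reload does validate something, because it may be validating a different file from the one the running daemon loaded.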
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-10+deb9u2

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 18 Nov 2017 09:37:22 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.4p1-10+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 865770 873201 877800
Changes:
 openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
 .
   * Test configuration before starting or reloading sshd under systemd
     (closes: #865770).
   * Adjust compatibility patterns for WinSCP to correctly identify versions
     that implement only the legacy DH group exchange scheme (closes:
     #877800).
   * Make "--" before the hostname terminate argument processing after the
     hostname too (closes: #873201).
Checksums-Sha1:
 46c6f918c4327b76bccf708cb17f078eefa24494 2924 openssh_7.4p1-10+deb9u2.dsc
 6daedbfc85b992a406642ceed5d28ba03d8946c8 162256 openssh_7.4p1-10+deb9u2.debian.tar.xz
 a17e64964ba0d7882ae4238869ce8ea601736ca7 14817 openssh_7.4p1-10+deb9u2_source.buildinfo
Checksums-Sha256:
 450e7daae7dd4e354e80c1d2ea9228e744950ffebce51d0d75fe937be7f54301 2924 openssh_7.4p1-10+deb9u2.dsc
 023c2277db76405b85262e05255cd9782b5634dbd861e4ea455872a6da195abe 162256 openssh_7.4p1-10+deb9u2.debian.tar.xz
 b328e90f47bd122b83fb21bb98ec369db4394de02008ad9349da3e0b1b85d613 14817 openssh_7.4p1-10+deb9u2_source.buildinfo
Files:
 f9a6ea5b78288b85aaeb88973e14a642 2924 net standard openssh_7.4p1-10+deb9u2.dsc
 deab53428f04ccc029e69ccdb8e3e208 162256 net standard openssh_7.4p1-10+deb9u2.debian.tar.xz
 94443afcdfd7369ec9bb8e49584963ae 14817 net standard openssh_7.4p1-10+deb9u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
