
Bug#865770: marked as done (openssh-server fails to validate configuration before reloading, under systemd)



Your message dated Sun, 19 Nov 2017 22:47:45 +0000
with message-id <E1eGYNN-000Epp-Nl@fasolo.debian.org>
and subject line Bug#865770: fixed in openssh 1:6.7p1-5+deb8u4
has caused the Debian Bug report #865770,
regarding openssh-server fails to validate configuration before reloading, under systemd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
865770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865770
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:6.7p1-5+deb8u3
Severity: important
Tags: patch jessie stretch sid

Dear maintainers,

The systemd units shipped as part of jessie, stretch and sid do not validate
the sshd_config file before proceeding with reloading or restarting the daemon.
(Note that reloading when the file contains invalid config makes sshd exit.)

As far as I can tell, the old initscripts have the correct behaviour,
so this is a systemd-specific regression.


Please find included a patch that makes `systemctl reload ssh` fail properly
when the configuration is invalid.

Unfortunately, systemd does not support validating configuration before
restarting a service, though an issue has been open for over 1.5 years:

    https://github.com/systemd/systemd/issues/2175


Given the severity of the issue (indeed, this can easily result in accidental
loss of administrative access, making the error quite difficult to fix),
please consider shipping the patch in the next point-release.

This was one of the causes of an outage at hashbang.sh, resulting in loss of
SSH access for all users and administrators.


Regards,

  kf


-- System Information:
Debian Release: 8.8
  APT prefers oldstable
  APT policy: (900, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.17.27
ii  init-system-helpers    1.22
ii  libc6                  2.19-18+deb8u10
ii  libcomerr2             1.42.12-2+b1
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libkrb5-3              1.12.1+dfsg-19+deb8u2
ii  libpam-modules         1.1.8-3.1+deb8u2
ii  libpam-runtime         1.1.8-3.1+deb8u2
ii  libpam0g               1.1.8-3.1+deb8u2
ii  libselinux1            2.3-2
ii  libssl1.0.0            1.0.1t-1+deb8u6
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13+nmu1
ii  openssh-client         1:6.7p1-5+deb8u3
ii  openssh-sftp-server    1:6.7p1-5+deb8u3
ii  procps                 2:3.3.9-9
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  6.0+20160625-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- Configuration Files:
/etc/pam.d/sshd changed:
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so dir=~/Mail standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password


-- debconf information excluded
diff --git i/debian/systemd/ssh.service w/debian/systemd/ssh.service
index 3df8c64..7351931 100644
--- i/debian/systemd/ssh.service
+++ w/debian/systemd/ssh.service
@@ -6,7 +6,7 @@ ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
 [Service]
 EnvironmentFile=-/etc/default/ssh
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
-ExecReload=/bin/kill -HUP $MAINPID
+ExecReload=/bin/sh -c '/usr/sbin/sshd -t && /bin/kill -HUP $MAINPID'
 KillMode=process
 Restart=on-failure
 RestartPreventExitStatus=255
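Review bot: the `sshd -t` on the new ExecReload= line tests the default configuration, while ExecStart= two lines above starts the daemon with `$SSHD_OPTS` from /etc/default/ssh; if those options carry `-f` or `-o`, the test checks a different configuration from the one the running sshd will re-read on HUP, so the gate can pass and the reload still kill the daemon. Passing the same options, `/usr/sbin/sshd -t $SSHD_OPTS`, keeps test and daemon in step. The /bin/sh wrapper is also unnecessary: systemd accepts several ExecReload= lines, runs them in order and stops at the first non-zero exit, so `ExecReload=/usr/sbin/sshd -t` followed by `ExecReload=/bin/kill -HUP $MAINPID` gives the same behaviour without a shell. ExecStart= in the context is still unguarded; an `ExecStartPre=/usr/sbin/sshd -t` would cover the restart case the report also names.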

--- End Message ---
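A drop-in that applies the same validate-then-signal gate to both start and reload, written here as an added example (it is not the reporter's patch and not the unit shipped by the Debian package). It assumes the shipped unit is named ssh.service and reads SSHD_OPTS from /etc/default/ssh, as the EnvironmentFile= line in the diff above shows; passing $SSHD_OPTS to the test is this example's own choice:

```ini
# /etc/systemd/system/ssh.service.d/validate-config.conf
# Added example drop-in (not Debian's unit). Create it by hand or with
# "systemctl edit ssh", then run "systemctl daemon-reload".
[Service]
# Refuse to (re)start with a configuration sshd cannot load: -t exits
# non-zero on a syntax error, an unknown or invalid option, or an unreadable
# host key. $SSHD_OPTS comes from EnvironmentFile=-/etc/default/ssh in the
# shipped unit, so any -f or -o overrides the daemon runs with are also seen
# by the test (passing SSHD_OPTS here is this example's assumption).
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS

# The empty assignment clears the ExecReload= inherited from the shipped unit
# (/bin/kill -HUP $MAINPID); the two lines below replace it. systemd runs
# multiple ExecReload= lines in order and aborts at the first non-zero exit,
# so the HUP is never delivered when the test fails and the running sshd
# keeps serving its last good configuration.
ExecReload=
ExecReload=/usr/sbin/sshd -t $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
```

With this in place, `systemctl reload ssh` reports a failed control process and leaves the daemon up when sshd_config is broken, instead of the daemon exiting as the report describes; the same check can be run by hand with `/usr/sbin/sshd -t`, which is silent and exits 0 on a valid file and prints the offending line otherwise. The check is static: -t validates syntax, option values and host keys but does not try to bind the listening sockets, so a port or address conflict still only shows up when sshd actually re-executes.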
--- Begin Message ---
Source: openssh
Source-Version: 1:6.7p1-5+deb8u4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 18 Nov 2017 10:56:29 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source amd64 all
Version: 1:6.7p1-5+deb8u4
Distribution: jessie
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 865770 873201
Changes:
 openssh (1:6.7p1-5+deb8u4) jessie; urgency=medium
 .
   * Test configuration before starting or reloading sshd under systemd
     (closes: #865770).
   * Make "--" before the hostname terminate argument processing after the
     hostname too (closes: #873201).
Checksums-Sha1:
 d0d499b91f65e4782c4664023ddfb135e1b2e028 2723 openssh_6.7p1-5+deb8u4.dsc
 70b6eafed91f78009d04d5b5390579d79fdaa998 151584 openssh_6.7p1-5+deb8u4.debian.tar.xz
 1d77925fa662f5d25eac37055b439fa65540eae5 692514 openssh-client_6.7p1-5+deb8u4_amd64.deb
 23a4092e567f89af42ba1e9aaebae4f1d410b947 331344 openssh-server_6.7p1-5+deb8u4_amd64.deb
 f26905cd1d45df17bd1b88d7ff74339a5c2b9cab 37914 openssh-sftp-server_6.7p1-5+deb8u4_amd64.deb
 6064c857d7b9a35bb3dc65e47147a1a754520891 119974 ssh_6.7p1-5+deb8u4_all.deb
 d5be9faefeee34c3bfeae838578c23e4de207c8f 119506 ssh-krb5_6.7p1-5+deb8u4_all.deb
 bc122485f886b3da155b5aeace7a44453c3e0eea 127604 ssh-askpass-gnome_6.7p1-5+deb8u4_amd64.deb
 e1044dffcfc934ea4654e197b51283d659ac1e61 258754 openssh-client-udeb_6.7p1-5+deb8u4_amd64.udeb
 2a31820af9544a419fba6ead213f6ce23ea40654 284912 openssh-server-udeb_6.7p1-5+deb8u4_amd64.udeb
Checksums-Sha256:
 4b71d7eb2291c096173e701113a3c56cbcc23e9a13d3ddec539518fa4a25dd8d 2723 openssh_6.7p1-5+deb8u4.dsc
 2523942c9a8472331a47ce8b34c9433fbea381bae8940821e3b378767a3c33f9 151584 openssh_6.7p1-5+deb8u4.debian.tar.xz
 c45c56351f304858c08d4c3ffa9f816f3f1731248b555ece2a40c52c57d6f4fb 692514 openssh-client_6.7p1-5+deb8u4_amd64.deb
 abf7c445c5ec4e58ea2e6528dd62dcefbae4cc609075dcf2c34e3e5e304536ff 331344 openssh-server_6.7p1-5+deb8u4_amd64.deb
 69fe2b1c5e2867d66d4ed95b45e93528c95c9e7481b6bb5c609ae83a397bfed3 37914 openssh-sftp-server_6.7p1-5+deb8u4_amd64.deb
 6fcd4decb6fc4a4dd8f819d395d60444d2c0a29324d6865621671c2942247a4e 119974 ssh_6.7p1-5+deb8u4_all.deb
 68760de7bd8d15fc4f77833a1ac3cc21984c29764deb3551f1fdced2596402d4 119506 ssh-krb5_6.7p1-5+deb8u4_all.deb
 cbdd81a680efe87a44e0c62326f3ec8c33fb720544d25e31acff5c44a6736fb3 127604 ssh-askpass-gnome_6.7p1-5+deb8u4_amd64.deb
 3c4eb402b84c66ecf95aa27695f671292e645d37964a5a75bdb039853437efcd 258754 openssh-client-udeb_6.7p1-5+deb8u4_amd64.udeb
 1d512782abafd68adcc8cd4b185adecc03b0fec81c870c357ebd116c408b0228 284912 openssh-server-udeb_6.7p1-5+deb8u4_amd64.udeb
Files:
 9343c85cdcd21d6124575cdf8b0c0937 2723 net standard openssh_6.7p1-5+deb8u4.dsc
 c94a4f2cf4698223bbaafb5525a898c1 151584 net standard openssh_6.7p1-5+deb8u4.debian.tar.xz
 14e5e89655c03ed51a690aa2151f4f57 692514 net standard openssh-client_6.7p1-5+deb8u4_amd64.deb
 5c9fc8c2f002582c59a2588e41d3b528 331344 net optional openssh-server_6.7p1-5+deb8u4_amd64.deb
 642eef8901b30dae57181940d73ea05b 37914 net optional openssh-sftp-server_6.7p1-5+deb8u4_amd64.deb
 58fa7b34c67104dd7d63745d97c03b25 119974 net extra ssh_6.7p1-5+deb8u4_all.deb
 62906c0f0f282ea7e6f87e13a42660c3 119506 oldlibs extra ssh-krb5_6.7p1-5+deb8u4_all.deb
 c5280fcec263d444bda7db44d6c3f173 127604 gnome optional ssh-askpass-gnome_6.7p1-5+deb8u4_amd64.deb
 ca805ef17e6caa689a220f4f38f6c703 258754 debian-installer optional openssh-client-udeb_6.7p1-5+deb8u4_amd64.udeb
 6521d6d9e623a91de192e48227fcc9e1 284912 debian-installer optional openssh-server-udeb_6.7p1-5+deb8u4_amd64.udeb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
