Bug#942100: openssh-server: /etc/ssh/sshd_config unconditionally overwritten by update
Package: openssh-server
Version: 1:7.9p1-10+deb10u1
Severity: important

Hi,

this just bit me on current stable (Buster) while updating from the
security repo:

The following packages will be upgraded:
openssh-client (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
openssh-server (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
openssh-sftp-server (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1.178 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://security.debian.org/debian-security buster/updates/main amd64
openssh-sftp-server amd64 1:7.9p1-10+deb10u1 [44,6 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64
openssh-server amd64 1:7.9p1-10+deb10u1 [352 kB]
Get:3 http://security.debian.org/debian-security buster/updates/main amd64
openssh-client amd64 1:7.9p1-10+deb10u1 [782 kB]
Fetched 1.178 kB in 0s (4.945 kB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 498927 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-sftp-server (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Preparing to unpack .../openssh-server_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-server (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Preparing to unpack .../openssh-client_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-client (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Setting up openssh-client (1:7.9p1-10+deb10u1) ...
Setting up openssh-sftp-server (1:7.9p1-10+deb10u1) ...
Setting up openssh-server (1:7.9p1-10+deb10u1) ...
Replacing config file /etc/ssh/sshd_config with new version
rescue-ssh.target is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u1) ...

The important line is the fourth from the bottom.

Since I have changed the port of SSHD this makes it impossible to
open new connections afterwards. I can't believe that making computers
secure by essentially disconnecting their admins is the desired behavior
of this package (update). Arguably, changing the port back to its default
(as in my case) might even increase security risks. ;)

AFAIK there is no way to override the settings from the standard
config file (by files in a *.d directory as requested in other bug
reports). If there is no other (well-documented) workaround I strongly
consider this behavior a bug.

-- System Information:
Debian Release: 10.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (91, 'testing'), (10, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.7
ii libaudit1 1:2.8.4-3
ii libc6 2.28-10
ii libcom-err2 1.44.5-1+deb10u2
ii libgssapi-krb5-2 1.17-3
ii libkrb5-3 1.17-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1d-0+deb10u1
ii libsystemd0 241-7~deb10u1
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii openssh-client 1:7.9p1-10+deb10u1
ii openssh-sftp-server 1:7.9p1-10+deb10u1
ii procps 2:3.3.15-2
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 241-7~deb10u1
ii ncurses-term 6.1+20181013-2+deb10u1
ii xauth 1:1.0.10-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information excluded
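
The failure mode described in this report, as an added example that is not part of the original bug report or of the openssh package: a post-upgrade check that looks for the "Replacing config file" line in an upgrade log and compares the ports configured in sshd_config with the expected one. The function names, the sample files and the port 2222 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): post-upgrade check for sshd port drift.

# Paths a package-upgrade log reports as replaced, matching the
# "Replacing config file <path> with new version" line quoted in the report.
replaced_configs() {
    sed -n 's/^Replacing config file \(.*\) with new version$/\1/p' "$1"
}

# Ports configured in an sshd_config-style file, space-separated.
# Keywords are case-insensitive, several Port lines may exist, and sshd
# falls back to 22 when none is set. Assumes the "Port <n>" spelling.
sshd_ports() {
    awk '
        /^[ \t]*#/             { next }    # commented-out default
        tolower($1) == "match" { exit }    # Port is global-only; stop at Match
        tolower($1) == "port"  { out = out (n++ ? " " : "") $2 }
        END                    { print (n ? out : 22) }
    ' "$1"
}

# Exit status 1 when the log ($1) shows sshd_config was replaced and the
# ports configured in the file ($2) no longer equal the expected value ($3).
check_sshd_after_upgrade() {
    if ! replaced_configs "$1" | grep -qxF /etc/ssh/sshd_config; then
        echo "ok: sshd_config not replaced"; return 0
    fi
    have=$(sshd_ports "$2")
    [ "$have" = "$3" ] && { echo "ok: replaced, Port still $have"; return 0; }
    echo "DRIFT: sshd_config replaced, Port is $have, expected $3"
    return 1
}

# Constructed sample data: two log lines in the report's format, a config with
# a custom port (2222 is an assumed value) and one reset to the shipped default.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'Setting up openssh-server (1:7.9p1-10+deb10u1) ...' \
        'Replacing config file /etc/ssh/sshd_config with new version' > "$d/term.log"
    printf '%s\n' '# local change' 'Port 2222' 'Match User backup' \
        '    X11Forwarding no' > "$d/custom.conf"
    printf '%s\n' '#Port 22' '#AddressFamily any' > "$d/default.conf"
    echo "$d"
}

d=$(make_samples)
trap 'rm -rf "$d"' EXIT
check_sshd_after_upgrade "$d/term.log" "$d/default.conf" 2222 || true
```

Run against a real upgrade log and the live /etc/ssh/sshd_config from a session that is still open, a non-zero status signals that the listening port will change on the next sshd restart.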