Bug#994001: openssh-server: Almost locked out due #990456

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#994001: openssh-server: Almost locked out due #990456
From: Aristeu Rozanski <aris@ruivo.org>
Date: Thu, 09 Sep 2021 11:08:05 -0400
Message-id: <[🔎] 163120008526.156652.4472716217819163004.reportbug@tate.lan.ruivo>
Reply-to: Aristeu Rozanski <aris@ruivo.org>, 994001@bugs.debian.org

Package: openssh-server
Version: 1:8.4p1-6
Severity: important

Dear Maintainer,

I have a user named Rufus Obrien O'Rourke and he can't use the defined
username (according to our rules) 'root' but it already comes defined when
I install the system. Please rename them to something like '_root' please.

Jokes aside, I had 'ssh' group defined for a good while as to be used as
group of people allowed to ssh in the machine (AllowGroup, root login is
disabled) and a recent upgrade, probably due #990456, that group got renamed
as '_ssh' and I wasn't able to login anymore. Thankfully I had a session open
since before the change and was able to figure out what was going on.

Please change the upgrade script to check if the group ssh already contains
users before doing the change.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.77
ii  dpkg                   1.20.9
ii  libaudit1              1:3.0.5-1
ii  libc6                  2.31-17
ii  libcom-err2            1.46.4-1
ii  libcrypt1              1:4.4.25-2
ii  libgssapi-krb5-2       1.18.3-7
ii  libkrb5-3              1.18.3-7
ii  libpam-modules         1.4.0-10
ii  libpam-runtime         1.4.0-10
ii  libpam0g               1.4.0-10
ii  libselinux1            3.1-3
ii  libssl1.1              1.1.1l-1
ii  libsystemd0            247.9-1
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.4p1-6
ii  openssh-sftp-server    1:8.4p1-6
ii  procps                 2:3.3.17-5
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  247.9-1
ii  ncurses-term             6.2+20201114-4
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
ii  ssh-askpass   1:1.2.4.1-13+b1
pn  ufw           <none>

-- Configuration Files:
/etc/pam.d/sshd changed [not included]

-- debconf information excluded

Reply to:

Follow-Ups:
- Bug#994001: openssh-server: Almost locked out due #990456
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#990456: almost locked me out of my server
Next by Date: Bug#994001: openssh-server: Almost locked out due #990456
Previous by thread: Bug#990456: almost locked me out of my server
Next by thread: Bug#994001: openssh-server: Almost locked out due #990456
Index(es):
- Date
- Thread