
Bug#998834: Multiple subsystem options in sshd_config prevent sshd from starting



Package: openssh-server
Version: 1:8.7p1-1
Severity: important

Dear maintainers,

In /etc/ssh/sshd_config the option

  "Subsystem sftp /usr/lib/openssh/sftp-server"

is active by default.

"man 5 sshd_config" states:

  "/etc/ssh/sshd_config.d/*.conf files are included at the start of the
  configuration file, so options set there will override those in
  /etc/ssh/sshd_config."

However, after adding

  "Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO"

to /etc/ssh/sshd_config.d/10-marcus-sshd-config.conf, the ssh server fails
to start.

Hence, my attempt to leave the original sshd_config untouched and move
all my manually modified settings to a file parsed via the include
directive results in a broken ssh server.

Running "sshd -T" reports:

  /etc/ssh/sshd_config line 116: Subsystem 'sftp' already defined.

This undocumented behaviour contradicts the statement of the man page cited
above. I could not find any Debian bug report in the openssh-* packages
regarding this issue (please forgive me if I missed it).

In the end I dropped my new approach of using
/etc/ssh/sshd_config.d/*.conf and went back to a manually modified
/etc/ssh/sshd_config, until this issue is solved.

By the way, after a brief search on the error message I found the same
problem reported there as well:

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

(Thus, I used the same subject line as in the cited bug report.)

Best regards,
Marcus

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.79
ii  dpkg                   1.20.9
ii  libaudit1              1:3.0.6-1
ii  libc6                  2.32-4
ii  libcom-err2            1.46.4-1
ii  libcrypt1              1:4.4.25-2
ii  libgssapi-krb5-2       1.18.3-7
ii  libkrb5-3              1.18.3-7
ii  libpam-modules         1.4.0-10
ii  libpam-runtime         1.4.0-10
ii  libpam0g               1.4.0-10
ii  libselinux1            3.1-3+b1
ii  libssl1.1              1.1.1l-1
ii  libsystemd0            249.5-2
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.7p1-1
ii  openssh-sftp-server    1:8.7p1-1
ii  procps                 2:3.3.17-5
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  249.5-2
pn  ncurses-term             <none>
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded
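
A pre-restart check for the collision described in this report, as an added example that is not part of the original message or of OpenSSH: it reads a configuration file in parse order, follows Include directives, and lists every Subsystem name that is defined more than once. The parser is simplified (no quoting, no "keyword=value" form, no Match handling), and the function names, file names and directory layout are constructed for illustration.

```python
import glob
import os
import tempfile

def subsystem_definitions(path, base_dir):
    """Return (name, file, line_no) for each Subsystem line in parse order.
    Relative Include patterns are resolved under base_dir (sshd uses /etc/ssh)."""
    found = []
    with open(path, encoding="utf-8") as fh:
        for line_no, raw in enumerate(fh, 1):
            words = raw.split("#", 1)[0].split()   # drop comments, tokenize
            if not words:
                continue
            keyword = words[0].lower()             # keywords are case-insensitive
            if keyword == "include":
                for pattern in words[1:]:
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base_dir, pattern)
                    for included in sorted(glob.glob(pattern)):
                        found += subsystem_definitions(included, base_dir)
            elif keyword == "subsystem" and len(words) > 1:
                found.append((words[1], path, line_no))
    return found

def duplicate_subsystems(path, base_dir):
    """Return (name, first_location, repeat_location) for each redefinition."""
    first, dupes = {}, []
    for name, file, line_no in subsystem_definitions(path, base_dir):
        if name in first:
            dupes.append((name, first[name], (file, line_no)))
        else:
            first[name] = (file, line_no)
    return dupes

def build_constructed_layout(root):
    """Constructed sample: a drop-in file plus a main file with the default line."""
    os.makedirs(os.path.join(root, "sshd_config.d"))
    with open(os.path.join(root, "sshd_config.d", "10-local.conf"), "w") as fh:
        fh.write("Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO\n")
    main = os.path.join(root, "sshd_config")
    with open(main, "w") as fh:
        fh.write("Include sshd_config.d/*.conf\n# defaults\n"
                 "Subsystem sftp /usr/lib/openssh/sftp-server\n")
    return main

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        main = build_constructed_layout(root)
        for name, first, repeat in duplicate_subsystems(main, root):
            print(f"Subsystem {name!r}: {first[0]}:{first[1]} then {repeat[0]}:{repeat[1]}")
```

On a real host the call would be duplicate_subsystems("/etc/ssh/sshd_config", "/etc/ssh"); an empty result means no Subsystem name is repeated across the main file and its includes.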

