Bug#865770: marked as done (openssh-server fails to validate configuration before reloading, under systemd)



Your message dated Wed, 23 Aug 2017 01:05:54 +0000
with message-id <E1dkK7G-0005H9-Gr@fasolo.debian.org>
and subject line Bug#865770: fixed in openssh 1:7.5p1-6
has caused the Debian Bug report #865770,
regarding openssh-server fails to validate configuration before reloading, under systemd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
865770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865770
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:6.7p1-5+deb8u3
Severity: important
Tags: patch jessie stretch sid

Dear maintainers,

The systemd units shipped as part of jessie, stretch and sid do not validate
the sshd_config file before proceeding with reloading or restarting the daemon.
(Note that reloading when the file contains invalid config makes sshd exit.)

As far as I can tell, the old initscripts have the correct behaviour,
so this is a systemd-specific regression.


Please find included a patch that makes `systemctl reload ssh` fail properly
when the configuration is invalid.

Unfortunately, systemd does not support validating configuration before
restarting a service, though an issue has been open for over 1.5 years:

    https://github.com/systemd/systemd/issues/2175


Given the severity of the issue (indeed, this can easily result in accidental
loss of administrative access, making the error quite difficult to fix),
please consider shipping the patch in the next point-release.

This was one of the causes of an outage at hashbang.sh, resulting in loss of
SSH access for all users and administrators.


Regards,

  kf


-- System Information:
Debian Release: 8.8
  APT prefers oldstable
  APT policy: (900, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.17.27
ii  init-system-helpers    1.22
ii  libc6                  2.19-18+deb8u10
ii  libcomerr2             1.42.12-2+b1
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libkrb5-3              1.12.1+dfsg-19+deb8u2
ii  libpam-modules         1.1.8-3.1+deb8u2
ii  libpam-runtime         1.1.8-3.1+deb8u2
ii  libpam0g               1.1.8-3.1+deb8u2
ii  libselinux1            2.3-2
ii  libssl1.0.0            1.0.1t-1+deb8u6
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13+nmu1
ii  openssh-client         1:6.7p1-5+deb8u3
ii  openssh-sftp-server    1:6.7p1-5+deb8u3
ii  procps                 2:3.3.9-9
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  6.0+20160625-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- Configuration Files:
/etc/pam.d/sshd changed:
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so dir=~/Mail standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password


-- debconf information excluded
diff --git i/debian/systemd/ssh.service w/debian/systemd/ssh.service
index 3df8c64..7351931 100644
--- i/debian/systemd/ssh.service
+++ w/debian/systemd/ssh.service
@@ -6,7 +6,7 @@ ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
 [Service]
 EnvironmentFile=-/etc/default/ssh
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
-ExecReload=/bin/kill -HUP $MAINPID
+ExecReload=/bin/sh -c '/usr/sbin/sshd -t && /bin/kill -HUP $MAINPID'
 KillMode=process
 Restart=on-failure
 RestartPreventExitStatus=255
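Review bot: the new ExecReload line validates without $SSHD_OPTS while ExecStart runs with it, so if /etc/default/ssh selects a different configuration file with -f, `sshd -t` checks /etc/ssh/sshd_config rather than the file the running daemon loaded, and a reload can still make sshd exit as the report describes. Pass the same options to the test (`/usr/sbin/sshd -t $SSHD_OPTS`), or drop the sh -c wrapper and express it as a separate `ExecReload=/usr/sbin/sshd -t` line ahead of `ExecReload=/bin/kill -HUP $MAINPID`, since systemd runs ExecReload lines in order and stops at the first failure. The hunk also guards only reload, although the report's title covers restarts too; an `ExecStartPre=/usr/sbin/sshd -t` line would cover start and restart as well (it runs only after the old daemon has stopped, so it cannot preserve access, but it makes a broken configuration fail explicitly at the test step).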

--- End Message ---
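A systemd drop-in override that an administrator could deploy on a host whose packaged unit still reloads without validation. This is an added example, not the Debian patch or the maintainers' fix; it assumes the paths, the EnvironmentFile and the $SSHD_OPTS variable shown in the unit above, and the standard drop-in directory for the ssh.service unit.

```ini
# /etc/systemd/system/ssh.service.d/validate-config.conf
# (added example, not shipped by the openssh-server package)
[Service]
# Validate before sshd is started or restarted. ExecStartPre runs after the
# old daemon has already stopped, so it cannot keep access alive on a broken
# config, but it makes the failure explicit in `systemctl status ssh`.
# $SSHD_OPTS comes from /etc/default/ssh (the unit's EnvironmentFile), so an
# alternative configuration selected there with -f is the one being tested.
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS

# An empty assignment clears the ExecReload list inherited from the packaged
# unit. The following lines then run in order; systemd aborts the reload and
# reports failure to `systemctl reload ssh` as soon as one of them exits
# non-zero, so the running daemon is only sent SIGHUP once the test passed.
ExecReload=
ExecReload=/usr/sbin/sshd -t $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
```

After creating the file, run `systemctl daemon-reload` so the override is picked up before the next reload or restart.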
--- Begin Message ---
Source: openssh
Source-Version: 1:7.5p1-6

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 23 Aug 2017 01:41:06 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.5p1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 864190 865770 872643 872851
Changes:
 openssh (1:7.5p1-6) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Test configuration before starting or reloading sshd under systemd
     (closes: #865770).
   * Create /run/sshd under systemd using RuntimeDirectory rather than
     tmpfiles.d (thanks, Dmitry Smirnov; closes: #864190).
 .
   [ Dimitri John Ledkov ]
   * Drop upstart system and user jobs (closes: #872851).
 .
   [ Chris Lamb ]
   * Quote IP address in suggested "ssh-keygen -f" calls (closes: #872643).


--- End Message ---
