
Bug#994001: openssh-server: Almost locked out due #990456



On Thu, Sep 09, 2021 at 11:08:05AM -0400, Aristeu Rozanski wrote:
> Jokes aside, I had 'ssh' group defined for a good while as to be used as
> group of people allowed to ssh in the machine (AllowGroup, root login is
> disabled) and a recent upgrade, probably due to #990456, that group got renamed
> as '_ssh' and I wasn't able to log in anymore. Thankfully I had a session open
> since before the change and was able to figure out what was going on.
> 
> Please change the upgrade script to check if the group ssh already contains
> users before doing the change.

We can add some kind of check that would fail the installation in this
situation, but please migrate to using some other site-specific group
for this ASAP.  The ssh/_ssh group is an internal implementation detail
used only to ensure that private key material cannot be extracted from
running ssh-agent processes using ptrace(2); it's not intended to have
users added to it.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
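
The kind of check discussed in this thread, sketched as an added example; it is not code from the openssh package or from either message. It reports whether the `ssh` group has users or is named in sshd_config group filters; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the openssh package): detect site use of the
# internal "ssh" group before a rename. Simplifications: no Include/Match
# handling, no wildcard patterns, whitespace-separated keywords only.

# Supplementary members of group $1 in group(5) file $2, one per line.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
}

# Users in passwd(5) file $3 whose primary GID is that of group $1.
primary_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -z "$gid" ] || awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
}

# AllowGroups/DenyGroups lines in sshd_config $2 that name group $1.
sshd_refs() {
    awk -v g="$1" 'tolower($1) ~ /^(allow|deny)groups$/ {
        for (i = 2; i <= NF; i++) if ($i == g) { print; break } }' "$2"
}

# audit_group GROUP GROUPFILE PASSWDFILE SSHD_CONFIG
# Prints findings; returns 1 if the group is in site use, else 0.
audit_group() {
    found=0
    for u in $(group_members "$1" "$2") $(primary_members "$1" "$2" "$3"); do
        echo "user '$u' belongs to group '$1'"; found=1
    done
    refs=$(sshd_refs "$1" "$4")
    if [ -n "$refs" ]; then echo "sshd_config names '$1': $refs"; found=1; fi
    return "$found"
}

# Constructed sample files (not taken from the bug report), written to dir $1.
write_sample() {
    printf '%s\n' 'root:x:0:' 'ssh:x:110:alice,bob' > "$1/group"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
        'dave:x:1003:110::/home/dave:/bin/sh' > "$1/passwd"
    printf '%s\n' 'PermitRootLogin no' '# AllowGroups wheel' \
        'AllowGroups ssh' > "$1/sshd_config"
}

# Demo on the sample; on a real host pass /etc/group, /etc/passwd and
# /etc/ssh/sshd_config instead.
demo=$(mktemp -d) && write_sample "$demo"
audit_group ssh "$demo/group" "$demo/passwd" "$demo/sshd_config" ||
    echo "group 'ssh' is in site use; move these users to a site-specific group"
rm -rf "$demo"
```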

