Bug#994001: openssh-server: Almost locked out due #990456
On Thu, Sep 09, 2021 at 11:08:05AM -0400, Aristeu Rozanski wrote:
> Jokes aside, I had an 'ssh' group defined for a good while, to be used as the
> group of people allowed to ssh into the machine (AllowGroup, root login is
> disabled), and in a recent upgrade, probably due to #990456, that group got renamed
> to '_ssh' and I wasn't able to log in anymore. Thankfully I had a session open
> since before the change and was able to figure out what was going on.
>
> Please change the upgrade script to check if the group ssh already contains
> users before doing the change.
We can add some kind of check that would fail the installation in this
situation, but please migrate to using some other site-specific group
for this ASAP. The ssh/_ssh group is an internal implementation detail
used only to ensure that private key material cannot be extracted from
running ssh-agent processes using ptrace(2); it's not intended to have
users added to it.
--
Colin Watson (he/him) [cjwatson@debian.org]
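
An added example, not part of the original message or of the openssh-server packaging: a shell check an administrator could run to see whether a host relies on the internal ssh/_ssh group, either through group membership or through AllowGroups/DenyGroups. The function names, the constructed sample files and the users alice and bob are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of openssh-server: report reliance on the internal
# ssh/_ssh group. Checks supplementary members and exact names only; primary-GID
# membership, wildcard patterns and Match blocks are not evaluated.

# Print the member list of group $1 from group(5)-format file $2.
group_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" { print $4 }' "$2"
}

# Print AllowGroups/DenyGroups lines naming group $1 in the config files given.
config_refs() {
    grp=$1; shift
    awk -v g="$grp" '
        /^[ \t]*#/ { next }                 # comment line
        { sub(/=/, " ")                     # accept "Keyword=value"
          kw = tolower($1)                  # keywords are case-insensitive
          if (kw != "allowgroups" && kw != "denygroups") next
          for (i = 2; i <= NF; i++)
              if ($i == g) { print FILENAME ": " $0; next } }' "$@"
}

# Usage: audit_ssh_group GROUP_FILE SSHD_CONFIG...; returns 1 on any finding.
audit_ssh_group() {
    group_file=$1; shift
    status=0
    for g in ssh _ssh; do
        m=$(group_members "$g" "$group_file")
        if [ -n "$m" ]; then echo "group $g has members: $m"; status=1; fi
        r=$(config_refs "$g" "$@")
        if [ -n "$r" ]; then echo "group $g is referenced in: $r"; status=1; fi
    done
    return "$status"
}

# Constructed sample input mirroring the report above (not a real system).
demo() {
    demo_dir=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'ssh:x:115:alice,bob' >"$demo_dir/group"
    printf '%s\n' 'PermitRootLogin no' 'AllowGroups ssh' >"$demo_dir/sshd_config"
    rc=0
    audit_ssh_group "$demo_dir/group" "$demo_dir/sshd_config" || rc=$?
    rm -rf "$demo_dir"
    return "$rc"
}

demo || echo "move these users to a site-specific group and update AllowGroups"
```

On a real host the call would be `audit_ssh_group /etc/group /etc/ssh/sshd_config`, run from a session that stays open until a fresh login has been confirmed.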