Bug#942100: openssh-server: /etc/ssh/sshd_config unconditionally overwritten by update
This hit me this weekend, courtesy of the Debian 12.1 to 12.2 point upgrade.
That upgraded openssh-server from 1:9.2p1-2 to 1:9.2p1-2+deb12u1.
I had made some changes to /etc/ssh/sshd_config in March 2018 (Debian 9.4), one of which moved the default port to 2222. This was to make port 22 available for use by a Docker-based GitLab instance.
I have been following point upgrades since then through 9.13, jumped to 10.6, point upgrades through 10.11, jumped to 11.2, point upgrades through 11.7. All without making any manual changes to sshd_config.
I integrated upstream sshd_config changes when I manually upgraded the host to Debian 12.1 (from 11.7) in August 2023. At that time I did not move my customizations to use the new /etc/ssh/sshd_config.d/* support.
The point upgrade was performed by unattended-upgrades on 2023-10-08 and the machine was automatically rebooted on 2023-10-09. The SSH daemon was started first, preventing the GitLab instance from starting. Seeing that, I tried to login remotely via port 2222 and got a connection refused. Yikes!
Fortunately, the logcheck reports in my mailbox pointed out the GitLab could not bind to port 22, giving me a clue that I could probably SSH in on that port. Fortunately that worked and I was able to get things back to working order via that remote login.
I have not been able to find any notice of this in the Debian 12 release notes or the /usr/share/doc/openssh-server/{NEWS,README}.Debian.gz files and was therefore very unpleasantly surprised by this behavior.
FWIW, my /var/cache/debconf/config.dat contains
Name: openssh-server/password-authentication
Template: openssh-server/password-authentication
Value: false
Owners: openssh-server
Name: openssh-server/permit-root-login
Template: openssh-server/permit-root-login
Value: true
Owners: openssh-server
but I manually edited sshd_config to use
PermitRootLogin no
as well as
Port 22
Cross-checking with /var/cache/debconf/templates.dat, it appears I used dpkg-reconfigure to change password-authentication to end up with
PasswordAuthentication no
in my sshd_config.
The openssh-server.postinst appears to be responsible for "clobbering" my customizations (via ucf) but I don't see any differences to that file between the old and new versions, making me wonder why this hasn't hit me before.
I'll be syncing the openssh-server debconf answers with what I have in my sshd_config and move out any other customizations to /etc/ssh/sshd_config.d/* snippets but thought this might be of use to others.
Reply to: