[Bug 1876320] Re: Port parameter sshd_config is 22 AND whatever you specify

Christian Ehrhardt  1876320 at bugs.launchpad.net
Wed Jun 17 11:41:31 UTC 2020


Retest as-is:

root at f:~# dpkg -l openssh-server
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================================================
ii  openssh-server 1:8.2p1-4    amd64        secure shell (SSH) server, for secure access from remote machines
root at f:~# systemctl stop ssh
root at f:~# mv /etc/ssh/sshd_config /etc/ssh/something_else
root at f:~# cat > /etc/ssh/sshd_config <<EOF
> Include /etc/ssh/something_else
> Port 7722
> EOF
root at f:~# systemctl start ssh
root at f:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-06-17 11:23:58 UTC; 4s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 60797 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 60798 (sshd)
      Tasks: 1 (limit: 38269)
     Memory: 2.6M
     CGroup: /system.slice/ssh.service
             └─60798 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Jun 17 11:23:58 f systemd[1]: Starting OpenBSD Secure Shell server...
Jun 17 11:23:58 f sshd[60798]: Server listening on 0.0.0.0 port 7722.
Jun 17 11:23:58 f sshd[60798]: Server listening on :: port 7722.
Jun 17 11:23:58 f systemd[1]: Started OpenBSD Secure Shell server.
Jun 17 11:23:58 f sshd[60798]: Server listening on 0.0.0.0 port 22.
Jun 17 11:23:58 f sshd[60798]: Server listening on :: port 22.

Confirmed.

Installing from proposed:
root at f:~# apt install openssh-server
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  openssh-client openssh-sftp-server
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
Need to get 1101 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 openssh-sftp-server amd64 1:8.2p1-4ubuntu0.1 [51.5 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 openssh-server amd64 1:8.2p1-4ubuntu0.1 [377 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 openssh-client amd64 1:8.2p1-4ubuntu0.1 [672 kB]
Fetched 1101 kB in 0s (2445 kB/s)      
Preconfiguring packages ...
(Reading database ... 55167 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a8.2p1-4ubuntu0.1_amd64.deb ...
Unpacking openssh-sftp-server (1:8.2p1-4ubuntu0.1) over (1:8.2p1-4) ...
Preparing to unpack .../openssh-server_1%3a8.2p1-4ubuntu0.1_amd64.deb ...
Unpacking openssh-server (1:8.2p1-4ubuntu0.1) over (1:8.2p1-4) ...
Preparing to unpack .../openssh-client_1%3a8.2p1-4ubuntu0.1_amd64.deb ...
Unpacking openssh-client (1:8.2p1-4ubuntu0.1) over (1:8.2p1-4) ...
Setting up openssh-client (1:8.2p1-4ubuntu0.1) ...
Setting up openssh-sftp-server (1:8.2p1-4ubuntu0.1) ...
Setting up openssh-server (1:8.2p1-4ubuntu0.1) ...
rescue-ssh.target is a disabled or a static unit, not starting it.
Processing triggers for systemd (245.4-4ubuntu3.1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ufw (0.36-6) ...

Correctly picks up just the right port now

root at f:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-06-17 11:37:33 UTC; 25s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 65295 (sshd)
      Tasks: 1 (limit: 38269)
     Memory: 1.6M
     CGroup: /system.slice/ssh.service
             └─65295 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Jun 17 11:37:33 f systemd[1]: Starting OpenBSD Secure Shell server...
Jun 17 11:37:33 f sshd[65295]: Server listening on 0.0.0.0 port 7722.
Jun 17 11:37:33 f sshd[65295]: Server listening on :: port 7722.
Jun 17 11:37:33 f systemd[1]: Started OpenBSD Secure Shell server.

Nothing on an unconfigured port left:

root at f:~# ss -tl | grep -e '22 '
LISTEN  0       128              0.0.0.0:7722            0.0.0.0:*              
LISTEN  0       128                 [::]:7722               [::]:*  

** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1876320

Title:
  Port parameter sshd_config is 22 AND whatever you specify

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  Fix Committed
Status in openssh package in Debian:
  Fix Released

Bug description:
  [Impact]

   * The "Port" option in sshd_config is accumulative, but due to a bug re-
     adds the default when an include is encountered. Therefore we have these 
     cases
     a) Port 722
        Listens on 722 (correct)
     b) Port 722
        Port 2222
        Listens on 722 & 2222 (correct)
     c) Port 722
        include /path/to/otherconfig
        Listens on 722 & 22 (applied defaults as if Port was unset)

   * Of the above (c) is a bug, not documented that way and can lead to open 
     ports not expected and not wanted.

  [Test Case]

  * Test if defaults are applied even if option is specified

  Rename sshd_config to something_else and replace sshd_config with two
  lines to include the original config (now called something_else) and
  set the Port to 7722:

  systemctl stop ssh
  mv /etc/ssh/sshd_config /etc/ssh/something_else
  cat > /etc/ssh/sshd_config <<EOF
  Include /etc/ssh/something_else
  Port 7722
  EOF
  systemctl start ssh
  systemctl status ssh
  # restore the original config:
  mv /etc/ssh/something_else /etc/ssh/sshd_config

  Which will show:

  ● ssh.service - OpenBSD Secure Shell server
       Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2020-05-02 15:31:37 UTC; 13s ago
         Docs: man:sshd(8)
               man:sshd_config(5)
      Process: 45261 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
     Main PID: 45271 (sshd)
        Tasks: 1 (limit: 18457)
       Memory: 1.3M
       CGroup: /system.slice/ssh.service
               └─45271 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

  May 02 15:31:37 cabernet systemd[1]: Starting OpenBSD Secure Shell server...
  May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 7722.
  May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 7722.
  May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 22.
  May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 22.
  May 02 15:31:37 cabernet systemd[1]: Started OpenBSD Secure Shell server.

  So, NOW it will have ports 22 AND 7722 open!
  With the fix this should no longer happen.

  * Test if multiple options still work

  [Regression Potential]

   * The change itself isn't very invasive and I don't expect it to break 
     with crashes or similar. 
     But if people didn't realize that this is a bug, they might have a 
     config in place and somewhat rely on the broken behavior.
     It is good though that (a) (b) of above are the common cases and won't 
     change.
     Further even if a user used (c) the explicitly configured port will 
     still work.
     Fortunately it is early in the Focal lifetime and it was the one 
     introducing the 'include' feature - therefore I'd expect not too many 
     people using it yet.

  [Other Info]
   
   * n/a


  
  ----

  On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd
  daemons. One (on port 22) is for internal use, accepts passwords etc.
  The second (on port 7722) does not allow PAM use or passwords,
  allows only one user(name) and uses an alternative authorized_keys file
  (that only root can edit).

  Any parameter FIRST encountered in sshd_config is the one that is
  accepted; others do not override (like in many other config files).
  There is one exception: 'Port', which is accumulative. To make life
  easier, I set the more restrictive parameters for port 7722 first and
  next include the system-default /etc/ssh/sshd_config.

  The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify
  'Port' anywhere - the default is 22. But: it is obviously still
  accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722
  AND 22. This is unwanted.

  Proposed solution: Remove the accumulative behavior for 'Port' and
  REQUIRE the 'Port' parameter like before (and maybe have second and
  later parameters override the earlier ones, like 'everyone else').

  Regards,

  Adriaan

  PS Searching for solutions, I found that specifying 'ListenAddress
  0.0.0.0:7722' stops sshd from listening to port 22. This, however, is
  not documented in 'man 5 sshd_config' and may be an unreliable side-
  effect.

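Added example (not part of the bug report, the SRU verification above, or OpenSSH's own servconf.c): a small Python model of the sshd_config semantics this bug is about (the first occurrence of a keyword wins, `Port` accumulates, `Include` splices files in place, the default port 22 applies only when no `Port` was set) plus a check that compares the ports you expect against `ss -tln` output after a restart. The config tree is passed in as a dict of constructed file contents so the script runs offline; the `buggy` flag reproduces the behaviour *as described in the report* (the default port re-added whenever an Include is processed), not the real parser's code path. Include patterns are resolved relative to /etc/ssh as sshd does; `Match` blocks and the `Keyword=value` spelling are not handled, and the file contents and `ss` lines below are constructed after the page's examples.

```python
"""Model sshd_config Include/Port semantics and check live listeners.

Example code, not OpenSSH's parser. Config tree = {path: text}.
"""
import fnmatch
import posixpath

SSH_DEFAULT_PORT = 22
SSH_CONFIG_DIR = "/etc/ssh"
MAX_INCLUDE_DEPTH = 16


def _expand_include(pattern, files):
    """Resolve one Include argument (glob, relative to /etc/ssh) in the tree."""
    if not pattern.startswith("/"):
        pattern = posixpath.join(SSH_CONFIG_DIR, pattern)
    return sorted(p for p in files if fnmatch.fnmatchcase(p, pattern))


def _parse(path, files, opts, ports, buggy, depth=0):
    if depth > MAX_INCLUDE_DEPTH:
        raise ValueError("Include nesting too deep at %s" % path)
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "include":
            for pattern in value.split():
                for inc in _expand_include(pattern, files):
                    _parse(inc, files, opts, ports, buggy, depth + 1)
            if buggy:
                # Reported misbehaviour: defaults applied as if Port were unset.
                ports.append(SSH_DEFAULT_PORT)
        elif key == "port":
            ports.append(int(value))      # Port accumulates across the tree
        else:
            opts.setdefault(key, value)   # first occurrence wins


def effective_config(files, root="/etc/ssh/sshd_config", buggy=False):
    """Return (options, ports) the model says sshd would use."""
    opts, ports = {}, []
    _parse(root, files, opts, ports, buggy)
    if not ports:
        ports.append(SSH_DEFAULT_PORT)    # default only when Port never appeared
    return opts, list(dict.fromkeys(ports))


def unexpected_listeners(ss_output, expected_ports):
    """Ports with a LISTEN socket in `ss -tln` output that were not expected.

    Use -n: without it ss prints port 22 as the service name 'ssh', so a
    grep for '22' would miss exactly the listener this bug adds.
    """
    found = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            found.add(int(cols[3].rsplit(":", 1)[1]))
    return sorted(found - set(expected_ports))


# Constructed tree after the reporter's layout: restrictive settings first,
# then the stock file included, then the port.
REPORTER_TREE = {
    "/etc/ssh/sshd_config": (
        "PasswordAuthentication no\nUsePAM no\n"
        "Include /etc/ssh/something_else\nPort 7722\n"
    ),
    "/etc/ssh/something_else": (
        "# stock Ubuntu file: no Port line\n"
        "PasswordAuthentication yes\nUsePAM yes\n"
    ),
}

# Constructed `ss -tln` output as it would look on the unfixed package.
SS_UNFIXED = """State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:7722         0.0.0.0:*
LISTEN  0       128               [::]:7722            [::]:*
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128               [::]:22              [::]:*
"""

if __name__ == "__main__":
    for buggy in (False, True):
        opts, ports = effective_config(REPORTER_TREE, buggy=buggy)
        print("buggy" if buggy else "fixed", "ports:", ports,
              "PasswordAuthentication:", opts["passwordauthentication"])
    print("unexpected listeners:", unexpected_listeners(SS_UNFIXED, [7722]))
```

On a real host the authoritative checks remain `sshd -T -f /etc/ssh/sshd_config` (dumps the effective configuration after all Includes) and `ss -tln` after the restart; the model above is for reasoning about a config tree offline and for turning the `ss` step into an assertion rather than an eyeball check.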