[Bug 1990863] Re: conversion from sshd service to socket is too bumpy

Wed Sep 28 01:29:48 UTC 2022

Hello,

I am unclear about why you are asking for the contents of my sshd_config
file, given that the problem I described here isn't the merge conflict,
but rather what happens in terms of the migration from ssh service to
socket when the user opts to install the vendor version of sshd_config
as a result of the merge conflict. You're not going to be able to
entirely avoid merge conflicts, so you need to come up with a better way
to handle this conversion, e.g., by migrating the address and port
settings from sshd_config to listen.conf in a preinst script that runs
before dpkg tries to install the new sshd_config.

In any case, I can't tell you exactly what was in my sshd_config before
the problem occurred because, as I indicated, I've upgraded my machine
to Kinetic and in the process replaced sshd_config. However, I believe
it looked approximately like this:

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
PermitRootLogin without-password
PasswordAuthentication no
Port 22
Port 2223

** Changed in: openssh (Ubuntu)
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1990863

Title:
  conversion from sshd service to socket is too bumpy

Status in openssh package in Ubuntu:
  New

Bug description:
  During upgrade from Jammy to Kinetic, I get asked what to do because
  my sshd_config has been modified. I say to do a 3-way merge. It says
  3-way merge fails. I shrug, figure I'll just restore my customizations
  with Ansible after the upgrade like I always do, and tell it to use
  the vendor version of the file. This removes my custom Port settings,
  so they are not migrated over to the ssh.socket settings like
  https://discourse.ubuntu.com/t/sshd-now-uses-socket-based-activation-
  ubuntu-22-10-and-later/30189 says they would be. I subsequently run my
  Ansible which restores the customizations and enables the ssh service,
  but now ssh.service and ssh.socket are enabled at the same time, sshd
  isn't listening on my specified ports, and everything is a mess. I've
  never used socket-based activation before and have no idea how to
  configure it so now I have to go reading man pages, Googling all over
  the place, and generally struggle to figure out what the heck is going
  wrong.

  I don't know what the right answer is here, but I really feel like
  some effort needs to be put into figuring out a smoother transition
  for people who are upgrading to Kinetic.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.10
  Package: openssh-server 1:9.0p1-1ubuntu6
  ProcVersionSignature: Ubuntu 5.19.0-15.15-generic 5.19.0
  Uname: Linux 5.19.0-15-generic x86_64
  ApportVersion: 2.23.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Sep 26 11:41:58 2022
  InstallationDate: Installed on 2019-08-16 (1136 days ago)
  InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
  SourcePackage: openssh
  UpgradeStatus: Upgraded to kinetic on 2022-09-24 (1 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1990863/+subscriptions