[Bug 2037703] Re: dpkg-reconfigure openssh-server doesn't ask questions again

Martin Pitt 2037703 at bugs.launchpad.net
Thu Dec 21 02:35:52 UTC 2023 

We just ran into this in https://github.com/cockpit-
project/bots/issues/5691 when trying to refresh our Ubuntu 23.10 mantic
VM image. It starts with the current cloud image and then apt upgrades
it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few
days ago indeed:

  Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
  Creating SSH2 ECDSA key; this may take some time ...
  256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root at ubuntu (ECDSA)
  Creating SSH2 ED25519 key; this may take some time ...
  256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root at ubuntu (ED25519)
  rescue-ssh.target is a disabled or a static unit not running, not starting it.
  Could not execute systemctl:  at /usr/bin/deb-systemd-invoke line 145.
  dpkg: error processing package openssh-server (--configure):
   installed openssh-server package post-installation script subprocess returned error exit status 1


I.e. of course that security update itself didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already.


However, as a first naïve reproducer I tried

  apt update
  DEBIAN_FRONTEND=noninteractive apt update openssh-server

on our current VM (with the release version 1:9.3p1-1ubuntu3), and that
worked fine. Same with installing all 9 available packages.
rescue.target is loaded/inactive/static, as it should be. Updating
without DEBIAN_FRONTEND does show me a conffile prompt about
/etc/ssh/sshd_config, which is justified as we do modify the config:

  # Allow root login with password
  sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
  # Prevent SSH from hanging for a long time when no external network access
  echo 'UseDNS no' >> /etc/ssh/sshd_config

this also leads to a merge conflict. However, I suppose all of that is
tangential to the rescue-ssh.target  issue. In all my interactive
upgrades, it seemed to handle that just fine:

  Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
  rescue-ssh.target is a disabled or a static unit not running, not starting it.

So this seems to be related to the first-time installation of openssh-
server -- it is part of the cloud image, but it does the host key
generation during our image builds.


So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place?

# Automatically added by dh_installsystemd/13.11.6ubuntu1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
        if [ -d /run/systemd/system ]; then
                systemctl --system daemon-reload >/dev/null || true
                if [ -n "$2" ]; then
                        _dh_action=restart
                else
                        _dh_action=start
                fi
                deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true
        fi
fi

It feels like the postinst should *never* try to start rescue-
ssh.target. That's an alternative boot mode, and should never run un
multi-user.target, isn't it?

[1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1

** Bug watch added: github.com/cockpit-project/bots/issues #5691
   https://github.com/cockpit-project/bots/issues/5691

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2037703

Title:
  dpkg-reconfigure openssh-server doesn't ask questions again

Status in openssh package in Ubuntu:
  New

Bug description:
  openssh-server does provide a couple of configuration options:

  [~]$ sudo debconf-get-selections |grep openssh-server
  openssh-server	openssh-server/listenstream-may-fail	error	
  openssh-server	openssh-server/password-authentication	boolean	true
  openssh-server	openssh-server/permit-root-login	boolean	true

  
  I want to change those options now interactively but nothing I tried worked and showed a dialog:

  [~]$ sudo dpkg-reconfigure -p low openssh-server      
  Warning: Stopping ssh.service, but it can still be activated by:
    ssh.socket
  rescue-ssh.target is a disabled or a static unit not running, not starting it.

  [~]$ sudo dpkg-reconfigure -p low --force --frontend dialog openssh-server
  Warning: Stopping ssh.service, but it can still be activated by:
    ssh.socket
  rescue-ssh.target is a disabled or a static unit not running, not starting it.


  But the documentation (https://manpages.debian.org/testing/debconf-
  doc/debconf.7.en.html#Reconfiguring_packages) does state that those
  commands should ask those questions again.

  
  p.s. also tried with a lxc debian-sid container and had the same problem there.

  ProblemType: Bug
  DistroRelease: Ubuntu 23.10
  Package: openssh-server 1:9.3p1-1ubuntu3
  ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0
  Uname: Linux 6.5.0-5-generic x86_64
  NonfreeKernelModules: zfs
  ApportVersion: 2.27.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Sep 29 10:35:33 2023
  InstallationDate: Installed on 2023-05-10 (142 days ago)
  InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/usr/bin/zsh
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
  SourcePackage: openssh
  UpgradeStatus: Upgraded to mantic on 2023-07-19 (71 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2037703/+subscriptions

More information about the foundations-bugs mailing list