[Bug 2076023] [NEW] Failed to apply 'Match' directive in sshd_config with sshd-socket-generator
Enorize
2076023 at bugs.launchpad.net
Sun Aug 4 05:20:15 UTC 2024
Public bug reported:
When using the Match statement in sshd_config or sshd_config.d/*.conf
with socket activation (not the classic method), sshd does not start as
expected.
Environment:
Ubuntu: Ubuntu 24.04 LTS
OpenSSH Server: 1:9.6p1-3ubuntu13.4
Steps to Reproduce:
/etc/ssh/sshd_config
```
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 22222
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match LocalPort 22222
PasswordAuthentication no
PubkeyAuthentication yes
```
command:
sudo systemctl daemon-reload && sudo systemctl restart ssh.socket
Expected Behavior:
sshd should listen on both ports 22 and 22222.
When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.
Actual Behavior:
sshd only listens on port 22 and not on port 22222. The configuration is
not correctly applied.
After daemon-reload, the output from journalctl is as follows:
$ sudo journalctl -t (sd-exec-
Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.
Additional Information:
1. Using sshd -T -C to test the configuration produces the following result:
$ sudo sshd -T -C lport=22 | grep passwordauthentication
passwordauthentication yes
$ sudo sshd -T -C lport=22222 | grep passwordauthentication
passwordauthentication no
2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
$ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
'Match LocalPort' in configuration but 'lport' not in connection test specification.
3. I have tested some cases; if sshd-socket-generator cannot handle the config
correctly, sshd seems to run with the default config.
And I also noticed that there is no test case about the Match directive in https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.
I guess the root cause of the issue lies in the sshd-socket-generator
not correctly handling the Match directive.
A detailed assessment of the potential security issues caused by this
bug is needed.
If socket activation is to be widely adopted, this issue will
undoubtedly be a significant stumbling block.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2076023
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2076023/+subscriptions