[Bug 2076023] Re: Failed to apply 'Match' directive in sshd_config with sshd-socket-generator

Wed Oct 23 06:14:03 UTC 2024

Hello Enorize, or anyone else affected,

Accepted openssh into noble-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.6 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
noble to verification-done-noble. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-noble. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openssh (Ubuntu Noble)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-noble

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2076023

Title:
  Failed to apply 'Match' directive in sshd_config with sshd-socket-
  generator

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Noble:
  Fix Committed
Status in openssh source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  When users have a Match section in their sshd config, their
  configuration cannot be parsed by the sshd-socket-generator (because
  there is no connection, hence no connection spec to be matched), and
  the generator fails. This means no custom config is applied at all.

  [Test Plan]

  1. On a noble system with sshd installed, create a drop-in config with
  a Match directive, and run the generator locally:

  $ cat > /etc/ssh/sshd_config.d/custom.conf << EOF
  Port 1234
  Match LocalPort 22
      PasswordAuthentication no
  EOF
  $ /lib/systemd/system-generators/sshd-socket-generator .
  'Match LocalPort' in configuration but 'lport' not in connection test specification.

  On an affected system, the above error will be shown. On a patched
  system, the generator will succeed, and ./ssh.socket.d/addresses.conf
  will reflect the Port 1234 option.

  2. A new subtest was added to debian/tests/sshd-socket-generator,
  test_match_port. It does the same as the above, and should pass in
  autopkgtest.

  [Where problems could occur]

  This patch simply removes the code from sshd-socket-generator that
  tries to parse the match config. If problems did occur, it would be
  related to the generator again. Specifically, it would likely be
  related to missing/unparsed options.

  [Original Description]

  When using the Match statement in sshd_config or sshd_config.d/*.conf
  with socket activation(not classic method), sshd does not start as
  expected.

  Environment:

  Ubuntu: Ubuntu 24.04 LTS
  OpenSSH Server: 1:9.6p1-3ubuntu13.4

  Steps to Reproduce:

  /etc/ssh/sshd_config
  ```
  Include /etc/ssh/sshd_config.d/*.conf
  Port 22
  Port 22222
  KbdInteractiveAuthentication no
  UsePAM yes
  X11Forwarding yes
  PrintMotd no
  AcceptEnv LANG LC_*
  Subsystem	sftp	/usr/lib/openssh/sftp-server
  Match LocalPort 22222
      PasswordAuthentication no
      PubkeyAuthentication yes
  ```

  command:

  sudo systemctl daemon-reload && sudo systemctl restart ssh.socket

  Expected Behavior:

  sshd should listen on both ports 22 and 22222.
  When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.

  Actual Behavior:

  sshd only listens on port 22 and not on port 22222. The configuration
  is not correctly applied.

  After daemon-reload, the output from journalctl is as follows:

  $ sudo journalctl -t (sd-exec-
  Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.

  Additional Information:

  1.Using sshd -T -C to test the configuration produces the following result:
  $ sudo sshd -T -C lport=22 | grep passwordauthentication
  passwordauthentication yes

  $ sudo sshd -T -C lport=22222 | grep passwordauthentication
  passwordauthentication no

  2.The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
  $ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
  'Match LocalPort' in configuration but 'lport' not in connection test specification.

  3.I have test some cases, if sshd-socket-generator can not handle
  config rightly, sshd seems to run with default config.

  And I also noticed that there is no test case about the Match
  directive in
  https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-
  socket-generator.

  I guess the root cause of the issue lies in the sshd-socket-generator
  not correctly handling the Match directive.

  And a detailed assessment of potential security issues which caused by
  this bug is needed.

  If socket activation is to be widely adopted, this issue will
  undoubtedly be a significant stumbling block.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2076023/+subscriptions