[Bug 1305418] Re: walinuxagent breaks sshd configuration
Robert C Jennings
1305418 at bugs.launchpad.net
Thu Apr 10 20:10:09 UTC 2014
** Description changed:
[Impact]
- * Provisioning with the latest walinuxagent will break sshd_config,
+ * Provisioning with the latest walinuxagent will break sshd_config,
barring sshd from starting. With ssh access often the only means of
access for cloud instances, this is extremely disruptive.
- * A backport of this fix is necessary to retain ssh access after re-
+ * A backport of this fix is necessary to retain ssh access after re-
provisioning an instance hosted on Azure.
- * The current waagent command assumes that sshd_config is terminated
+ * The current waagent command assumes that sshd_config is terminated
with a newline when it appends a config option to the file. There is no
newline and thus this new configuration option is appended to a current
option rendering the config file invalid. The fix is to insert a
newline prior to appending to the config file.
[Test Case]
Steps to reproduce
- * Become familiar with the last line of sshd_config, `tail /etc/ssh/sshd_config`
- It will contain "UsePAM yes" and have new newline at the of the file.
- * Install walinuxagent with `apt-get install walinuxagent`
- * Force re-provisioning by running `waagent -setup`
- * Check the config file with `tail /etc/ssh/sshd_config`. It will now contain:
- "UsePAM yesClientAliveInterval 180"
- * Confirm that the SSH daemon will fail to start. Test by running `/usr/sbin/sshd`. Expected error output is:
- "/etc/ssh/sshd_config line 88: Bad yes/no argument: yesClientAliveInterval"
- At this point, rebooting the OS will result in loss of SSH access.
+ * Become familiar with the last line of sshd_config, `tail /etc/ssh/sshd_config`
+ It will contain "UsePAM yes" and have new newline at the of the file.
+ * Install walinuxagent with `apt-get install waagent`
+ * Force re-provisioning by running `waagent -setup`
+ * Check the config file with `tail /etc/ssh/sshd_config`. It will now contain:
+ "UsePAM yesClientAliveInterval 180"
+ * Confirm that the SSH daemon will fail to start. Test by running `/usr/sbin/sshd`. Expected error output is:
+ "/etc/ssh/sshd_config line 88: Bad yes/no argument: yesClientAliveInterval"
+ At this point, rebooting the OS will result in loss of SSH access.
* Edit /etc/ssh/sshd_config to insert a carriage return after "UsePAM yes" and place "ClientAliveInterval 180" on its own line.
- * Verify that ssh can start again `/usr/sbin/sshd`
+ * Verify that ssh can start again `/usr/sbin/sshd`
[Regression Potential]
- * Regression risk is extremely low, I can't think of a negative impact
+ * Regression risk is extremely low, I can't think of a negative impact
of adding an extra newline to the end of the file before appending
content.
[Other Info]
-
- * Tested in 14.04 and 13.10, PPA builds can be found at ppa:~rcj/testing for thos packages.
- * Repeated re-provisioning will add new newline characters, which will add whitespace prior to the new config option. This whitespace will grow by one line with each re-provisioning; but this is a rare operation. Given the code structure it was far safer to address this by unconditionally adding the newline rather than adding complexity to check that it was absolutely needed.
+ * Tested in 14.04 and 13.10, PPA builds can be found at ppa:~rcj/testing for thos packages.
+ * Repeated re-provisioning will add new newline characters, which will add whitespace prior to the new config option. This whitespace will grow by one line with each re-provisioning; but this is a rare operation. Given the code structure it was far safer to address this by unconditionally adding the newline rather than adding complexity to check that it was absolutely needed.
[ Original Description Follows ]
After installing the latest walinuxagent package on Ubuntu 13.10 I see
that we end up with a broken configuration in /etc/ssh/sshd_config. The
last line in that file looks like the following:
UsePAM yesClientAliveInterval 180
This is the result of the agent package re-running "waagent -setup,"
which wants to append the "ClientAliveInterval 180" parameter to
/etc/ssh/sshd_config to avoid timeouts with the Azure load balancer
(which has a 4 minute timeout). But currently waagent assumes there is
a "\n" at the end of this file.
We could fix this bug in the agent to always add "\n" to the front of
this parameter (maybe a good idea) or there may be another way to fix
this.
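Review bot: the revised install step in the test case reads `apt-get install waagent`, while the line it replaces used `walinuxagent`, the package name given in the bug title and in the "Status in" line. On this page `waagent` appears only as the command run in the next step (`waagent -setup`). Suggest restoring `apt-get install walinuxagent`. The other changed lines in this description diff show no visible text change.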
https://bugs.launchpad.net/bugs/1305418
Title:
walinuxagent breaks sshd configuration
Status in “walinuxagent” package in Ubuntu:
In Progress
Bug description:
[Impact]
* Provisioning with the latest walinuxagent will break sshd_config,
barring sshd from starting. With ssh access often the only means of
access for cloud instances, this is extremely disruptive.
* A backport of this fix is necessary to retain ssh access after
re-provisioning an instance hosted on Azure.
* The current waagent command assumes that sshd_config is terminated
with a newline when it appends a config option to the file. There is
no newline and thus this new configuration option is appended to a
current option rendering the config file invalid. The fix is to
insert a newline prior to appending to the config file.
[Test Case]
Steps to reproduce
* Become familiar with the last line of sshd_config, `tail /etc/ssh/sshd_config`
It will contain "UsePAM yes" and have new newline at the end of the file.
* Install walinuxagent with `apt-get install waagent`
* Force re-provisioning by running `waagent -setup`
* Check the config file with `tail /etc/ssh/sshd_config`. It will now contain:
"UsePAM yesClientAliveInterval 180"
* Confirm that the SSH daemon will fail to start. Test by running `/usr/sbin/sshd`. Expected error output is:
"/etc/ssh/sshd_config line 88: Bad yes/no argument: yesClientAliveInterval"
At this point, rebooting the OS will result in loss of SSH access.
* Edit /etc/ssh/sshd_config to insert a carriage return after "UsePAM yes" and place "ClientAliveInterval 180" on its own line.
* Verify that ssh can start again `/usr/sbin/sshd`
[Regression Potential]
* Regression risk is extremely low, I can't think of a negative
impact of adding an extra newline to the end of the file before
appending content.
[Other Info]
* Tested in 14.04 and 13.10, PPA builds can be found at ppa:~rcj/testing for those packages.
* Repeated re-provisioning will add new newline characters, which will add whitespace prior to the new config option. This whitespace will grow by one line with each re-provisioning; but this is a rare operation. Given the code structure it was far safer to address this by unconditionally adding the newline rather than adding complexity to check that it was absolutely needed.
[ Original Description Follows ]
After installing the latest walinuxagent package on Ubuntu 13.10 I see
that we end up with a broken configuration in /etc/ssh/sshd_config.
The last line in that file looks like the following:
UsePAM yesClientAliveInterval 180
This is the result of the agent package re-running "waagent -setup,"
which wants to append the "ClientAliveInterval 180" parameter to
/etc/ssh/sshd_config to avoid timeouts with the Azure load balancer
(which has a 4 minute timeout). But currently waagent assumes there
is a "\n" at the end of this file.
We could fix this bug in the agent to always add "\n" to the front of
this parameter (maybe a good idea) or there may be another way to fix
this.
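The [Other Info] note weighs an unconditional newline against checking whether one is needed. As an added example (not waagent's code and not part of this bug report), this Python function shows the conditional variant: it appends the directive once and inserts a separator only when the file lacks a trailing newline. The name `append_directive` and the sample file contents are constructed for illustration.

```python
import os
import tempfile


def append_directive(path, key, value):
    """Append 'key value' to an sshd_config-style file exactly once.

    Returns True if the file was changed, False if the directive was
    already present with this value.
    """
    with open(path, "rb") as f:
        data = f.read()
    for raw in data.decode("utf-8", "replace").splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        # Keywords are case-insensitive in sshd_config.
        if fields[0].lower() == key.lower() and " ".join(fields[1:]) == value:
            return False
    # Add a separator only when the last byte is not already a newline,
    # so repeated runs never glue options together or grow blank lines.
    sep = b"" if not data or data.endswith(b"\n") else b"\n"
    new_data = data + sep + f"{key} {value}\n".encode()
    # Write a temp file in the same directory and rename it over the
    # original, so an interrupted run cannot leave a half-written config.
    mode = os.stat(path).st_mode & 0o7777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def demo():
    # Constructed sample: the last line has no trailing newline, as in the report.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd_config")
        with open(path, "wb") as f:
            f.write(b"Port 22\nUsePAM yes")
        first = append_directive(path, "ClientAliveInterval", "180")
        second = append_directive(path, "ClientAliveInterval", "180")
        with open(path, "rb") as f:
            return first, second, f.read()
```

After any change to the real file, `sshd -t` checks the configuration for validity before the daemon is restarted.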