[Bug 1305418] Re: [SRU] walinuxagent breaks sshd configuration

Thu Apr 10 20:51:32 UTC 2014

Uploaded fix for Trusty.

** Summary changed:

- walinuxagent breaks sshd configuration
+ [SRU] walinuxagent breaks sshd configuration

** Also affects: walinuxagent (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Also affects: walinuxagent (Ubuntu Trusty)
   Importance: Critical
     Assignee: Robert C Jennings (rcj)
       Status: In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1305418

Title:
  [SRU] walinuxagent breaks sshd configuration

Status in “walinuxagent” package in Ubuntu:
  In Progress
Status in “walinuxagent” source package in Saucy:
  New
Status in “walinuxagent” source package in Trusty:
  In Progress

Bug description:
  [Impact]

   * Provisioning with the latest walinuxagent will break sshd_config,
  barring sshd from starting.  With ssh access often the only means of
  access for cloud instances, this is extremely disruptive.

   * A backport of this fix is necessary to retain ssh access after re-
  provisioning an instance hosted on Azure.

   * The current waagent command assumes that sshd_config is terminated
  with a newline when it appends a config option to the file.  There is
  no newline and thus this new configuration option is appended to a
  current option rendering the config file invalid.  The fix is to
  insert a newline prior to appending to the config file.

  [Test Case]

  Steps to reproduce
   * Become familiar with the last line of sshd_config, `tail /etc/ssh/sshd_config`
      It will contain "UsePAM yes" and have new newline at the of the file.
   * Install walinuxagent with `apt-get install waagent`
   * Force re-provisioning by running `waagent -setup`
   * Check the config file with `tail /etc/ssh/sshd_config`. It will now contain:
      "UsePAM yesClientAliveInterval 180"
   * Confirm that the SSH daemon will fail to start.  Test by running `/usr/sbin/sshd`. Expected error output is:
      "/etc/ssh/sshd_config line 88: Bad yes/no argument: yesClientAliveInterval"
     At this point, rebooting the OS will result in loss of SSH access.
  * Edit /etc/ssh/sshd_config to insert a carriage return after "UsePAM yes" and place "ClientAliveInterval 180" on its own line.
   * Verify that ssh can start again `/usr/sbin/sshd`

  [Regression Potential]

   * Regression risk is extremely low, I can't think of a negative
  impact of adding an extra newline to the end of the file before
  appending content.

  [Other Info]

   * Tested in 14.04 and 13.10, PPA builds can be found at ppa:~rcj/testing for thos packages.
   * Repeated re-provisioning will add new newline characters, which will add whitespace prior to the new config option.  This whitespace will grow by one line with each re-provisioning; but this is a rare operation.  Given the code structure it was far safer to address this by unconditionally adding the newline rather than adding complexity to check that it was absolutely needed.

  [ Original Description Follows ]

  After installing the latest walinuxagent package on Ubuntu 13.10 I see
  that we end up with a broken configuration in /etc/ssh/sshd_config.
  The last line in that file looks like the following:

     UsePAM yesClientAliveInterval 180

  This is the result of the agent package re-running "waagent -setup,"
  which wants to append the "ClientAliveInterval 180" parameter to
  /etc/ssh/sshd_config to avoid timeouts with the Azure load balancer
  (which has a 4 minute timeout).  But currently waagent assumes there
  is a "\n" at the end of this file.

  We could fix this bug in the agent to always add "\n" to the front of
  this parameter (maybe a good idea) or there may be another way to fix
  this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/walinuxagent/+bug/1305418/+subscriptions