sshd port migration is missing two config lines from jammy to kinetic

Bug #1991199 reported by Daniel Tang
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssh (Ubuntu) | Fix Released | High | Steve Langasek | |
| systemd (Ubuntu) | Invalid | Undecided | Unassigned | |

Bug Description

The automatic migration script from jammy to kinetic generates an invalid file for sshd that systemd refuses to read. Manual addition of two lines is required for a functional sshd with a custom port.

This bug can be considered the opposite of https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1990863 . They want to have sshd keep managing the socket while I want to try letting systemd do that.

$ lsb_release -rd
Description: Ubuntu Kinetic Kudu (development branch)
Release: 22.10

$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:9.0p1-1ubuntu6
  Candidate: 1:9.0p1-1ubuntu6
  Version table:
 *** 1:9.0p1-1ubuntu6 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu kinetic/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy systemd
systemd:
  Installed: 251.4-1ubuntu6
  Candidate: 251.4-1ubuntu6
  Version table:
 *** 251.4-1ubuntu6 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu kinetic/main amd64 Packages
        100 /var/lib/dpkg/status

# Instructions

- Configure /etc/ssh/sshd_config to port 2222 in 22.04
- Upgrade to 22.10 with sudo do-release-upgrade -d
- Accept overwriting /etc/ssh/sshd_config with the new version
- Attempt to ssh into the machine

# Expected behavior

systemd should listen on port 2222 and start sshd.

$ cat /etc/systemd/system/ssh.socket.d/addresses.conf
[Socket]
ListenStream=
ListenStream=2222

$ systemctl status ssh.socket
● ssh.socket - OpenBSD Secure Shell server socket
     Loaded: loaded (/lib/systemd/system/ssh.socket; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.socket.d
             └─addresses.conf
     Active: active (running) since Thu 2022-09-29 02:08:56 EDT; 9min ago
      Until: Thu 2022-09-29 02:08:56 EDT; 9min ago
   Triggers: ● ssh.service
     Listen: [::]:2222 (Stream)
      Tasks: 0 (limit: 19047)
     Memory: 8.0K
        CPU: 923us
     CGroup: /system.slice/ssh.socket

Sep 29 02:08:56 daniel-desktop2 systemd[1]: Listening on OpenBSD Secure Shell server socket.

# Actual behavior

Port 2222 refuses any connection. Systemd fails to parse the automatically generated file:

$ systemctl status ssh.socket
● ssh.socket - OpenBSD Secure Shell server socket
     Loaded: loaded (/lib/systemd/system/ssh.socket; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.socket.d
             └─addresses.conf
     Active: active (listening) since Thu 2022-09-29 01:51:57 EDT; 16min ago
      Until: Thu 2022-09-29 01:51:57 EDT; 16min ago
   Triggers: ● ssh.service
     Listen: [::]:22 (Stream)
      Tasks: 0 (limit: 19047)
     Memory: 8.0K
        CPU: 982us
     CGroup: /system.slice/ssh.socket

Sep 29 01:51:57 daniel-desktop2 systemd[1]: Listening on OpenBSD Secure Shell server socket.
Sep 29 01:56:23 daniel-desktop2 systemd[1]: /etc/systemd/system/ssh.socket.d/addresses.conf:1: Assignment outside of section. Ignoring.

$ cat /etc/systemd/system/ssh.socket.d/override.conf
ListenStream=2222

# Analysis

The migration script must be missing the `[Socket]` line and the next one. sshd works after I added those two lines manually. Either the migration script never worked or systemd changed the syntax in the meantime.

Nick Rosbrook (enr0n) wrote :

This drop-in is generated by openssh-server.postinst, and systemd is correctly rejecting the drop-in without a [Socket] section.

Changed in systemd (Ubuntu):
status: New → Invalid
Nick Rosbrook (enr0n) wrote :

I see the problem in openssh-server.postinst. When only a non-default Port is used (and ListenAddress is left alone), the temporary addresses.conf.new file is never moved to its final location. So, when the ListenStream=<port> line is appended to the final file, the '[Socket] ...' portion is not there.

Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: foundations-todo
Robie Basak (racb)
tags: added: socket-activation ssh
tags: added: ssh-socket-activation
removed: socket-activation ssh
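
The failure mode described in the comment above, as an added shell example that is not the openssh-server.postinst code or the patch attached to this bug: it detects a drop-in whose first assignment precedes any section header, and regenerates it through a temporary file that is checked before being renamed into place. The function names and the scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from openssh-server.postinst.

# Succeeds (0) if the first meaningful line of a unit file is an assignment,
# i.e. what systemd reports as "Assignment outside of section. Ignoring."
dropin_has_orphan_assignment() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            '['*) return 1 ;;           # a section header comes first: fine
            *=*) return 0 ;;            # key=value before any header: broken
        esac
    done < "$1"
    return 1
}

# Write DIR/addresses.conf for the given ListenStream values: build the whole
# file under a temporary name, check it, then rename it into place.
write_ssh_socket_dropin() {
    dir=$1; shift
    mkdir -p "$dir"
    tmp=$(mktemp "$dir/addresses.conf.XXXXXX") || return 1
    {
        printf '[Socket]\n'
        printf 'ListenStream=\n'        # empty value clears the stock listener
        for addr in "$@"; do printf 'ListenStream=%s\n' "$addr"; done
    } > "$tmp"
    if dropin_has_orphan_assignment "$tmp"; then rm -f "$tmp"; return 1; fi
    chmod 644 "$tmp"
    mv "$tmp" "$dir/addresses.conf"
}

# Rebuild a header-less DIR/addresses.conf, keeping its ListenStream values.
repair_ssh_socket_dropin() {
    f=$1/addresses.conf
    dropin_has_orphan_assignment "$f" || return 0
    ports=$(sed -n 's/^ListenStream=\(..*\)$/\1/p' "$f")
    set -f                              # no globbing on values like [::]:2222
    write_ssh_socket_dropin "$1" $ports; rc=$?
    set +f
    return $rc
}

# Constructed sample: the broken drop-in from this report, in a scratch directory.
demo=$(mktemp -d)
printf 'ListenStream=2222\n' > "$demo/addresses.conf"
repair_ssh_socket_dropin "$demo" && cat "$demo/addresses.conf"
rm -rf "$demo"
```

On a real system the rewritten drop-in only takes effect after `systemctl daemon-reload` and a restart of ssh.socket.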
Nick Rosbrook (enr0n) wrote :
Steve Langasek (vorlon) wrote :

Thanks for the patch, Nick. We should also make sure that for users that had 1ubuntu6 unpacked, we fix up any broken override file as well.

I have some other changes for openssh in progress and will intend to pick up this fix as part of my next upload.

Changed in openssh (Ubuntu):
assignee: nobody → Steve Langasek (vorlon)
Steve Langasek (vorlon) wrote :

I see on review that your patch does fix any broken override files, by virtue of replaying the same upgrade code if upgrading from 1ubuntu6. There are some corner cases where that might not be desirable, but as these are all pre-release versions I think it's ok to ignore these in favor of landing the fix more quickly.

Changed in openssh (Ubuntu):
status: Triaged → In Progress
Steve Langasek (vorlon)
Changed in openssh (Ubuntu):
importance: Medium → High
Steve Langasek (vorlon)
Changed in openssh (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.0p1-1ubuntu7

---------------
openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium

  * Update list of stock sshd_config checksums to include those from
    jammy and kinetic.
  * Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
    avoid spurious ucf prompts on upgrade.
  * Move /run/sshd creation out of the systemd unit to a tmpfile config
    so that sshd can be run manually if necessary without having to create
    this directory by hand. LP: #1991283.

  [ Nick Rosbrook ]
  * debian/openssh-server.postinst: Fix addresses.conf generation when only
    non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).

 -- Steve Langasek <email address hidden> Mon, 26 Sep 2022 21:55:14 +0000

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
Benjamin Drung (bdrung)
tags: removed: foundations-todo