The verification of the Stable Release Update for openssh has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1876320 Title: Port parameter sshd_config is 22 AND whatever you specify Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: Fix Released Status in openssh package in Debian: Fix Released Bug description: [Impact] * The "Port" option in sshd_config is accumulative, but due to a bug re- adds the default when an include is encountered. Therefore we have these cases a) Port 722 Listens on 722 (correct) b) Port 722 Port 2222 Listens on 722 & 2222 (correct) c) Port 722 include /path/to/otherconfig Listens on 722 & 22 (applied defaults as if Port was unset) * Of the above (c) is a bug, not documented that way and can lead to open ports not expected and not wanted. [Test Case] * Test if defaults are applied even if option is specified Rename sshd_config to something_else and replace sshd_config with two lines to include the original config (now called something_else) and set the Port to 7722: systemctl stop ssh mv /etc/ssh/sshd_config /etc/ssh/something_else cat > /etc/ssh/sshd_config <<EOF Include /etc/ssh/something_else Port 7722 EOF systemctl start ssh systemctl status ssh # restore the original config: mv /etc/ssh/something_else /etc/ssh/sshd_config Which will show: ● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2020-05-02 15:31:37 UTC; 13s ago Docs: man:sshd(8) man:sshd_config(5) Process: 45261 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) Main PID: 45271 (sshd) Tasks: 1 (limit: 18457) Memory: 1.3M CGroup: /system.slice/ssh.service └─45271 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups May 02 15:31:37 cabernet systemd[1]: Starting OpenBSD Secure Shell server... May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 7722. May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 7722. May 02 15:31:37 cabernet sshd[45271]: Server listening on 0.0.0.0 port 22. May 02 15:31:37 cabernet sshd[45271]: Server listening on :: port 22. May 02 15:31:37 cabernet systemd[1]: Started OpenBSD Secure Shell server. So, NOW it will have ports 22 AND 7722 open! With the fix this should no more happen. * Test if multiple options still work [Regression Potential] * The change itself isn't very invasive and I don't expect it to break it with crashes or similar. But if people didn't realize that this is a bug, they might have a config in place and somewhat rely on the broken behavior. It is good thou that (a) (b) of above are the common cases and won't change. Further even if a user used (c) the explicitly configured port will still work. Fortunately it is early in the Focal lifetime and it was the one introducting the 'include' feature - therefore I'd expect not too many people using it yet. [Other Info] * n/a ---- On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd deamons. One (on port 22) is for internal use, accepts passwords etc. The second (on port 7722) does not allow PAM use and no passwords, allows only one user(name) and uses an alternative autorized_keys file (that only root can edit). Any parameter FIRST encountered in sshd_config is the one that is accepted; others do not override (like in many other config files). There is one exception: 'Port', which is accumulative. To make life easier, I set the more restrictive parameters for port 7722 first and next include the system-default /etc/ssh/sshd_config. The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify 'Port' anywhere - the default is 22. But: it is obviously still accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722 AND 22. This is unwanted. Proposed solution: Remove the accumulative behavior for 'Port' and REQUIRE the 'Port' parameter like before (and maybe have second and later parameters override the earlier ones, like 'everyone else'). Regards, Adriaan PS Searching for solutions, I found that specifying 'ListenAddress 0.0.0.0:7722' stops sshd from listening to port 22. This, however, is not documented in 'man 5 sshd_config' and may be an unreliable side- effect. To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1876320/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
