** Tags added: sshd-socket-generator

** Tags added: no

** Tags removed: no
** Tags added: noble

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2076023

Title:
  Failed to apply 'Match' directive in sshd_config with sshd-socket-
  generator

Status in openssh package in Ubuntu:
  New

Bug description:
  When using the Match statement in sshd_config or sshd_config.d/*.conf
  with socket activation (not the classic method), sshd does not start as
  expected.

  Environment:

  Ubuntu: Ubuntu 24.04 LTS
  OpenSSH Server: 1:9.6p1-3ubuntu13.4


  Steps to Reproduce:

  /etc/ssh/sshd_config
  ```
  Include /etc/ssh/sshd_config.d/*.conf
  Port 22
  Port 22222
  KbdInteractiveAuthentication no
  UsePAM yes
  X11Forwarding yes
  PrintMotd no
  AcceptEnv LANG LC_*
  Subsystem     sftp    /usr/lib/openssh/sftp-server
  Match LocalPort 22222
      PasswordAuthentication no
      PubkeyAuthentication yes
  ```

  command:

  sudo systemctl daemon-reload && sudo systemctl restart ssh.socket


  Expected Behavior:

  sshd should listen on both ports 22 and 22222.
  When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.

  
  Actual Behavior:

  sshd only listens on port 22 and not on port 22222. The configuration
  is not correctly applied.

  After daemon-reload, the output from journalctl is as follows:

  $ sudo journalctl -t (sd-exec-
  Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.


  Additional Information:

  1. Using sshd -T -C to test the configuration produces the following result:
  $ sudo sshd -T -C lport=22 | grep passwordauthentication
  passwordauthentication yes

  $ sudo sshd -T -C lport=22222 | grep passwordauthentication
  passwordauthentication no

  2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
  $ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
  'Match LocalPort' in configuration but 'lport' not in connection test specification.

  3. I have tested some cases; if sshd-socket-generator cannot handle the
  config correctly, sshd seems to run with the default config.

  
  And I also noticed that there is no test case about the Match directive in https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.

  I guess the root cause of the issue lies in the sshd-socket-generator
  not correctly handling the Match directive.

  And a detailed assessment of the potential security issues caused by
  this bug is needed.

  If socket activation is to be widely adopted, this issue will
  undoubtedly be a significant stumbling block.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2076023/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
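The report's own checks (sshd -T -C lport=PORT, running the generator by hand, looking at which ports are bound) can be turned into one post-deploy script. The script below is an added example, not part of the bug report or of the openssh package. It assumes the generator path quoted in the report, that the generator accepts the three output directories systemd normally passes, that it writes its ssh.socket drop-in as *.conf files containing ListenStream= lines (an assumption about the Ubuntu generator's output format), and that ss from iproute2 with the -H flag is available. The parsing helpers read their input on stdin so they can be exercised on constructed text without a live sshd.

```shell
#!/usr/bin/env bash
# Added post-deploy check (not from the bug report or the openssh package):
# confirm that every Port in the effective sshd configuration is emitted by
# sshd-socket-generator and is actually listening, and print the per-port
# authentication policy that `sshd -T -C lport=PORT` reports.
set -u

# Generator path as given in the bug report.
GENERATOR=/usr/lib/systemd/system-generators/sshd-socket-generator

# Print the port numbers from `sshd -T` output read on stdin (lines "port N").
ports_from_dump() {
  awk '$1 == "port" { print $2 }' | sort -un
}

# Print local TCP listening ports from `ss -ltnH` output read on stdin.
# The local address is the 4th column, e.g. 0.0.0.0:22 or [::]:22222.
listening_ports() {
  awk 'NF >= 4 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print ports from generator-emitted drop-ins read on stdin: the port is the
# part after the last colon of each non-empty ListenStream= value (a bare
# "ListenStream=" only clears the inherited list). Output format is assumed.
generated_ports() {
  sed -n 's/^ListenStream=//p' | awk -F: 'length($NF) > 0 { print $NF }' | sort -un
}

# Print each port from the first (whitespace-separated) list that is absent
# from the second.
missing_ports() {
  local want="$1" have="$2" p q found
  for p in $want; do
    found=0
    for q in $have; do
      [ "$p" = "$q" ] && found=1
    done
    [ "$found" -eq 0 ] && echo "$p"
  done
  return 0
}

main() {
  local dump want have gen tmp p gstatus rc=0
  dump=$(sshd -T) || { echo "FAIL: sshd -T rejected the configuration" >&2; return 1; }
  want=$(printf '%s\n' "$dump" | ports_from_dump)

  # Dry-run the generator into a scratch directory. systemd passes three
  # output directories; pointing all of them at the same place is fine.
  tmp=$(mktemp -d)
  "$GENERATOR" "$tmp" "$tmp" "$tmp"
  gstatus=$?
  if [ "$gstatus" -eq 0 ]; then
    gen=$(find "$tmp" -type f -name '*.conf' -exec cat {} + | generated_ports)
    for p in $(missing_ports "$want" "$gen"); do
      echo "FAIL: generator did not emit a ListenStream for port $p"; rc=1
    done
  else
    echo "FAIL: $GENERATOR exited with status $gstatus (socket unit falls back to its defaults)"; rc=1
  fi
  rm -rf "$tmp"

  have=$(ss -ltnH | listening_ports)
  for p in $(missing_ports "$want" "$have"); do
    echo "FAIL: nothing is listening on port $p"; rc=1
  done

  # Show the policy actually in effect per port, so a silently ignored
  # Match LocalPort block becomes visible.
  for p in $want; do
    echo "port $p: $(sshd -T -C lport="$p" | awk '/^(password|pubkey)authentication /' | tr '\n' ' ')"
  done
  return "$rc"
}

case "${1:-}" in
  --run) main ;;
esac
```

Run it as root after every change to sshd_config (sudo bash sshd-port-check.sh --run): a non-zero exit means either the generator rejected the configuration, a configured Port has no listener, or both, which is exactly the silent fallback the report describes. The last loop prints the password/pubkey policy per port so that a Match LocalPort block that is parsed by sshd -T but never reached in practice stands out.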
