** Description changed:

+ [Impact]
+ 
+ When users have a Match section in their sshd config, their
+ configuration cannot be parsed by the sshd-socket-generator (because
+ there is no connection, hence no connection spec to be matched), and the
+ generator fails. This means no custom config is applied at all.
+ 
+ [Test Plan]
+ 
+ 1. On a noble system with sshd installed, create a drop-in config with a
+ Match directive, and run the generator locally:
+ 
+ $ cat > /etc/ssh/sshd_config.d/custom.conf << EOF
+ Port 1234
+ Match LocalPort 22
+ PasswordAuthentication no
+ EOF
+ $ /lib/systemd/system-generators/sshd-socket-generator .
+ 'Match LocalPort' in configuration but 'lport' not in connection test specification.
+ 
+ On an affected system, the above error will be shown. On a patched
+ system, the generator will succeed, and
+ /run/system/generator/ssh.socket.d/addresses.conf will reflect the Port
+ 1234 option.
+ 
+ 2. A new subtest was added to debian/tests/sshd-socket-generator,
+ test_match_port. It does the same as the above, and should pass in
+ autopkgtest.
+ 
+ [Where problems could occur]
+ 
+ This patch simply removes the code from sshd-socket-generator that tries
+ to parse the match config. If problems did occur, it would be related to
+ the generator again. Specifically, it would likely be related to
+ missing/unparsed options.
+ 
+ [Original Description]
When using the Match statement in sshd_config or sshd_config.d/*.conf with socket activation (not classic method), sshd does not start as expected.
Environment:
Ubuntu: Ubuntu 24.04 LTS
OpenSSH Server: 1:9.6p1-3ubuntu13.4

- Steps to Reproduce:
/etc/ssh/sshd_config
```
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 22222
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match LocalPort 22222
- PasswordAuthentication no
- PubkeyAuthentication yes
+ PasswordAuthentication no
+ PubkeyAuthentication yes
```
command:
sudo systemctl daemon-reload && sudo systemctl restart ssh.socket

- Expected Behavior:
sshd should listen on both ports 22 and 22222. When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.

- Actual Behavior:
sshd only listens on port 22 and not on port 22222. The configuration is not correctly applied.
After daemon-reload, the output from journalctl is as follows:
$ sudo journalctl -t (sd-exec-
Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.

- Additional Information:
1. Using sshd -T -C to test the configuration produces the following result:
$ sudo sshd -T -C lport=22 | grep passwordauthentication
passwordauthentication yes
$ sudo sshd -T -C lport=22222 | grep passwordauthentication
passwordauthentication no
2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
$ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
'Match LocalPort' in configuration but 'lport' not in connection test specification.
3. I have tested some cases; if sshd-socket-generator cannot handle the config correctly, sshd seems to run with the default config.
- - And I also noticed that there is no test case about the Match directive in https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.
+ And I also noticed that there is no test case about the Match directive
+ in https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.

I guess the root cause of the issue lies in the sshd-socket-generator not correctly handling the Match directive. And a detailed assessment of potential security issues caused by this bug is needed. If socket activation is to be widely adopted, this issue will undoubtedly be a significant stumbling block.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2076023

Title:
  Failed to apply 'Match' directive in sshd_config with sshd-socket-generator

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2076023/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs