I took another look, and this turns out to be simpler than I thought. The problem is that we explicitly attempt to parse the server match config (an unnecessary copypasta from the sshd -T code path). But, in the generator, we only care about options that affect the listening addresses, and the match section is for modifying settings on a per-connection basis.
Hence, the fix for this is to just not attempt to parse the match config, as it requires a connection spec, which we cannot have at generator time.

** Changed in: openssh (Ubuntu Oracular)
       Status: Confirmed => Triaged

** Changed in: openssh (Ubuntu Noble)
       Status: New => Triaged

** Changed in: openssh (Ubuntu Noble)
   Importance: Undecided => Medium

** Changed in: openssh (Ubuntu Noble)
     Assignee: (unassigned) => Nick Rosbrook (enr0n)

--
https://bugs.launchpad.net/bugs/2076023

Title:
  Failed to apply 'Match' directive in sshd_config with sshd-socket-generator

Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Noble:
  Triaged
Status in openssh source package in Oracular:
  Triaged

Bug description:
  When using the Match statement in sshd_config or sshd_config.d/*.conf with socket activation (not the classic method), sshd does not start as expected.

  Environment:
  Ubuntu: Ubuntu 24.04 LTS
  OpenSSH Server: 1:9.6p1-3ubuntu13.4

  Steps to Reproduce:
  /etc/ssh/sshd_config
  ```
  Include /etc/ssh/sshd_config.d/*.conf
  Port 22
  Port 22222
  KbdInteractiveAuthentication no
  UsePAM yes
  X11Forwarding yes
  PrintMotd no
  AcceptEnv LANG LC_*
  Subsystem sftp /usr/lib/openssh/sftp-server
  Match LocalPort 22222
      PasswordAuthentication no
      PubkeyAuthentication yes
  ```
  command: sudo systemctl daemon-reload && sudo systemctl restart ssh.socket

  Expected Behavior:
  sshd should listen on both ports 22 and 22222. When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.

  Actual Behavior:
  sshd only listens on port 22 and not on port 22222. The configuration is not correctly applied.
  After daemon-reload, the output from journalctl is as follows:
  ```
  $ sudo journalctl -t '(sd-exec-'
  Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.
  ```

  Additional Information:
  1. Using sshd -T -C to test the configuration produces the following result:
  ```
  $ sudo sshd -T -C lport=22 | grep passwordauthentication
  passwordauthentication yes
  $ sudo sshd -T -C lport=22222 | grep passwordauthentication
  passwordauthentication no
  ```
  2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
  ```
  $ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
  'Match LocalPort' in configuration but 'lport' not in connection test specification.
  ```
  3. I have tested some cases; if sshd-socket-generator cannot handle the config correctly, sshd seems to run with the default config. I also noticed that there is no test case for the Match directive in https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.

  I guess the root cause of the issue lies in the sshd-socket-generator not correctly handling the Match directive. And a detailed assessment of the potential security issues caused by this bug is needed. If socket activation is to be widely adopted, this issue will undoubtedly be a significant stumbling block.
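Added example, not part of the bug report or of Ubuntu's sshd-socket-generator: a small Python model of the listener-extraction step the generator performs, run over the reporter's sshd_config. `skip_match=False` reproduces the failure (the first `Match` line aborts, because a Match block can only be evaluated against an actual connection), `skip_match=True` applies the fix described in the comment above. Skipping is safe because sshd_config(5) does not allow `Port`, `ListenAddress` or `AddressFamily` inside a Match block, so nothing after the first `Match` can change the set of listeners. The `[Socket]` drop-in format and the `/etc/ssh/sshd_config.d/50-cloud-init.conf` fragment are assumptions made for the example; the in-memory `files` dict stands in for the filesystem so it runs offline. The security-relevant consequence visible in the report is modelled too: when the generator fails, the stricter port (22222) is simply never bound, while `sshd -T -C` shows sshd itself still evaluates the Match block correctly.

```python
"""Listener extraction from sshd_config, with and without the Match-block
mistake described in LP: #2076023.  Added example; not the generator's code."""
import fnmatch
import shlex


class GeneratorError(Exception):
    """Stands in for the generator exiting 255 on a Match block."""


def _directives(text):
    """Yield (keyword, args) per non-comment line.  The 'Key=value' form is
    handled only for the single-token case (a simplification of sshd's parser)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if len(tokens) == 1 and "=" in tokens[0]:
            tokens = tokens[0].split("=", 1)
        yield tokens[0], tokens[1:]


def collect_listen_directives(files, path, skip_match):
    """Return (ports, listen_addresses) from the global section of `path` and
    the files it Includes.  `files` maps path -> text (a constructed stand-in
    for the filesystem).  skip_match=False reproduces the bug; skip_match=True
    treats the first Match line as the end of the global section."""
    ports, addrs = [], []
    _walk(files, path, ports, addrs, skip_match, 0)
    return ports, addrs


def _walk(files, path, ports, addrs, skip_match, depth):
    """Returns False once a Match line has been seen, so that a Match inside
    an included file also ends the global section of the including file."""
    if depth > 16:  # sshd's own Include nesting limit
        raise GeneratorError("Include nesting too deep")
    for key, args in _directives(files[path]):
        k = key.lower()
        if k == "match":
            if not skip_match:
                raise GeneratorError(f"'Match {' '.join(args)}' in configuration "
                                     "but no connection test specification")
            return False
        if k == "include":
            for pattern in args:
                # fnmatch stands in for glob(3); matching files in sorted order
                for name in sorted(fnmatch.filter(files, pattern)):
                    if not _walk(files, name, ports, addrs, skip_match, depth + 1):
                        return False
        elif k == "port":
            ports.append(int(args[0]))
        elif k == "listenaddress":
            addrs.append(args[0])
    return True


def _split_host_port(spec):
    """ListenAddress forms: host, host:port, [ipv6], [ipv6]:port.
    The rdomain= qualifier is not modelled here."""
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    if spec.count(":") == 1:
        host, port = spec.split(":")
        return host, int(port)
    return spec, None


def listen_streams(ports, addrs):
    """Map sshd's listener directives to systemd ListenStream= values:
    no Port -> 22; no ListenAddress -> every port on all addresses;
    a ListenAddress without a port -> that address on every Port."""
    ports = ports or [22]
    if not addrs:
        return [str(p) for p in ports]
    streams = []
    for spec in addrs:
        host, port = _split_host_port(spec)
        for p in ([port] if port else ports):
            streams.append(f"[{host}]:{p}" if ":" in host else f"{host}:{p}")
    return streams


def render_socket_dropin(streams):
    """Render a [Socket] drop-in (assumed output format).  The leading empty
    ListenStream= clears the unit's existing list, per systemd.socket(5)."""
    return "[Socket]\nListenStream=\n" + "".join(f"ListenStream={s}\n" for s in streams)


SAMPLE_FILES = {  # constructed: the reporter's config plus a hypothetical drop-in
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "Port 22\nPort 22222\n"
        "KbdInteractiveAuthentication no\nUsePAM yes\nX11Forwarding yes\n"
        "PrintMotd no\nAcceptEnv LANG LC_*\n"
        "Subsystem sftp /usr/lib/openssh/sftp-server\n"
        "Match LocalPort 22222\n"
        "    PasswordAuthentication no\n    PubkeyAuthentication yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

if __name__ == "__main__":
    try:
        collect_listen_directives(SAMPLE_FILES, "/etc/ssh/sshd_config", skip_match=False)
    except GeneratorError as err:
        print("buggy generator:", err)  # port 22222 would never be bound
    ports, addrs = collect_listen_directives(SAMPLE_FILES, "/etc/ssh/sshd_config", skip_match=True)
    print(render_socket_dropin(listen_streams(ports, addrs)))
```

Running it prints the failure message for the buggy path and, for the fixed path, a drop-in with `ListenStream=22` and `ListenStream=22222`. The interesting property to keep in mind when reviewing the real fix is the same one the `_walk` return value encodes: once any `Match` has been seen, nothing that follows can legitimately affect listeners, so the generator may stop reading rather than try to evaluate the block.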