I have confirmed the fix using openssh-server 1:9.6p1-3ubuntu13.9 from
noble-proposed:

First, I confirmed the bug was present on this system:

root@noble:~# cat > /etc/ssh/sshd_config.d/custom.conf << EOF
> Port 1234
> Match LocalPort 22
>     PasswordAuthentication no
> EOF
root@noble:~# /lib/systemd/system-generators/sshd-socket-generator .
'Match LocalPort' in configuration but 'lport' not in connection test specification.

Then I installed openssh-server from noble-proposed:

root@noble:~# cat > /etc/apt/sources.list.d/proposed.sources << EOF
Types: deb
URIs: http://us.archive.ubuntu.com/ubuntu/
Suites: noble-proposed
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF
root@noble:~# apt update && apt install -t noble-proposed openssh-server -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openssh-client openssh-sftp-server
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.
Need to get 1452 kB of archives.
After this operation, 7168 B disk space will be freed.
Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-sftp-server amd64 1:9.6p1-3ubuntu13.9 [37.3 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-server amd64 1:9.6p1-3ubuntu13.9 [509 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-client amd64 1:9.6p1-3ubuntu13.9 [905 kB]
Fetched 1452 kB in 0s (6137 kB/s)
Preconfiguring packages ...
(Reading database ... 37213 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a9.6p1-3ubuntu13.9_amd64.deb ...
Unpacking openssh-sftp-server (1:9.6p1-3ubuntu13.9) over (1:9.6p1-3ubuntu13.8) ...
Preparing to unpack .../openssh-server_1%3a9.6p1-3ubuntu13.9_amd64.deb ...
Unpacking openssh-server (1:9.6p1-3ubuntu13.9) over (1:9.6p1-3ubuntu13.8) ...
Preparing to unpack .../openssh-client_1%3a9.6p1-3ubuntu13.9_amd64.deb ...
Unpacking openssh-client (1:9.6p1-3ubuntu13.9) over (1:9.6p1-3ubuntu13.8) ...
Setting up openssh-client (1:9.6p1-3ubuntu13.9) ...
Setting up openssh-sftp-server (1:9.6p1-3ubuntu13.9) ...
Setting up openssh-server (1:9.6p1-3ubuntu13.9) ...
'Match LocalPort' in configuration but 'lport' not in connection test specification.
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for ufw (0.36.2-6) ...
Scanning processes...

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

Finally, I ran the test again to confirm the fix:

root@noble:~# /lib/systemd/system-generators/sshd-socket-generator .
root@noble:~# cat ssh.socket.d/addresses.conf
# Automatically generated by sshd-socket-generator

[Socket]
ListenStream=
ListenStream=1234
root@noble:~# apt policy openssh-server
openssh-server:
  Installed: 1:9.6p1-3ubuntu13.9
  Candidate: 1:9.6p1-3ubuntu13.9
  Version table:
 *** 1:9.6p1-3ubuntu13.9 100
        100 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.6p1-3ubuntu13.8 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     1:9.6p1-3ubuntu13 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2076023

Title:
  Failed to apply 'Match' directive in sshd_config with sshd-socket-generator

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Noble:
  Fix Committed
Status in openssh source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  When users have a Match section in their sshd config, their
  configuration cannot be parsed by the sshd-socket-generator (because
  there is no connection, hence no connection spec to be matched), and
  the generator fails. This means no custom config is applied at all.

  [Test Plan]

  1. On a noble system with sshd installed, create a drop-in config with
  a Match directive, and run the generator locally:

  $ cat > /etc/ssh/sshd_config.d/custom.conf << EOF
  Port 1234
  Match LocalPort 22
      PasswordAuthentication no
  EOF
  $ /lib/systemd/system-generators/sshd-socket-generator .
  'Match LocalPort' in configuration but 'lport' not in connection test specification.

  On an affected system, the above error will be shown. On a patched
  system, the generator will succeed, and ./ssh.socket.d/addresses.conf
  will reflect the Port 1234 option.

  2. A new subtest was added to debian/tests/sshd-socket-generator,
  test_match_port. It does the same as the above, and should pass in
  autopkgtest.

  [Where problems could occur]

  This patch simply removes the code from sshd-socket-generator that
  tries to parse the match config. If problems did occur, it would be
  related to the generator again. Specifically, it would likely be
  related to missing/unparsed options.

  [Original Description]

  When using the Match statement in sshd_config or sshd_config.d/*.conf
  with socket activation (not the classic method), sshd does not start as
  expected.

  Environment:

  Ubuntu: Ubuntu 24.04 LTS
  OpenSSH Server: 1:9.6p1-3ubuntu13.4

  Steps to Reproduce:

  /etc/ssh/sshd_config
  ```
  Include /etc/ssh/sshd_config.d/*.conf
  Port 22
  Port 22222
  KbdInteractiveAuthentication no
  UsePAM yes
  X11Forwarding yes
  PrintMotd no
  AcceptEnv LANG LC_*
  Subsystem     sftp    /usr/lib/openssh/sftp-server
  Match LocalPort 22222
      PasswordAuthentication no
      PubkeyAuthentication yes
  ```

  command:

  sudo systemctl daemon-reload && sudo systemctl restart ssh.socket

  Expected Behavior:

  sshd should listen on both ports 22 and 22222.
  When connecting via port 22222, password login should not be allowed and
  only public key authentication should be permitted.

  Actual Behavior:

  sshd only listens on port 22 and not on port 22222. The configuration
  is not correctly applied.

  After daemon-reload, the output from journalctl is as follows:

  $ sudo journalctl -t (sd-exec-
  Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.

  Additional Information:

  1. Using sshd -T -C to test the configuration produces the following result:
  $ sudo sshd -T -C lport=22 | grep passwordauthentication
  passwordauthentication yes

  $ sudo sshd -T -C lport=22222 | grep passwordauthentication
  passwordauthentication no

  2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
  $ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
  'Match LocalPort' in configuration but 'lport' not in connection test specification.

  3. I have tested some cases; if sshd-socket-generator cannot handle the
  config correctly, sshd seems to run with the default config.

  And I also noticed that there is no test case about the Match
  directive in
  https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.

  I guess the root cause of the issue lies in the sshd-socket-generator
  not correctly handling the Match directive.

  And a detailed assessment of the potential security issues caused by
  this bug is needed.

  If socket activation is to be widely adopted, this issue will
  undoubtedly be a significant stumbling block.
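An added check, written for this page and not part of the bug report or of Ubuntu's sshd-socket-generator: it derives the ports an sshd_config declares (global section only, stopping at the first Match block, since Port is not valid inside Match) and compares them with the ListenStream= lines of a generated addresses.conf like the one in the test plan, so a generator that failed and left the default port behind shows up as missing ports. It assumes one config file at a time (an Included drop-in is checked on its own) and uses constructed sample files.

```shell
#!/bin/sh
# Example check (hypothetical helper, not the Ubuntu sshd-socket-generator).
# Only the global section counts: Port is not allowed inside a Match block, and
# sshd ends a Match block at the next Match line or end of file, so parsing
# stops at the first Match line.

config_ports() {
    # Print Port values from the global section of one sshd_config-style file;
    # fall back to sshd's default port 22 when none is set.
    awk 'tolower($1)=="match"{exit}
         tolower($1)=="port"{print $2; n++}
         END{if(!n) print 22}' "$1"
}

render_dropin() {
    # Emit a systemd socket drop-in in the same shape as the generator's addresses.conf.
    printf '# Generated by example script\n\n[Socket]\nListenStream=\n'
    config_ports "$1" | sed 's/^/ListenStream=/'
}

dropin_ports() {
    # Print the non-empty ListenStream= values of an existing drop-in.
    awk -F= '$1=="ListenStream" && $2!=""{print $2}' "$1"
}

missing_ports() {
    # Print every port the config declares that the drop-in does not listen on;
    # empty output means the generated drop-in reflects the configuration.
    config_ports "$1" | while read -r p; do
        dropin_ports "$2" | grep -qx "$p" || echo "$p"
    done
}

# Constructed sample input: the drop-in from the bug's test plan, plus a stale
# addresses.conf as left behind when the generator fails and the default stays.
WORK=$(mktemp -d)
cat > "$WORK/custom.conf" <<'EOF'
Port 1234
Match LocalPort 22
    PasswordAuthentication no
EOF
printf '[Socket]\nListenStream=\nListenStream=22\n' > "$WORK/stale.conf"

render_dropin "$WORK/custom.conf" > "$WORK/fresh.conf"
echo "stale drop-in misses: $(missing_ports "$WORK/custom.conf" "$WORK/stale.conf")"
echo "fresh drop-in misses: $(missing_ports "$WORK/custom.conf" "$WORK/fresh.conf")"
```

On a real host, point it at /etc/ssh/sshd_config (and each drop-in) and at the addresses.conf the generator wrote under the systemd generator directory.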
