[Bug 1861909] Re: Please ship ec2-instance-connect.conf instead of creating it in postinst
Balint Reczey
balint.reczey at canonical.com
Tue Feb 4 20:37:11 UTC 2020
** Description changed:
- TODO finish
-
[Impact]
- * The systemd drop-in is placed and removed in maintainer scripts based
- on the current system configuration.
+ * The ssh.service drop-in is placed and removed in maintainer scripts
+ based on the current ssh configuration checks which are incomplete. The
+ drop-in is also not owned by the package.
[Test Case]
- * detailed instructions how to reproduce the bug
+ * Install the fixed package. The drop-in should be listed among the package's files:
+ $ dpkg -L ec2-instance-connect
+ ...
+ /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
+ ...
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ * Upgrade package from previous version. The drop-in should replace the
+ old one.
+
+ * Change /etc/ssh/sshd_config to set AuthorizedKeysCommand
+ Install the fixed package. A warning should appear and sshd should not be restarted by the package's maintainer scripts.
[Regression Potential]
- * discussion of how regressions are most likely to manifest as a result
- of this change.
-
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ * The change is made to make installation and upgrades more reliable. The test cases check package installs and upgrades where regressions could happen due to implementation mistakes.
+ * The unfixed version of the package did not place the drop-in when it detected setting AuthorizedKeysCommand in sshd_conf, while the fixed version installs the drop-in, just does not restart the ssh service. This can block users from logging in via ssh if only the sshd_conf's AuthorizedKeysCommand configuration enabled their login and the ssh service got restarted after installing/upgrading ec2-instance-connect.
+ This is a known change in behavior and is mitigated by showing a warning when this potentially problematic configuration is detected. It is also worth noting that in case the drop-in overrides the configuration in sshd_conf it is still possible to log in via EC2 Instance Connect, the login method the package enables.
[Other Info]
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1861909
Title:
Please ship ec2-instance-connect.conf instead of creating it in
postinst
Status in ec2-instance-connect package in Ubuntu:
New
Bug description:
[Impact]
* The ssh.service drop-in is placed and removed in maintainer scripts
based on the current ssh configuration checks which are incomplete.
The drop-in is also not owned by the package.
[Test Case]
* Install the fixed package. The drop-in should be listed among the package's files:
$ dpkg -L ec2-instance-connect
...
/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
...
* Upgrade package from previous version. The drop-in should replace
the old one.
* Change /etc/ssh/sshd_config to set AuthorizedKeysCommand
Install the fixed package. A warning should appear and sshd should not be restarted by the package's maintainer scripts.
[Regression Potential]
* The change is made to make installation and upgrades more reliable. The test cases check package installs and upgrades where regressions could happen due to implementation mistakes.
* The unfixed version of the package did not place the drop-in when it detected setting AuthorizedKeysCommand in sshd_conf, while the fixed version installs the drop-in, just does not restart the ssh service. This can block users from logging in via ssh if only the sshd_conf's AuthorizedKeysCommand configuration enabled their login and the ssh service got restarted after installing/upgrading ec2-instance-connect.
This is a known change in behavior and is mitigated by showing a warning when this potentially problematic configuration is detected. It is also worth noting that in case the drop-in overrides the configuration in sshd_conf it is still possible to log in via EC2 Instance Connect, the login method the package enables.
[Other Info]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1861909/+subscriptions
More information about the foundations-bugs
mailing list