[Bug 2076023] Re: Failed to apply 'Match' directive in sshd_config with sshd-socket-generator

Nick Rosbrook 2076023 at bugs.launchpad.net
Wed Aug 28 17:49:08 UTC 2024


I am planning an SRU for noble in the next couple weeks.

** Tags removed: foundations-todo

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2076023

Title:
  Failed to apply 'Match' directive in sshd_config with sshd-socket-
  generator

Status in openssh package in Ubuntu:
  Fix Committed
Status in openssh source package in Noble:
  Triaged
Status in openssh source package in Oracular:
  Fix Committed

Bug description:
  When using the Match statement in sshd_config or sshd_config.d/*.conf
  with socket activation (not the classic method), sshd does not start as
  expected.

  Environment:

  Ubuntu: Ubuntu 24.04 LTS
  OpenSSH Server: 1:9.6p1-3ubuntu13.4


  Steps to Reproduce:

  /etc/ssh/sshd_config
  ```
  Include /etc/ssh/sshd_config.d/*.conf
  Port 22
  Port 22222
  KbdInteractiveAuthentication no
  UsePAM yes
  X11Forwarding yes
  PrintMotd no
  AcceptEnv LANG LC_*
  Subsystem	sftp	/usr/lib/openssh/sftp-server
  Match LocalPort 22222
      PasswordAuthentication no
      PubkeyAuthentication yes
  ```

  command:

  sudo systemctl daemon-reload && sudo systemctl restart ssh.socket


  Expected Behavior:

  sshd should listen on both ports 22 and 22222.
  When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.

  
  Actual Behavior:

  sshd only listens on port 22 and not on port 22222. The configuration
  is not correctly applied.

  After daemon-reload, the output from journalctl is as follows:

  $ sudo journalctl -t (sd-exec-
  Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.


  Additional Information:

  1. Using sshd -T -C to test the configuration produces the following result:
  $ sudo sshd -T -C lport=22 | grep passwordauthentication
  passwordauthentication yes

  $ sudo sshd -T -C lport=22222 | grep passwordauthentication
  passwordauthentication no

  2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
  $ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
  'Match LocalPort' in configuration but 'lport' not in connection test specification.

  3. I have tested some cases; if sshd-socket-generator cannot handle the
  config correctly, sshd seems to run with the default config.

  
  And I also noticed that there is no test case about the Match directive in https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator. 

  I guess the root cause of the issue lies in the sshd-socket-generator
  not correctly handling the Match directive.

  And a detailed assessment of potential security issues caused by this
  bug is needed.

  If socket activation is to be widely adopted, this issue will
  undoubtedly be a significant stumbling block.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2076023/+subscriptions
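An added pre-check, written for this note and not taken from the bug report or the openssh package: it parses an sshd_config the way the report's symptoms suggest the generator needs to, listing the Port directives and which `sshd -T -C` keys the Match criteria require, so the "'lport' not in connection test specification" failure is caught before daemon-reload instead of leaving sshd on default ports. The helper names (analyse_sshd_config, sshd_test_commands) are hypothetical, Include files are not followed, and the Match-keyword-to-`-C`-key mapping is the one documented in sshd(8).

```python
import shlex
# Match criterion -> `sshd -T -C key=value` key that satisfies it (per sshd(8);
# Group is resolved through the user, so it needs user=).
MATCH_TO_SPEC = {"user": "user", "group": "user", "host": "host", "address": "addr",
                 "localaddress": "laddr", "localport": "lport", "rdomain": "rdomain"}
# Constructed sample: the essential lines of the report's reproducer config.
SAMPLE_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 22222
Match LocalPort 22222
    PasswordAuthentication no
"""

def analyse_sshd_config(config_text):
    """Return Port directives and the `-C` keys the Match criteria need.
    Hypothetical helper: Include files are not followed and ListenAddress
    host:port forms are ignored, which suffices for the report's config."""
    ports, spec_keys = [], set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        key = tokens[0].lower()
        if key == "port" and len(tokens) == 2:
            ports.append(int(tokens[1]))
        elif key == "match":
            # Criteria are `Name value` pairs (`Name=value` tolerated here too);
            # the bare keyword `all` takes no value.
            crit = [t for tok in tokens[1:] for t in tok.split("=", 1) if t]
            i = 0
            while i < len(crit):
                name = crit[i].lower()
                if name in MATCH_TO_SPEC:
                    spec_keys.add(MATCH_TO_SPEC[name])
                i += 1 if name == "all" else 2
    return {"ports": ports or [22], "spec_keys": sorted(spec_keys)}

def sshd_test_commands(config_text):
    """`sshd -T` pre-check(s) that fail the way the generator did: one per port
    when Match LocalPort is used; other criteria get <placeholder> values."""
    info = analyse_sshd_config(config_text)
    ports = info["ports"] if "lport" in info["spec_keys"] else [None]
    cmds = []
    for port in ports:
        spec = [f"lport={port}" if k == "lport" else f"{k}=<{k}>" for k in info["spec_keys"]]
        cmds.append("sshd -T" + (" -C " + ",".join(spec) if spec else ""))
    return cmds
```

Running each returned command (as root, against the real config) before restarting ssh.socket reproduces the generator's check; a non-zero exit means the socket unit would not get the intended ports.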
