[Bug 2076023] Re: Failed to apply 'Match' directive in sshd_config with sshd-socket-generator
Nick Rosbrook
2076023 at bugs.launchpad.net
Wed Oct 23 15:42:02 UTC 2024
I have verified this fix using openssh-server 1:9.6p1-3ubuntu13.6 from
noble-proposed.
I created a container and enabled noble-proposed:
nr at six:~$ lxc launch ubuntu:noble noble
Launching noble
nr at six:~$ lxc exec noble bash
root at noble:~# cat > /etc/apt/sources.list.d/proposed.sources << EOF
Types: deb
URIs: http://us.archive.ubuntu.com/ubuntu/
Suites: noble-proposed
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF
root at noble:~# apt update
Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed InRelease [265 kB]
Hit:2 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages [180 kB]
Hit:4 http://archive.ubuntu.com/ubuntu noble InRelease
Get:5 http://us.archive.ubuntu.com/ubuntu noble-proposed/main Translation-en [48.6 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Components [22.0 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 c-n-f Metadata [3556 B]
Get:8 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Packages [650 kB]
Hit:9 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:10 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Get:11 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe Translation-en [79.1 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Components [68.0 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 c-n-f Metadata [10.7 kB]
Fetched 1326 kB in 1s (1190 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
16 packages can be upgraded. Run 'apt list --upgradable' to see them.
Then I created the drop-in and confirmed the CURRENT version fails:
root at noble:~# cat > /etc/ssh/sshd_config.d/custom.conf << EOF
Port 1234
Match LocalPort 22
PasswordAuthentication no
EOF
root at noble:~# /lib/systemd/system-generators/sshd-socket-generator .
'Match LocalPort' in configuration but 'lport' not in connection test specification.
Then I installed the new openssh-server, and confirmed the issue went
away:
root at noble:~# apt install -t noble-proposed openssh-server -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
openssh-client openssh-sftp-server
Suggested packages:
keychain libpam-ssh monkeysphere ssh-askpass molly-guard
The following packages will be upgraded:
openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 71 not upgraded.
Need to get 1451 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-sftp-server amd64 1:9.6p1-3ubuntu13.6 [37.3 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-server amd64 1:9.6p1-3ubuntu13.6 [509 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-client amd64 1:9.6p1-3ubuntu13.6 [905 kB]
Fetched 1451 kB in 0s (5318 kB/s)
Preconfiguring packages ...
(Reading database ... 34495 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-sftp-server (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Preparing to unpack .../openssh-server_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-server (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Preparing to unpack .../openssh-client_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-client (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Setting up openssh-client (1:9.6p1-3ubuntu13.6) ...
Setting up openssh-sftp-server (1:9.6p1-3ubuntu13.6) ...
Setting up openssh-server (1:9.6p1-3ubuntu13.6) ...
Replacing config file /etc/ssh/sshd_config with new version
'Match LocalPort' in configuration but 'lport' not in connection test specification.
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for ufw (0.36.2-6) ...
Scanning processes...
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root at noble:~# /lib/systemd/system-generators/sshd-socket-generator .
root at noble:~# cat ssh.socket.d/addresses.conf
# Automatically generated by sshd-socket-generator
[Socket]
ListenStream=
ListenStream=0.0.0.0:1234
ListenStream=[::]:1234
https://bugs.launchpad.net/bugs/2076023
Title:
Failed to apply 'Match' directive in sshd_config with sshd-socket-generator
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Noble:
Fix Committed
Status in openssh source package in Oracular:
Fix Released
Bug description:
[Impact]
When users have a Match section in their sshd config, their
configuration cannot be parsed by the sshd-socket-generator (because
there is no connection, hence no connection spec to be matched), and
the generator fails. This means no custom config is applied at all.
[Test Plan]
1. On a noble system with sshd installed, create a drop-in config with
a Match directive, and run the generator locally:
$ cat > /etc/ssh/sshd_config.d/custom.conf << EOF
Port 1234
Match LocalPort 22
PasswordAuthentication no
EOF
$ /lib/systemd/system-generators/sshd-socket-generator .
'Match LocalPort' in configuration but 'lport' not in connection test specification.
On an affected system, the above error will be shown. On a patched
system, the generator will succeed, and ./ssh.socket.d/addresses.conf
will reflect the Port 1234 option.
2. A new subtest was added to debian/tests/sshd-socket-generator,
test_match_port. It does the same as the above, and should pass in
autopkgtest.
[Where problems could occur]
This patch simply removes the code from sshd-socket-generator that
tries to parse the match config. If problems did occur, it would be
related to the generator again. Specifically, it would likely be
related to missing/unparsed options.
[Original Description]
When using the Match statement in sshd_config or sshd_config.d/*.conf
with socket activation (not the classic method), sshd does not start as
expected.
Environment:
Ubuntu: Ubuntu 24.04 LTS
OpenSSH Server: 1:9.6p1-3ubuntu13.4
Steps to Reproduce:
/etc/ssh/sshd_config
```
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 22222
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match LocalPort 22222
PasswordAuthentication no
PubkeyAuthentication yes
```
command:
sudo systemctl daemon-reload && sudo systemctl restart ssh.socket
Expected Behavior:
sshd should listen on both ports 22 and 22222.
When connecting via port 22222, password login should not be allowed and only public key authentication should be permitted.
Actual Behavior:
sshd only listens on port 22 and not on port 22222. The configuration
is not correctly applied.
After daemon-reload, the output from journalctl is as follows:
$ sudo journalctl -t (sd-exec-
Aug 04 12:47:36 ults (sd-exec-[479259]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 255.
Additional Information:
1. Using sshd -T -C to test the configuration produces the following result:
$ sudo sshd -T -C lport=22 | grep passwordauthentication
passwordauthentication yes
$ sudo sshd -T -C lport=22222 | grep passwordauthentication
passwordauthentication no
2. The output when manually running /usr/lib/systemd/system-generators/sshd-socket-generator is:
$ sudo /usr/lib/systemd/system-generators/sshd-socket-generator ./
'Match LocalPort' in configuration but 'lport' not in connection test specification.
3. I have tested some cases; if sshd-socket-generator cannot handle the
config correctly, sshd seems to run with the default config.
I also noticed that there is no test case about the Match directive in
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/tests/sshd-socket-generator.
I guess the root cause of the issue lies in the sshd-socket-generator
not correctly handling the Match directive.
And a detailed assessment of the potential security issues caused by
this bug is needed.
If socket activation is to be widely adopted, this issue will
undoubtedly be a significant stumbling block.
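The point the reporter raises in item 3 above is that a failed generator leaves sshd on its stock port 22 without any of the drop-in settings. The check below is an added example, not part of the bug report or of Ubuntu's openssh packaging: it compares the ports sshd itself reports from the parsed config (`sshd -T`, where Port is a global directive so no `-C` spec is needed) with the ports the generator wrote into `ssh.socket.d/addresses.conf`, using constructed input that mirrors the bug's two-port config. The function names and the demo files are this example's own.

```shell
#!/bin/sh
# Added example; not from the bug report or from Ubuntu's openssh packaging.
# Compares the ports sshd reports from its parsed config (sshd -T) with the
# ports the generator wrote into ssh.socket.d/addresses.conf, so a generator
# that failed and left sshd on the stock port 22 is caught.

# Ports listed by `sshd -T` (Port is global, so no -C connection spec needed).
ports_from_sshd_t() {            # $1: file holding `sshd -T` output
    awk 'tolower($1) == "port" { print $2 }' "$1" | sort -un
}

# Ports from the generator's addresses.conf: the part after the last ':' of
# each ListenStream= value ("0.0.0.0:1234", "[::]:1234" or a bare "1234");
# the empty "ListenStream=" reset line is skipped.
ports_from_addresses_conf() {    # $1: path to addresses.conf
    sed -n 's/^ListenStream=//p' "$1" | sed 's/.*://' \
        | grep -x '[0-9][0-9]*' | sort -un
}

# Exit status 0 when both port sets are identical, 1 otherwise.
socket_ports_match() {           # $1: `sshd -T` output file, $2: addresses.conf
    want=$(ports_from_sshd_t "$1")
    got=$(ports_from_addresses_conf "$2")
    [ "$want" = "$got" ] && return 0
    printf 'sshd -T ports: %s\naddresses.conf ports: %s\n' \
        "$(echo $want)" "$(echo $got)" >&2
    return 1
}

# Offline demo on constructed input: sshd -T output for the bug's config
# (Port 22 and Port 22222) against a socket drop-in that only carries port 22,
# which is what a silently failed generator leaves behind.
demo_constructed() {
    d=$(mktemp -d) || return 1
    printf 'port 22\nport 22222\npasswordauthentication yes\n' > "$d/sshd_t.out"
    printf '[Socket]\nListenStream=\nListenStream=0.0.0.0:22\nListenStream=[::]:22\n' \
        > "$d/addresses.conf"
    socket_ports_match "$d/sshd_t.out" "$d/addresses.conf"; rc=$?
    rm -rf "$d"
    return $rc                   # 1: port 22222 is missing from the socket unit
}

# Live use on a host (root is needed for sshd -T and for reading the config):
#   tmp=$(mktemp -d) && cd "$tmp" && sshd -T > sshd_t.out \
#     && /lib/systemd/system-generators/sshd-socket-generator . \
#     && socket_ports_match sshd_t.out ssh.socket.d/addresses.conf

# Run the offline demo when executed directly; the mismatch goes to stderr.
demo_constructed || echo "demo: mismatch reported (expected for the constructed input)"
```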