Your message dated Sat, 18 Nov 2017 21:32:08 +0000 with message-id <[email protected]> and subject line Bug#865770: fixed in openssh 1:7.4p1-10+deb9u2 has caused the Debian Bug report #865770, regarding openssh-server fails to validate configuration before reloading, under systemd to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
865770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865770
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-server
Version: 1:6.7p1-5+deb8u3
Severity: important
Tags: patch jessie stretch sid

Dear maintainers,

The systemd units shipped as part of jessie, stretch and sid do not validate the sshd_config file before proceeding with reloading or restarting the daemon. (Note that reloading when the file contains invalid config makes sshd exit.)

As far as I can tell, the old initscripts have the correct behaviour, so this is a systemd-specific regression.

Please find included a patch that makes `systemctl reload ssh` fail properly when the configuration is invalid.

Unfortunately, systemd does not support validating configuration before restarting a service, though an issue has been open for over 1.5 years: https://github.com/systemd/systemd/issues/2175

Given the severity of the issue (indeed, this can easily result in accidental loss of administrative access, making the error quite difficult to fix), please consider shipping the patch in the next point-release.

This was one of the causes of an outage at hashbang.sh, resulting in loss of SSH access for all users and administrators.

Regards, kf -- System Information: Debian Release: 8.8 APT prefers oldstable APT policy: (900, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages openssh-server depends on: ii adduser 3.113+nmu3 ii debconf [debconf-2.0] 1.5.56 ii dpkg 1.17.27 ii init-system-helpers 1.22 ii libc6 2.19-18+deb8u10 ii libcomerr2 1.42.12-2+b1 ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u2 ii libkrb5-3 1.12.1+dfsg-19+deb8u2 ii libpam-modules 1.1.8-3.1+deb8u2 ii libpam-runtime 1.1.8-3.1+deb8u2 ii libpam0g 1.1.8-3.1+deb8u2 ii libselinux1 2.3-2 ii libssl1.0.0 1.0.1t-1+deb8u6 ii libwrap0 7.6.q-25 ii lsb-base 4.1+Debian13+nmu1 ii openssh-client 1:6.7p1-5+deb8u3 ii openssh-sftp-server 1:6.7p1-5+deb8u3 ii procps 2:3.3.9-9 ii zlib1g 1:1.2.8.dfsg-2+b1 Versions of packages openssh-server recommends: ii ncurses-term 6.0+20160625-1 ii xauth 1:1.0.9-1 Versions of packages openssh-server suggests: pn molly-guard <none> pn monkeysphere <none> pn rssh <none> pn ssh-askpass <none> pn ufw <none> -- Configuration Files: /etc/pam.d/sshd changed: @include common-auth @include common-account session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close session required pam_loginuid.so session optional pam_keyinit.so force revoke @include common-session session optional pam_motd.so motd=/run/motd.dynamic session optional pam_motd.so noupdate session optional pam_mail.so dir=~/Mail standard noenv # [1] session required pam_limits.so session required pam_env.so # [1] session required pam_env.so user_readenv=1 envfile=/etc/default/locale session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open @include common-password -- debconf information excludeddiff --git i/debian/systemd/ssh.service w/debian/systemd/ssh.service index 
3df8c64..7351931 100644 --- i/debian/systemd/ssh.service +++ w/debian/systemd/ssh.service @@ -6,7 +6,7 @@ ConditionPathExists=!/etc/ssh/sshd_not_to_be_run [Service] EnvironmentFile=-/etc/default/ssh ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -ExecReload=/bin/kill -HUP $MAINPID +ExecReload=/bin/sh -c '/usr/sbin/sshd -t && /bin/kill -HUP $MAINPID' KillMode=process Restart=on-failure RestartPreventExitStatus=255
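Review bot: In the new ExecReload line, `/usr/sbin/sshd -t` runs without `$SSHD_OPTS`, while ExecStart passes `$SSHD_OPTS` to the daemon, so when those options select another configuration file (for example with `-f`) the check validates a file the running sshd does not use. Pass the same options to the test. The `sh -c` wrapper is also avoidable: two lines, `ExecReload=/usr/sbin/sshd -t $SSHD_OPTS` followed by the original `ExecReload=/bin/kill -HUP $MAINPID`, give the same ordering, since systemd runs multiple ExecReload= commands in sequence and stops at the first failure. The hunk guards reload only; the report itself notes that restart is not covered.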
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-10+deb9u2

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 18 Nov 2017 09:37:22 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.4p1-10+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5 - secure shell client and server (transitional package)
Closes: 865770 873201 877800
Changes:
 openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
 .
   * Test configuration before starting or reloading sshd under systemd
     (closes: #865770).
   * Adjust compatibility patterns for WinSCP to correctly identify versions
     that implement only the legacy DH group exchange scheme (closes: #877800).
   * Make "--" before the hostname terminate argument processing after the
     hostname too (closes: #873201).
--- End Message ---

