This hit me this weekend, courtesy of the Debian 12.1 to 12.2 point upgrade.
That upgraded openssh-server from 1:9.2p1-2 to 1:9.2p1-2+deb12u1.

I had made some changes to /etc/ssh/sshd_config in March 2018 (Debian 9.4), one 
of which moved the default port to 2222.  This was to make port 22 available 
for use by a Docker-based GitLab instance.

I have been following point upgrades since then through 9.13, jumped to 10.6, 
point upgrades through 10.11, jumped to 11.2, point upgrades through 11.7.  All 
without making any manual changes to sshd_config.

I integrated upstream sshd_config changes when I manually upgraded the host to 
Debian 12.1 (from 11.7) in August 2023.  At that time I did not move my 
customizations to use the new /etc/ssh/sshd_config.d/* support.

The point upgrade was performed by unattended-upgrades on 2023-10-08 and the 
machine was automatically rebooted on 2023-10-09.  The SSH daemon was started 
first, preventing the GitLab instance from starting.  Seeing that, I tried to 
login remotely via port 2222 and got a connection refused.  Yikes!

Fortunately, the logcheck reports in my mailbox pointed out that GitLab could 
not bind to port 22, giving me a clue that I could probably SSH in on that 
port.  Fortunately that worked and I was able to get things back to working 
order via that remote login.

I have not been able to find any notice of this in the Debian 12 release notes 
or the /usr/share/doc/openssh-server/{NEWS,README}.Debian.gz files and was 
therefore very unpleasantly surprised by this behavior.

FWIW, my /var/cache/debconf/config.dat contains

  Name: openssh-server/password-authentication
  Template: openssh-server/password-authentication
  Value: false
  Owners: openssh-server

  Name: openssh-server/permit-root-login
  Template: openssh-server/permit-root-login
  Value: true
  Owners: openssh-server

but I manually edited sshd_config to use

  PermitRootLogin no

as well as 

  Port 22

Cross-checking with /var/cache/debconf/templates.dat, it appears I used 
dpkg-reconfigure to change password-authentication to end up with

  PasswordAuthentication no

in my sshd_config.

The openssh-server.postinst appears to be responsible for "clobbering" my 
customizations (via ucf) but I don't see any differences to that file between 
the old and new versions, making me wonder why this hasn't hit me before.

I'll be syncing the openssh-server debconf answers with what I have in my 
sshd_config and moving any other customizations out to /etc/ssh/sshd_config.d/* 
snippets, but thought this might be of use to others.
