[Touch-packages] [Bug 2059874] Re: on upgrade sshd-socket-generator conversion does not respect administrator intent

2024-04-15 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:9.6p1-3ubuntu13

---
openssh (1:9.6p1-3ubuntu13) noble; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * debian: Remove dependency on libsystemd
    As per the xz backdoor we learned that the least dependencies sshd have,
    the best it is, so avoid to plug libsystemd (which also brings various
    other dependencies) inside sshd for no reason:

    - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
      dependency
    - d/p/systemd-socket-activation.patch: Import patch from debian that
      mimics the libsystemd sd_listen_fds() code, as refactored by Colin
      Watson.
    - d/control: Remove dependencies on libsystemd-dev | libelogind-dev
    - d/rules: Drop --with-systemd flag (new options are used by default)

  [ Nick Rosbrook ]
  * debian/patches: only set PAM_RHOST if remote host is not "UNKNOWN"
    (LP: #2060150)
  * debian/openssh-server.postinst: don't re-enable ssh.socket if it was
    disabled (LP: #2059874)
  * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22
    (LP: #2059872)

 -- Nick Rosbrook   Fri, 05 Apr 2024 15:30:31 -0400

** Changed in: openssh (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2059874

Title:
  on upgrade sshd-socket-generator conversion does not respect
  administrator intent

Status in openssh package in Ubuntu:
  Fix Released

Bug description:
  the openssh-server 1:9.6p1-3ubuntu11 postinst contains this code
  snippet:

  if [ "$action" == configure ]; then
    ..snip..
    if dpkg --compare-versions "$2" lt-nl 1:9.6p1-3ubuntu3~; then
      ..snip..
      if [ -d /run/systemd/system ]; then
        # Make sure ssh.service is disabled.
        systemctl unmask ssh.service
        systemctl disable --now ssh.service > /dev/null 2>&1

        # sshd-socket-generator is invoked on daemon-reload.
        systemctl daemon-reload
        systemctl enable ssh.socket
      fi
    fi
  fi

  This does not respect existing service and socket unit configuration,
  it effectively re-enables a disabled ssh.service (and even a masked
  one), and a manually disabled socket unit. I strongly suspect it does
  not respect systemd presets either.

  This is unexpected behaviour.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2059874/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
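
Added example (not part of the original thread and not the code from the Ubuntu package): one way a maintainer script could check unit state before converting sshd to socket activation, covering the disabled-socket and masked-unit cases raised in this bug. The function names, the "yes"/"no" first argument and the "keep:<reason>" strings are assumptions made for illustration; the unit states are the strings printed by `systemctl is-enabled`.

```shell
# Added example: decide whether an upgrade may switch sshd to socket
# activation. Function names and arguments are hypothetical, not Ubuntu's.

# Print the `systemctl is-enabled` state of a unit (enabled, disabled,
# masked, ...). is-enabled exits non-zero for disabled/masked units.
unit_state() {
    systemctl is-enabled "$1" 2>/dev/null || true
}

# $1: "yes" if the release being upgraded from already defaulted to socket
#     activation ("kinetic or newer" in the thread), otherwise "no"
# $2: state of ssh.socket   $3: state of ssh.service
# Prints "migrate" or "keep:<reason>".
plan_ssh_migration() {
    prev_socket_default=$1; socket=$2; service=$3

    # Masking is an explicit administrator decision: never unmask, and
    # `systemctl enable` on a masked unit fails anyway.
    case "$socket" in masked*) echo "keep:socket-masked"; return ;; esac
    case "$service" in masked*) echo "keep:service-masked"; return ;; esac

    if [ "$socket" = enabled ]; then
        echo "keep:already-socket-activated"; return
    fi
    # Where the socket was on by default, a disabled socket is an opt-out.
    if [ "$prev_socket_default" = yes ] && [ "$socket" = disabled ]; then
        echo "keep:socket-disabled-by-admin"; return
    fi
    # sshd was not enabled at all: do not start listening after the upgrade.
    if [ "$service" = disabled ]; then
        echo "keep:sshd-not-enabled"; return
    fi
    echo "migrate"
}

# How a maintainer script could act on the plan (defined, not called here).
apply_ssh_migration() {
    plan=$(plan_ssh_migration "$1" "$(unit_state ssh.socket)" \
                                    "$(unit_state ssh.service)")
    if [ "$plan" != migrate ]; then
        echo "ssh: leaving units untouched ($plan)"; return 0
    fi
    systemctl disable --now ssh.service >/dev/null 2>&1
    systemctl daemon-reload   # sshd-socket-generator runs on daemon-reload
    systemctl enable ssh.socket
}
```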


[Touch-packages] [Bug 2059874] Re: on upgrade sshd-socket-generator conversion does not respect administrator intent

2024-04-11 Thread Nick Rosbrook
** Changed in: openssh (Ubuntu)
   Status: Confirmed => Fix Committed



[Touch-packages] [Bug 2059874] Re: on upgrade sshd-socket-generator conversion does not respect administrator intent

2024-04-03 Thread Patrice
** Information type changed from Public to Public Security



[Touch-packages] [Bug 2059874] Re: on upgrade sshd-socket-generator conversion does not respect administrator intent

2024-04-02 Thread Nick Rosbrook
> For me the biggest problem was the socket unit being re-enabled when
> I had disabled it but still running sshd.service (i.e. without socket
> activation) - now you're unexpectedly switched back to using socket
> activation - something I explicitly opted out of.

Okay. We could probably adjust the check to ignore migration if the user
is upgrading from kinetic or newer and has ssh.socket disabled.

> I could also see this causing problems if you have the socket unit
> masked (don't see why you would want that however) but the service is
> enabled, now you are without sshd. Actually I think the postinst would
> also fail in that case, as systemctl enable fails enabling masked units.

This is a good point as well.

** Changed in: openssh (Ubuntu)
   Status: Incomplete => Confirmed

** Changed in: openssh (Ubuntu)
   Importance: Low => Medium

** Changed in: openssh (Ubuntu)
 Assignee: (unassigned) => Nick Rosbrook (enr0n)

** Tags added: foundations-todo



[Touch-packages] [Bug 2059874] Re: on upgrade sshd-socket-generator conversion does not respect administrator intent

2024-04-02 Thread Andre Tomt
I'm not that invested in the having openssh-server installed but not
running use-case, but in general people do not like their local
configuration being overridden on package upgrades in this manner.

I could imagine people having it installed for the man-pages, or maybe
using other units for it (per VRF instances or something), having the
main service and socket units disabled, but I doubt that happens that
much in practice.

For me the biggest problem was the socket unit being re-enabled when I
had disabled it but still running sshd.service (i.e. without socket
activation) - now you're unexpectedly switched back to using socket
activation - something I explicitly opted out of.

I could also see this causing problems if you have the socket unit
masked (don't see why you would want that however) but the service is
enabled, now you are without sshd. Actually I think the postinst would
also fail in that case, as systemctl enable fails enabling masked units.



[Touch-packages] [Bug 2059874] Re: on upgrade sshd-socket-generator conversion does not respect administrator intent

2024-04-02 Thread Nick Rosbrook
Is there a strong use case for installing openssh-server, but then not
wanting it to run as a daemon (i.e. disabling the necessary systemd
units)? The purpose of this snippet is to migrate to socket activated
sshd by default, which is the case for new installs of openssh-server.


** Changed in: openssh (Ubuntu)
   Status: New => Incomplete

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Low
