Public bug reported:

Tested openssh on bionic and groovy, same issue.

The switch to systemd lost the ability to do a sanity check on the
config file (via sshd -t) before attempting to restart sshd. This was
originally bug #624361 in the SysV days, fixed in the initscript back
then.

The sysv script still does it, but it's not used anymore:
    restart)
        check_privsep_dir
        check_config
        log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true


And:
check_config() {
    if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
        /usr/sbin/sshd $SSHD_OPTS -t || exit 1
    fi
}


The systemd service file only runs the check as ExecStartPre, which keeps
sshd from starting if there is an error but, on restart, will happily stop
the running daemon first:
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
...

Example:
# sshd -t
# systemctl restart sshd
# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
^]
telnet> quit
Connection closed.

# echo "syntax error" >> /etc/ssh/sshd_config
# sshd -t
/etc/ssh/sshd_config: line 123: Bad configuration option: syntax
/etc/ssh/sshd_config: terminating, 1 bad configuration options

# systemctl restart sshd
Job for ssh.service failed because the control process exited with error code.
See "systemctl status ssh.service" and "journalctl -xe" for details.

# telnet localhost 22
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
#
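As an added example (not the packaged initscript or unit file), a small wrapper that restores the initscript's check-before-restart behaviour on top of systemd: the config is validated while the old daemon is still serving, and the running sshd is left alone if the check fails. The function name and the SSHD/SYSTEMCTL override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu openssh package: run "sshd -t"
# before letting systemd stop the running daemon.  The function name and
# the SSHD/SYSTEMCTL override variables are assumptions for this example.
# Source this file and call: safe_restart_sshd [unit]

safe_restart_sshd() {
    unit="${1:-ssh.service}"
    # Overridable so the function can be exercised without a real sshd;
    # the defaults match the paths used in the unit file.
    sshd="${SSHD:-/usr/sbin/sshd}"
    systemctl="${SYSTEMCTL:-systemctl}"

    # Same opt-out the unit's ConditionPathExists and the initscript honour.
    if [ -e /etc/ssh/sshd_not_to_be_run ]; then
        echo "sshd is disabled via /etc/ssh/sshd_not_to_be_run; nothing to restart" >&2
        return 0
    fi

    # Pick up SSHD_OPTS the same way the unit's EnvironmentFile does.
    if [ -r /etc/default/ssh ]; then
        . /etc/default/ssh
    fi

    # Validate first.  On failure the running sshd keeps serving, so the
    # admin still has a way in to fix sshd_config.
    # shellcheck disable=SC2086  # SSHD_OPTS is meant to be word-split
    if ! "$sshd" $SSHD_OPTS -t; then
        echo "sshd config check failed; not restarting $unit" >&2
        return 1
    fi

    "$systemctl" restart "$unit"
}
```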

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1913810

Title:
  restart doesn't test for syntax errors

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1913810/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
