** Description changed: [Impact] - * Provisioning with the latest walinuxagent will break sshd_config, + * Provisioning with the latest walinuxagent will break sshd_config, barring sshd from starting. With ssh access often the only means of access for cloud instances, this is extremely disruptive. - * A backport of this fix is necessary to retain ssh access after re- + * A backport of this fix is necessary to retain ssh access after re- provisioning an instance hosted on Azure. - * The current waagent command assumes that sshd_config is terminated + * The current waagent command assumes that sshd_config is terminated with a newline when it appends a config option to the file. There is no newline and thus this new configuration option is appended to a current option rendering the config file invalid. The fix is to insert a newline prior to appending to the config file. [Test Case] Steps to reproduce - * Become familiar with the last line of sshd_config, `tail /etc/ssh/sshd_config` - It will contain "UsePAM yes" and have new newline at the of the file. - * Install walinuxagent with `apt-get install walinuxagent` - * Force re-provisioning by running `waagent -setup` - * Check the config file with `tail /etc/ssh/sshd_config`. It will now contain: - "UsePAM yesClientAliveInterval 180" - * Confirm that the SSH daemon will fail to start. Test by running `/usr/sbin/sshd`. Expected error output is: - "/etc/ssh/sshd_config line 88: Bad yes/no argument: yesClientAliveInterval" - At this point, rebooting the OS will result in loss of SSH access. + * Become familiar with the last line of sshd_config, `tail /etc/ssh/sshd_config` + It will contain "UsePAM yes" and have new newline at the of the file. + * Install walinuxagent with `apt-get install waagent` + * Force re-provisioning by running `waagent -setup` + * Check the config file with `tail /etc/ssh/sshd_config`. It will now contain: + "UsePAM yesClientAliveInterval 180" + * Confirm that the SSH daemon will fail to start. Test by running `/usr/sbin/sshd`. Expected error output is: + "/etc/ssh/sshd_config line 88: Bad yes/no argument: yesClientAliveInterval" + At this point, rebooting the OS will result in loss of SSH access. * Edit /etc/ssh/sshd_config to insert a carriage return after "UsePAM yes" and place "ClientAliveInterval 180" on its own line. - * Verify that ssh can start again `/usr/sbin/sshd` + * Verify that ssh can start again `/usr/sbin/sshd` [Regression Potential] - * Regression risk is extremely low, I can't think of a negative impact + * Regression risk is extremely low, I can't think of a negative impact of adding an extra newline to the end of the file before appending content. [Other Info] - - * Tested in 14.04 and 13.10, PPA builds can be found at ppa:~rcj/testing for thos packages. - * Repeated re-provisioning will add new newline characters, which will add whitespace prior to the new config option. This whitespace will grow by one line with each re-provisioning; but this is a rare operation. Given the code structure it was far safer to address this by unconditionally adding the newline rather than adding complexity to check that it was absolutely needed. + * Tested in 14.04 and 13.10, PPA builds can be found at ppa:~rcj/testing for thos packages. + * Repeated re-provisioning will add new newline characters, which will add whitespace prior to the new config option. This whitespace will grow by one line with each re-provisioning; but this is a rare operation. Given the code structure it was far safer to address this by unconditionally adding the newline rather than adding complexity to check that it was absolutely needed. [ Original Description Follows ] After installing the latest walinuxagent package on Ubuntu 13.10 I see that we end up with a broken configuration in /etc/ssh/sshd_config. The last line in that file looks like the following: UsePAM yesClientAliveInterval 180 This is the result of the agent package re-running "waagent -setup," which wants to append the "ClientAliveInterval 180" parameter to /etc/ssh/sshd_config to avoid timeouts with the Azure load balancer (which has a 4 minute timeout). But currently waagent assumes there is a "\n" at the end of this file. We could fix this bug in the agent to always add "\n" to the front of this parameter (maybe a good idea) or there may be another way to fix this.
-- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to walinuxagent in Ubuntu. https://bugs.launchpad.net/bugs/1305418 Title: walinuxagent breaks sshd configuration To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/walinuxagent/+bug/1305418/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
