Debian Bug report logs - #1006171
Make internal-sftp the default

Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh.

Reported by: MichaIng <micha@dietpi.com>

Date: Sun, 20 Feb 2022 13:51:02 UTC

Severity: normal

Found in version openssh/1:8.8p1-1



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#1006171; Package openssh-server. (Sun, 20 Feb 2022 13:51:04 GMT)


Acknowledgement sent to MichaIng <micha@dietpi.com>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 20 Feb 2022 13:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: MichaIng <micha@dietpi.com>
To: submit@bugs.debian.org
Subject: Make internal-sftp the default
Date: Sun, 20 Feb 2022 14:46:50 +0100

Package: openssh-server
Version: 1:8.8p1-1

Currently the standalone OpenSSH sftp-server is used as the default SFTP
subsystem, set via /etc/ssh/sshd_config. This implies a dependency on
the openssh-sftp-server package and means that every SFTP connection
spawns a new external process, while sshd ships with the internal-sftp
in-process SFTP server, which performs better when dealing with many
short-duration connections and simplifies ChrootDirectory usage by
not requiring any manual /dev node setup.

Legacy SSH1 clients pass an exact SFTP command, hence will still depend
on openssh-sftp-server or any alternative standalone SFTP server; also,
internal-sftp means that the login shell is skipped in the first place.
But the need for both is an edge case, the use of SSH1 is IMO worth
actively discouraging, and the vast majority of OpenSSH SFTP server
admins will benefit from this change, at least by not requiring a config
change that is part of most SFTP guides around the internet,
reasonably.

Forgive me if this discussion was already done, but I couldn't find it 
within the Debian bug tracker at least.

Best regards,

Micha



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#1006171; Package openssh-server. (Sun, 20 Feb 2022 19:57:02 GMT)


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 20 Feb 2022 19:57:03 GMT)


Message #10 received at 1006171@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: MichaIng <micha@dietpi.com>, 1006171@bugs.debian.org
Subject: Re: Bug#1006171: Make internal-sftp the default
Date: Sun, 20 Feb 2022 19:54:18 +0000

On Sun, Feb 20, 2022 at 02:46:50PM +0100, MichaIng wrote:
> Currently the standalone OpenSSH sftp-server is used as the default SFTP
> subsystem, set via /etc/ssh/sshd_config. This implies a dependency on the
> openssh-sftp-server package and means that every SFTP connection spawns a
> new external process, while sshd ships with the internal-sftp in-process
> SFTP server, which performs better when dealing with many short-duration
> connections and simplifies ChrootDirectory usage by not requiring any
> manual /dev node setup.
> 
> Legacy SSH1 clients pass an exact SFTP command, hence will still depend on
> openssh-sftp-server or any alternative standalone SFTP server; also,
> internal-sftp means that the login shell is skipped in the first place. But
> the need for both is an edge case, the use of SSH1 is IMO worth actively
> discouraging, and the vast majority of OpenSSH SFTP server admins will
> benefit from this change, at least by not requiring a config change that is
> part of most SFTP guides around the internet, reasonably.

I haven't done this mainly because if the default is to be changed it
should be changed upstream; they're better placed to be aware of corner
cases that might cause regressions if changing the default.  I'd
encourage you to file this on https://bugzilla.mindrot.org/ instead.

(SSH 1 is not an issue, since the code to support it has been removed
from the server anyway, so you should probably omit that part from your
upstream report.)

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#1006171; Package openssh-server. (Mon, 28 Feb 2022 00:30:03 GMT)


Acknowledgement sent to MichaIng <micha@dietpi.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 28 Feb 2022 00:30:03 GMT)


Message #15 received at 1006171@bugs.debian.org:

From: MichaIng <micha@dietpi.com>
To: 1006171@bugs.debian.org
Subject: Re: Bug#1006171: Make internal-sftp the default
Date: Mon, 28 Feb 2022 01:27:54 +0100

I made the request upstream as advised:
https://bugzilla.mindrot.org/show_bug.cgi?id=3397

Best regards,

Micha



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#1006171; Package openssh-server. (Sun, 13 Mar 2022 17:30:03 GMT)


Acknowledgement sent to dirdi <bugs@dirdi.name>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 13 Mar 2022 17:30:03 GMT)


Message #20 received at 1006171@bugs.debian.org:

From: dirdi <bugs@dirdi.name>
To: 1006171@bugs.debian.org
Subject: Re: Bug#1006171: Make internal-sftp the default
Date: Sun, 13 Mar 2022 18:20:21 +0100

I understand and support Colin's stance that the default configuration 
shipped with Debian should follow upstream.

The nasty thing about subsystem directives is that they cannot be 
overridden by a .conf file placed inside the /etc/ssh/sshd_config.d/ 
folder, due to this bug: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998834

So if one wants to use e.g. the internal sftp server, one MUST modify 
the /etc/ssh/sshd_config file. This in turn interferes with automatic 
upgrade scripts like cron-apt, unattended-upgrades etc.

I thought about moving the subsystem directive into a new file inside 
the /etc/ssh/sshd_config.d/ folder. However, this would result in broken 
configurations on machines where the administrator keeps a modified 
/etc/ssh/sshd_config file during an upgrade.
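
A pre-upgrade check for the situation described in the message above, as an added example that is not part of the bug thread: it reports whether the sftp subsystem is the in-process or the external server, and flags the case where both the main file and a drop-in define it. The function names and sample files are constructed, and the script assumes the main file includes the drop-in directory it is given.

```shell
#!/bin/sh
# Added example, not from the bug thread; the sample files are constructed.

# Print "FILE<TAB>COMMAND" for each active "Subsystem sftp" line in FILE.
sftp_subsystem_lines() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" {
             cmd = $3
             for (i = 4; i <= NF; i++) cmd = cmd " " $i
             printf "%s\t%s\n", FILENAME, cmd
         }' "$1"
}

# audit_sftp_subsystem MAIN_CONFIG DROPIN_DIR
# Prints "internal", "external" or "missing" when at most one file defines
# the subsystem, or "conflict: FILE FILE..." when several do. Per the thread,
# a drop-in cannot override the main file's Subsystem line, so a duplicate
# is reported as something to fix, not as an override.
# Assumption: MAIN_CONFIG includes DROPIN_DIR/*.conf.
audit_sftp_subsystem() {
    defs=$(for f in "$2"/*.conf "$1"; do
               if [ -f "$f" ]; then sftp_subsystem_lines "$f"; fi
           done)
    count=$(printf '%s\n' "$defs" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo missing
    elif [ "$count" -gt 1 ]; then
        echo "conflict: $(printf '%s\n' "$defs" | cut -f1 | tr '\n' ' ' | sed 's/ $//')"
    else
        case $(printf '%s\n' "$defs" | cut -f2) in
            internal-sftp*) echo internal ;;
            *)              echo external ;;
        esac
    fi
}

# Constructed sample 1: main file only, external server configured.
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    '#Subsystem sftp internal-sftp' \
    'Subsystem sftp /usr/lib/openssh/sftp-server' > "$demo/sshd_config"
audit_sftp_subsystem "$demo/sshd_config" "$demo/sshd_config.d"

# Constructed sample 2: a drop-in now also defines the subsystem while the
# admin-kept main file still carries its own line.
printf '%s\n' 'Subsystem sftp internal-sftp' > "$demo/sshd_config.d/sftp.conf"
audit_sftp_subsystem "$demo/sshd_config" "$demo/sshd_config.d"
```

On a live host, `sshd -t` validates the combined configuration before the service is restarted.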





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 25 18:59:36 2023; Machine Name: buxtehude
