Debian Bug report logs - #959726
openssh-server: HostKey config in /etc/ssh/sshd_config.d/ not found by postinst script


Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh (PTS, buildd, popcon).

Reported by: Philipp Marek <philipp@marek.priv.at>

Date: Mon, 4 May 2020 14:12:01 UTC

Severity: minor

Tags: patch

Found in version openssh/1:8.2p1-4



Report forwarded to debian-bugs-dist@lists.debian.org, philipp@marek.priv.at, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#959726; Package openssh-server. (Mon, 04 May 2020 14:12:03 GMT)


Acknowledgement sent to Philipp Marek <philipp@marek.priv.at>:
New Bug report received and forwarded. Copy sent to philipp@marek.priv.at, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 04 May 2020 14:12:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Philipp Marek <philipp@marek.priv.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-server: HostKey config in /etc/ssh/sshd_config.d/ not found by postinst script
Date: Mon, 4 May 2020 16:09:19 +0200
Package: openssh-server
Version: 1:8.2p1-4
Severity: minor

The postinst script generates host keys for keys defined in 
/etc/ssh/sshd_config, but NOT for definitions in /etc/ssh/sshd_config/*.

That's a bit inconsistent; perhaps these should be looked at too.

Sadly that means parsing "Include" statements from the config file,
which opens a new can of worms...
Perhaps sshd should be asked which host keys are configured, or it should 
(optionally) create keys as needed by itself... (?)


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-1-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE=de_AT:de (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.74
ii  dpkg                   1.19.7
ii  libaudit1              1:2.8.5-3+b1
ii  libc6                  2.30-4
ii  libcom-err2            1.45.6-1
ii  libcrypt1              1:4.4.16-1
ii  libgssapi-krb5-2       1.17-7
ii  libkrb5-3              1.17-7
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            3.0-1+b3
ii  libssl1.1              1.1.1g-1
ii  libsystemd0            245.5-2
ii  libwrap0               7.6.q-30
ii  lsb-base               11.1.0
ii  openssh-client         1:8.2p1-4
ii  openssh-sftp-server    1:8.2p1-4
ii  procps                 2:3.3.16-4
ii  runit-helper           2.8.15
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  245.5-2
ii  ncurses-term             6.2-1
ii  xauth                    1:1.0.10-1

Versions of packages openssh-server suggests:
ii  lxqt-openssh-askpass [ssh-askpass]  0.14.1-1
pn  molly-guard                         <none>
pn  monkeysphere                        <none>
pn  ufw                                 <none>

-- debconf information excluded

-- 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#959726; Package openssh-server. (Fri, 06 Nov 2020 04:30:02 GMT)


Acknowledgement sent to Dmitry Borodaenko <angdraug@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 06 Nov 2020 04:30:02 GMT)


Message #10 received at 959726@bugs.debian.org:

From: Dmitry Borodaenko <angdraug@debian.org>
To: 959726@bugs.debian.org
Subject: [PATCH] Check sshd_config.d/* for HostKey in postinst
Date: Thu, 5 Nov 2020 20:26:30 -0800
If you can safely assume that /etc/ssh/sshd_config.d exists you can simply add
it to the list of files scanned for HostKey.

---
 debian/openssh-server.postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index f45f5851c..aa4bee899 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -18,7 +18,7 @@ get_config_option() {
 	perl -lne '
 		s/[[:space:]]+/ /g; s/[[:space:]]+$//;
 		print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
-	   /etc/ssh/sshd_config
+	   /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
 }
 
 
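Review bot: the glob on the `+` line, `/etc/ssh/sshd_config.d/*`, is broader than what sshd reads: the shipped sshd_config only does `Include /etc/ssh/sshd_config.d/*.conf`, so a `HostKey` in a file without the `.conf` suffix would be picked up by the postinst although sshd never loads it. It also leaves the no-match case unhandled: under a shell that keeps an unmatched glob literal (dash and bash by default), a host with an empty sshd_config.d hands perl the string `/etc/ssh/sshd_config.d/*` and perl warns that it cannot open it. Suggest restricting the pattern to `*.conf` and appending the directory's files only when at least one matches.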
-- 
2.29.2




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#959726; Package openssh-server. (Tue, 12 Jul 2022 15:30:02 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Tue, 12 Jul 2022 15:30:02 GMT)


Message #15 received at 959726@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@debian.org>
To: Dmitry Borodaenko <angdraug@debian.org>, 959726@bugs.debian.org
Subject: Re: Bug#959726: [PATCH] Check sshd_config.d/* for HostKey in postinst
Date: Tue, 12 Jul 2022 11:27:41 -0400
Control: tags 959726 + patch

On Thu 2020-11-05 20:26:30 -0800, Dmitry Borodaenko wrote:
> If you can safely assume that /etc/ssh/sshd_config.d exists you can simply add
> it to the list of files scanned for HostKey.
>
> ---
>  debian/openssh-server.postinst | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
> index f45f5851c..aa4bee899 100644
> --- a/debian/openssh-server.postinst
> +++ b/debian/openssh-server.postinst
> @@ -18,7 +18,7 @@ get_config_option() {
>  	perl -lne '
>  		s/[[:space:]]+/ /g; s/[[:space:]]+$//;
>  		print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
> -	   /etc/ssh/sshd_config
> +	   /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
>  }
>  
>  
> -- 
> 2.29.2

Thanks for the suggested fix, Dmitry.  I'm tagging this bug report as
having an associated patch.

Since the default line in /etc/ssh/sshd_config these days is:

   Include /etc/ssh/sshd_config.d/*.conf

then i think the replacement line should also include the trailing
.conf.

That is:

--------
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index f45f5851c..aa4bee899 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -18,7 +18,7 @@ get_config_option() {
 	perl -lne '
 		s/[[:space:]]+/ /g; s/[[:space:]]+$//;
 		print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
-	   /etc/ssh/sshd_config
+	   /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
 }
 
 
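Review bot: the `index f45f5851c..aa4bee899` line is copied unchanged from Dmitry's patch even though the `+` line now differs, so the patch metadata no longer describes its content; regenerate it with `git format-patch` rather than editing the earlier diff by hand. The narrower `*.conf` glob also keeps two gaps of the earlier version: an empty sshd_config.d leaves the unmatched pattern literal and perl warns about a file it cannot open, and a locally modified sshd_config that lacks the `Include /etc/ssh/sshd_config.d/*.conf` line will have its sshd_config.d/*.conf scanned by the postinst although sshd ignores them. Checking that the `Include` directive is actually present, or at least that the glob matched something, would close both.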


--------

In a simpler world,  get_config_option() would be done by asking sshd
itself to parse the configuration file and output it in normalized form directly:

    sshd -T | grep -i "^$option " | cut -f2- -d' '

But unfortunately, sshd -T aborts with a failure (and emits no parsed
configuration at all) if no host keys can be found.

I've submitted https://bugzilla.mindrot.org/show_bug.cgi?id=3460
upstream to suggest an improvement there, but even if that is adopted
upstream, we can't rely on it until it's released.

      --dkg
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Daniel Kahn Gillmor <dkg@debian.org> to 959726-submit@bugs.debian.org. (Tue, 12 Jul 2022 15:30:03 GMT)
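One way to do what both the original report and dkg's reply point at, resolving HostKey through the Include directives sshd actually follows instead of globbing the directory, as an added shell example that is not part of the Debian package or of either message. collect_option and make_sample_tree are assumed names, and the config tree is constructed in a temporary directory standing in for /etc/ssh.

```shell
#!/bin/sh
# Added example, not the Debian package's postinst: list every HostKey sshd
# would load by following Include directives (relative paths resolve under
# BASEDIR, which stands in for /etc/ssh) and expanding their globs. A file in
# sshd_config.d that the main config never Includes is never consulted.

# collect_option FILE KEYWORD BASEDIR [DEPTH]: print the value of each KEYWORD
# line reachable from FILE. Keywords are case-insensitive; "Key value" and
# "Key=value" are both accepted; comment lines are skipped.
collect_option() {
    local file="$1" option base depth
    option=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    base="${3:-/etc/ssh}"
    depth="${4:-0}"
    [ "$depth" -lt 16 ] || return 0                 # sshd limits nesting too
    [ -f "$file" ] && [ -r "$file" ] || return 0    # also catches a literal, unmatched glob
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]=]\{1,\}/ /' "$file" |
    while IFS=' ' read -r key value; do
        [ -n "$key" ] || continue
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
        include)
            set -f; set -- $value; set +f       # split the arguments without globbing yet
            for pat in "$@"; do
                case $pat in /*) ;; *) pat="$base/$pat" ;; esac
                for inc in $pat; do             # unquoted on purpose: expand the glob now
                    collect_option "$inc" "$option" "$base" $((depth + 1))
                done
            done ;;
        "$option")
            printf '%s\n' "$value" ;;
        esac
    done
}

# make_sample_tree DIR: constructed config tree, not taken from any real host.
make_sample_tree() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' '# main config' 'HostKey = /etc/ssh/ssh_host_rsa_key' \
        'Include sshd_config.d/*.conf' > "$1/sshd_config"
    printf 'hostkey /etc/ssh/ssh_host_ed25519_key\n' > "$1/sshd_config.d/10-keys.conf"
    printf 'HostKey /etc/ssh/never_loaded_key\n' > "$1/sshd_config.d/README"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
collect_option "$tmp/sshd_config" HostKey "$tmp"   # rsa key, then ed25519 key; README is skipped
rm -rf "$tmp"
```

With sshd_config.d emptied, the unmatched glob is left literal and simply fails the file test, so only the main config's HostKey is printed and no "Can't open" warning appears.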




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 25 19:05:10 2023; Machine Name: bembo
