[SRU] walinuxagent breaks sshd configuration

Bug #1305418 reported by Stephen A. Zarkos
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
walinuxagent (Ubuntu) | Fix Released | Critical | Robert C Jennings |
Saucy | Fix Released | Critical | Unassigned |
Trusty | Fix Released | Critical | Robert C Jennings |

Bug Description

[Impact]

 * Provisioning with the latest walinuxagent will break sshd_config, barring sshd from starting. With ssh access often the only means of access for cloud instances, this is extremely disruptive.

 * A backport of this fix is necessary to retain ssh access after re-provisioning an instance hosted on Azure.

 * The current waagent command assumes that sshd_config is terminated with a newline when it appends a config option to the file. There is no newline and thus this new configuration option is appended to a current option rendering the config file invalid. The fix is to insert a newline prior to appending to the config file.

[Test Case]

Steps to reproduce
 * Become familiar with the last line of sshd_config, `tail /etc/ssh/sshd_config`
    It will contain "UsePAM yes" and have no newline at the end of the file.
 * Install walinuxagent with `apt-get install waagent`
 * Force re-provisioning by running `waagent -setup`
 * Check the config file with `tail /etc/ssh/sshd_config`. It will now contain:
    "UsePAM yesClientAliveInterval 180"
 * Confirm that the SSH daemon will fail to start. Test by running `/usr/sbin/sshd`. Expected error output is:
    "/etc/ssh/sshd_config line 88: Bad yes/no argument: yesClientAliveInterval"
   At this point, rebooting the OS will result in loss of SSH access.
 * Edit /etc/ssh/sshd_config to insert a carriage return after "UsePAM yes" and place "ClientAliveInterval 180" on its own line.
 * Verify that ssh can start again `/usr/sbin/sshd`

[Regression Potential]

 * Regression risk is extremely low, I can't think of a negative impact of adding an extra newline to the end of the file before appending content.

[Other Info]

 * Tested in 14.04 and 13.10, PPA builds can be found at ppa:~rcj/testing for those packages.
 * Repeated re-provisioning will add new newline characters, which will add whitespace prior to the new config option. This whitespace will grow by one line with each re-provisioning; but this is a rare operation. Given the code structure it was far safer to address this by unconditionally adding the newline rather than adding complexity to check that it was absolutely needed.

[ Original Description Follows ]

After installing the latest walinuxagent package on Ubuntu 13.10 I see that we end up with a broken configuration in /etc/ssh/sshd_config. The last line in that file looks like the following:

   UsePAM yesClientAliveInterval 180

This is the result of the agent package re-running "waagent -setup," which wants to append the "ClientAliveInterval 180" parameter to /etc/ssh/sshd_config to avoid timeouts with the Azure load balancer (which has a 4 minute timeout). But currently waagent assumes there is a "\n" at the end of this file.

We could fix this bug in the agent to always add "\n" to the front of this parameter (maybe a good idea) or there may be another way to fix this.
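
An added example (not walinuxagent's code and not the patch attached to this bug) of appending an option to sshd_config safely. It goes beyond the fix described above: the newline is added only when it is missing and the append is skipped when the option is already set, which also avoids the growing whitespace noted under [Other Info]. The names `append_option` and `demo`, the sample file contents, and the assumption that the file contains no `Match` blocks are this example's own.

```python
import os
import tempfile


def append_option(path, option, value):
    """Append 'option value' safely; return True if the file was changed."""
    with open(path, "r") as f:
        content = f.read()

    # Idempotence (assumes no Match blocks): skip if an uncommented line sets it.
    for line in content.splitlines():
        fields = line.split(None, 1)
        if fields and fields[0].lower() == option.lower():
            return False

    # The bug: the file may not end in "\n" (last line "UsePAM yes").
    # Add the separator only when it is actually missing.
    if content and not content.endswith("\n"):
        content += "\n"
    content += "%s %s\n" % (option, value)

    # Write a temp file in the same directory and rename it over the original,
    # so an interrupted write never leaves a truncated sshd_config behind.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, os.stat(path).st_mode & 0o7777)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return True


def demo():
    # Constructed sample: a config whose last line lacks the trailing newline.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd_config")
        with open(path, "w") as f:
            f.write("Port 22\nUsePAM yes")
        first = append_option(path, "ClientAliveInterval", "180")
        second = append_option(path, "ClientAliveInterval", "180")  # re-run
        with open(path) as f:
            return first, second, f.read()
```

On a real host, checking the candidate file with `sshd -t -f <file>` before the rename catches any remaining syntax error while the running configuration is still intact.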

Robert C Jennings (rcj)
Changed in walinuxagent (Ubuntu):
assignee: nobody → Robert C Jennings (rcj)
assignee: Robert C Jennings (rcj) → nobody
Robert C Jennings (rcj)
Changed in walinuxagent (Ubuntu):
status: New → Incomplete
status: Incomplete → Confirmed
assignee: nobody → Robert C Jennings (rcj)
Robert C Jennings (rcj) wrote :
Changed in walinuxagent (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → Critical
importance: Critical → Medium
importance: Medium → Undecided
Robert C Jennings (rcj) wrote :

Ben, I've attached a proposed patch.

Robert C Jennings (rcj) wrote :
Ben Howard (darkmuggle-deactivatedaccount) wrote :

# apt-get -y update
...
Ign http://packages.vmware.com precise/main TranslationIndex
Ign http://packages.vmware.com precise/main Translation-en_US
Ign http://packages.vmware.com precise/main Translation-en
Fetched 307 B in 10s (28 B/s)
Reading package lists... Done
W: Conflicting distribution: http://packages.vmware.com precise Release (expected precise but got )

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "debdiff for saucy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Robert C Jennings (rcj) wrote :

Builds in ppa:~rcj/testing. debdiff's attached.

summary: - Broken SSHD configuration on Ubuntu 13.10 with latest walinuxagent
- update
+ walinuxagent breaks sshd configuration
Robert C Jennings (rcj) wrote : Re: walinuxagent breaks sshd configuration

Ben, SRU template is in. I think this is all I can do until the debdiff is uploaded to the archive, correct?

description: updated
Changed in walinuxagent (Ubuntu):
importance: Undecided → Critical
Robert C Jennings (rcj)
description: updated
Ben Howard (darkmuggle-deactivatedaccount) wrote :

Uploaded fix for Trusty.

summary: - walinuxagent breaks sshd configuration
+ [SRU] walinuxagent breaks sshd configuration
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package walinuxagent - 2.0.4-0ubuntu2

---------------
walinuxagent (2.0.4-0ubuntu2) trusty; urgency=low

  * Fix for broken sshd configuration (LP: #1305418)
   - Change modification of sshd_config to address lack of newline at EOF
 -- Ben Howard <email address hidden> Thu, 10 Apr 2014 14:04:44 -0600

Changed in walinuxagent (Ubuntu Trusty):
status: In Progress → Fix Released
Robert C Jennings (rcj)
Changed in walinuxagent (Ubuntu Saucy):
importance: Undecided → Critical
status: New → In Progress
assignee: nobody → Robert C Jennings (rcj)
Robert C Jennings (rcj) wrote :

debdiff for saucy attached, reassigning to ben

Changed in walinuxagent (Ubuntu Saucy):
assignee: Robert C Jennings (rcj) → Ben Howard (utlemming)
Ben Howard (darkmuggle-deactivatedaccount) wrote :

Tested and confirmed fix. Uploaded for SRU processing.

tags: added: precise regression-update
Ben Howard (darkmuggle-deactivatedaccount) wrote :

As a side note, precise is not affected. I have tested and validated that the 12.04 version does not have this issue.

tags: added: saucy
removed: precise
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Stephen, or anyone else affected,

Accepted walinuxagent into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu7~13.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in walinuxagent (Ubuntu Saucy):
status: In Progress → Fix Committed
Ben Howard (darkmuggle-deactivatedaccount) wrote :

Verified test case for Saucy.

tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package walinuxagent - 1.3.2-0ubuntu7~13.10

---------------
walinuxagent (1.3.2-0ubuntu7~13.10) saucy; urgency=medium

  [ Robert C Jennings ]
  * Fix for broken sshd configuration (LP: #1305418)
    - Change modification of sshd_config to address lack of newline at EOF
 -- Ben Howard <email address hidden> Thu, 17 Apr 2014 06:38:56 -0600

Changed in walinuxagent (Ubuntu Saucy):
status: Fix Committed → Fix Released
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for walinuxagent has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
