Code review comment for ~ahasenack/ubuntu/+source/openssh:openssh-split-unique-gssapi

Andreas Hasenack (ahasenack) wrote :

I pushed a check script, this is option (b) from my previous comment.

Unfortunately sshd -t doesn't list all files that might have problems. Looks like it checks the main config file at /etc/ssh/sshd_config, then processes the include directive, and then just highlights one of the included files.

For example, here sshd_config is not even listed, because I added the bad option at the end:
root@j-sshd-dev:~# echo "KerberosUniqueCCache no" >> /etc/ssh/sshd_config
root@j-sshd-dev:~# echo "KerberosUniqueCCache no" >> /etc/ssh/sshd_config.d/gssapi.conf
root@j-sshd-dev:~# echo "KerberosUniqueCCache no" >> /etc/ssh/sshd_config.d/gssapi-2.conf

root@j-sshd-dev:~# sshd -t
/etc/ssh/sshd_config.d/gssapi-2.conf: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi-2.conf: terminating, 1 bad configuration options

If I add it to the top, before sshd_config includes sshd_config.d/*.conf, then it's listed too:

root@j-sshd-dev:~# vi /etc/ssh/sshd_config
root@j-sshd-dev:~# sshd -t
/etc/ssh/sshd_config: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi-2.conf: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi-2.conf: terminating, 1 bad configuration options

But gssapi.conf is not listed.

If I remove gssapi-2.conf, then gssapi.conf is listed:

root@j-sshd-dev:~# rm /etc/ssh/sshd_config.d/gssapi-2.conf
root@j-sshd-dev:~# sshd -t
/etc/ssh/sshd_config: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi.conf: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi.conf: terminating, 1 bad configuration options

Anyway, in this state, it's able to clean the config up:

# systemctl restart ssh

logs:
May 26 19:57:08 j-sshd-dev systemd[1]: Starting OpenBSD Secure Shell server...
May 26 19:57:08 j-sshd-dev sshd-config-check[50945]: WARNING: Disabling KerberosUniqueCCache option in /etc/ssh/sshd_config
May 26 19:57:08 j-sshd-dev sshd-config-check[50945]: WARNING: Disabling KerberosUniqueCCache option in /etc/ssh/sshd_config.d/gssapi.conf
May 26 19:57:08 j-sshd-dev sshd-config-check[50945]: Testing again
May 26 19:57:09 j-sshd-dev sshd[50960]: Server listening on 0.0.0.0 port 22.
May 26 19:57:09 j-sshd-dev sshd[50960]: Server listening on :: port 22.
May 26 19:57:09 j-sshd-dev systemd[1]: Started OpenBSD Secure Shell server.
