Merge ~ahasenack/ubuntu/+source/openssh:openssh-split-unique-gssapi into ~canonical-server/ubuntu/+source/openssh:openssh-split-unique-gssapi
- Git
- lp:~ahasenack/ubuntu/+source/openssh
- openssh-split-unique-gssapi
- Merge into openssh-split-unique-gssapi
Status: | Merged |
---|---|
Merge reported by: | Andreas Hasenack |
Merged at revision: | 5d720f6d8cd1ba1d9cb5ba924f4b0951bf3066bc |
Proposed branch: | ~ahasenack/ubuntu/+source/openssh:openssh-split-unique-gssapi |
Merge into: | ~canonical-server/ubuntu/+source/openssh:openssh-split-unique-gssapi |
Diff against target: | 0 lines |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Canonical Server Reporter | Pending | ||
dann frazier | Pending | ||
Canonical Server Core Reviewers | Pending | ||
Review via email: mp+444043@code.launchpad.net |
This proposal supersedes a proposal from 2023-05-23.
Commit message
Description of the change
This was merged already. This MP is for history purpposes.
It's based on work from dannf to split the gssapi-new-unique and fedora patches so they apply more easily. These are the first two commits from Dannf, and start on top of pkg/ubuntu/
98efccb32 Separate out the changes that comes from Fedora's keyex patch modifications
1ab8bcf2b add gssapi-
Then come my changes which do:
- new bin:openssh-
- update-alternatives support for bin:openssh-server and bin:openssh-
- 3 new DEP8 tests for this specific new functionality, and another run of an existing DEP8 test ("regress") but with the new openssh-
The versioning scheme I'm envisioning is:
${base}+ccache1
Where ${base} is the jammy ubuntu version of the package, i.e., 1:8.9p1-3ubuntu0.1 currently.
For PPAs, it will be the usual ${base}
Updates to this extra packaging will increase the ccache1 suffix to ccache2, ccache3, etc.
I welcome suggestions on this versioning as well :)
Launchpad recipe: https:/
Using another ppa, which is what I plan to use for real for development of this package:
https:/
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
The recipe build worked with this branch: https:/
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
Tests are green, just s390x that is queued up (only arch with a queue, according to https:/
Results: (from http://
openssh @ amd64:
http://
23.05.23 19:13:09 ✅ Triggers: openssh/
openssh @ arm64:
http://
23.05.23 19:29:47 ✅ Triggers: openssh/
openssh @ armhf:
http://
23.05.23 19:13:29 ✅ Triggers: openssh/
openssh @ ppc64el:
http://
23.05.23 19:05:57 ✅ Triggers: openssh/
Running: (none)
Waiting:
Q-num pkg release arch ppa trigger
80 openssh jammy s390x ahasenack/
dann frazier (dannf) wrote : Posted in a previous version of this proposal | # |
Thanks for this work Andreas - esp. on the test cases! Aside from a couple of nits inline, one concern I have is that the unpatched sshd will fail to start if KerberosUniqueC
line 1: Bad configuration option: KerberosUniqueC
Would it make sense to have openssh-
/etc/
That contains a commented out #KerberosUnique
openssh-
The symlink would always be removed in uninstall, leaving any KerberosUniqueC
Also, do we need to restart sshd after an o-s-d-c install or removal?
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
I'll check options regarding the config file. We already have a "ExecStartPre=
Regarding the restart after o-s-d-c, I think with socket activation we don't need that, but I'll double check.
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
So, I was confused and socket activation is not enbaled in jammy, even though the package ships a ssh.socket unit.
Even so, it doesn't look like a restart is needed, because of the architecture of how sshd works nowadays. There is a main listener process, that spawns sshd children to handle incoming connections. These spawned children will be fresh processes, and they will pick up whatever update-alternatives set the symlink to.
That being said, a restart sounds cleaner, and I'll probably do that.
Regarding the config file, I'm still thinking about options. One problem is that we can switch between the sshd implementations with the update-alternatives --config command, it doesn't have to be with installing and removing packages. Maybe add that config file snippet you suggested as another update-alternatives slave, like the manpage? I'll think about it, but even that would not totally prevent errors. People could still add this option to the main sshd_config file.
If there were a "hook" mechanism we could use, so that whenever update-alternatives is called, we can check if the current config file is ok for the currently selected sshd server, then we could use that.
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
The "errors in config file can break sshd" bug is known already, and not specific to this new option we are adding: https:/
dann frazier (dannf) wrote : Posted in a previous version of this proposal | # |
On Fri, May 26, 2023 at 7:55 AM Andreas Hasenack
<email address hidden> wrote:
> Regarding the config file, I'm still thinking about options. One problem is that we can switch between the sshd implementations with the update-alternatives --config command, it doesn't have to be with installing and removing packages. Maybe add that config file snippet you suggested as another update-alternatives slave, like the manpage? I'll think about it, but even that would not totally prevent errors.
That's a good point. Ideally we'd have
/etc/ssh/
openssh-
alternative is selected, but have *no*
/etc/ssh/
if the standard sshd alternative is selected. What happens when only 1
alternative option provides a given slave?
btw, instead of just being prescriptive about the problem I was
looking to solve with the snippet + symlink was with configuration
file handling, let me be explicit about the problem I was trying to
solve - I'm not sure if it was obvious. If someone makes
o-s-d-c-specific config changes, we should aim to keep track of them
even after o-s-d-c is removed (but not purged). Here is the use/test
case I had in mind:
1) User installs o-s-d-c
2) User makes some o-s-d-c changes that normal o-s does not parse
(i.e. setting KerberosUniqueC
3) User removes o-s-d-c
# Here o-s should not fail because of KerberosUniqueC
4) User reinstalls o-s-d-c
# Here the settings the user made in step #2 should have persisted
5) User purges o-s-d-c
# Now the settings in step #2 should be cleared
> People could still add this option to the main sshd_config file.
> If there were a "hook" mechanism we could use, so that whenever update-alternatives is called, we can check if the current config file is ok for the currently selected sshd server, then we could use that.
Perhaps we can also modify the manpage part of the patch to clarify
that this setting should only be defined in the o-s-d-c-specific
snippet, and not any other sshd config file. That, combined with
including a commented out KerberoseUnique
for discoverability feels like a complete solution to me.
Another option might be to just patch the standard sshd to accept but
ignore this config option (and ideally emit a warning instead of
silently ignoring it). But that might cause an upgrade path problem if
we want to retain the option to drop this patch in the future. That
is, if a 22.04 PPA user decided to dist-upgrade to a 24.04 that
included neither this feature nor a patch to recognize and ignore
KerberoseUnique
be quarantined off to avoid causing 24.04's sshd to fail to start.
-dann
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
I recognized your "breakage" scenario, step (3) specifically:
3) User removes o-s-d-c
# Here o-s should not fail because of KerberosUniqueC
I just don't like to have a solution based solely on *where* that config option was added (a specific file in a .d directory).
> Another option might be to just patch the standard sshd to accept but
> ignore this config option (and ideally emit a warning instead of
> silently ignoring it).
I was briefly excited about this, when I saw that ssh has an option called IgnoreUnknown, but it's only for the client... :/
I'm toying now with a script for ExecStartPre in ssh's service unit file. It could check if the sshd that is about to start recognizes KerberosUniqueC
4) User reinstalls o-s-d-c
# Here the settings the user made in step #2 should have persisted
I.e., it wouldn't restore KerberosUniqueC
I'm also not a big fan of changing config files automatically like that, but hey, it allows sshd to start.
Finally, I'm also contemplating again the decision to use update-
> Perhaps we can also modify the manpage part of the patch
Going back to what this option actually does:
KerberosUniqueC
no (default in patched sshd): new behavior introduced by this patch
yes: same behavior as unpatched sshd
We don't really need this option at the moment, do we? If you don't want the new behavior, stick with openssh-server. If you want the new behavior, install openssh-
We could perhaps not include it. At the risk of being different and carry regrets about this decision for quite a while.
To summarize, some of the ideas we had, in no particular order, hope I didn't miss any:
a) constrict the KerberosUniqueC
b) ExecStartPre and remove the option from the config (wherever it was found) if the current sshd doesn't understand it. Prevents a failing-
c) Change the handling of unknown options in unpatched sshd so that if KerberosUniqueC
d...
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
I pushed a check script, this is option (b) from my previous comment.
Unfortunately sshd -t doesn't list all files that might have problems. Looks like it checks the main config file at /etc/ssh/
For example, here sshd_config is not even listed, because I added the bad option at the end:
root@j-sshd-dev:~# echo "KerberosUnique
root@j-sshd-dev:~# echo "KerberosUnique
root@j-sshd-dev:~# echo "KerberosUnique
root@j-sshd-dev:~# sshd -t
/etc/ssh/
/etc/ssh/
If I add it to the top, befire sshd_config includes sshd_config.
root@j-sshd-dev:~# vi /etc/ssh/
root@j-sshd-dev:~# sshd -t
/etc/ssh/
/etc/ssh/
/etc/ssh/
But gssapi.conf is not listed.
If I remove gssapi-2.conf, then gssapi.conf is listed:
root@j-sshd-dev:~# rm /etc/ssh/
root@j-sshd-dev:~# sshd -t
/etc/ssh/
/etc/ssh/
/etc/ssh/
Anyway, in this state, it's able to clean the config up:
# systemctl restart ssh
logs:
May 26 19:57:08 j-sshd-dev systemd[1]: Starting OpenBSD Secure Shell server...
May 26 19:57:08 j-sshd-dev sshd-config-
May 26 19:57:08 j-sshd-dev sshd-config-
May 26 19:57:08 j-sshd-dev sshd-config-
May 26 19:57:09 j-sshd-dev sshd[50960]: Server listening on 0.0.0.0 port 22.
May 26 19:57:09 j-sshd-dev sshd[50960]: Server listening on :: port 22.
May 26 19:57:09 j-sshd-dev systemd[1]: Started OpenBSD Secure Shell server.
dann frazier (dannf) wrote : Posted in a previous version of this proposal | # |
On Fri, May 26, 2023 at 12:25 PM Andreas Hasenack
<email address hidden> wrote:
>
> I recognized your "breakage" scenario, step (3) specifically:
>
> 3) User removes o-s-d-c
> # Here o-s should not fail because of KerberosUniqueC
>
> I just don't like to have a solution based solely on *where* that config option was added (a specific file in a .d directory).
>
> > Another option might be to just patch the standard sshd to accept but
> > ignore this config option (and ideally emit a warning instead of
> > silently ignoring it).
>
> I was briefly excited about this, when I saw that ssh has an option called IgnoreUnknown, but it's only for the client... :/
>
> I'm toying now with a script for ExecStartPre in ssh's service unit file. It could check if the sshd that is about to start recognizes KerberosUniqueC
>
> 4) User reinstalls o-s-d-c
> # Here the settings the user made in step #2 should have persisted
>
> I.e., it wouldn't restore KerberosUniqueC
>
> I'm also not a big fan of changing config files automatically like that, but hey, it allows sshd to start.
>
> Finally, I'm also contemplating again the decision to use update-
>
> > Perhaps we can also modify the manpage part of the patch
>
> Going back to what this option actually does:
>
> KerberosUniqueC
> no (default in patched sshd): new behavior introduced by this patch
> yes: same behavior as unpatched sshd
>
> We don't really need this option at the moment, do we? If you don't want the new behavior, stick with openssh-server. If you want the new behavior, install openssh-
>
> We could perhaps not include it. At the risk of being different and carry regrets about this decision for quite a while.
I actually quite like that idea. There's really no reason to try and
support an o-s-d-c that behaves exactly like o-s, and it simplifies
the packaging and upgrade/crossgrade paths a great deal. While it does
mean we presumably need to carry a 3rd patch that reverts support for
KerberosUniqueC
-dann
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
> I actually quite like that idea. There's really no reason to try and
> support an o-s-d-c that behaves exactly like o-s, and it simplifies
> the packaging and upgrade/crossgrade paths a great deal. While it does
> mean we presumably need to carry a 3rd patch that reverts support for
> KerberosUniqueC
Ok, let me just push this extra dep8 test for the ExecStartPre check scenario (which we can easily drop/skip), and then look at what it would take to not add the KerberosUniqueC
Andreas Hasenack (ahasenack) wrote (last edit ): Posted in a previous version of this proposal | # |
> Ok, let me just push this extra dep8 test for the ExecStartPre check scenario
> (which we can easily drop/skip), and then look at what it would take to not
> add the KerberosUniqueC
It doesn't look hard to drop the KerberosUniqueC
dann frazier (dannf) wrote : Posted in a previous version of this proposal | # |
Yeah, that could be convenient. But it doesn't seem reasonable for a user to assume they can always use the same sshd_config cross-distro, if only because sshd versions will differ. And I don't really see a way we can support that while retaining a "return to non-o-s-d-c" crossgrade/upgrade path.
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
I pushed restart fixes, so now ssh gets properly restarted upon removal/
Andreas Hasenack (ahasenack) wrote (last edit ): Posted in a previous version of this proposal | # |
@dannf, I pushed to https:/
So we have these two options out there now:
- this MP: it implements (b) from a previous comment, which "sanitizes" any config file which has KerberosUniqueC
- the openssh-
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
I opted to revert the sshd-config-check change, and its related dep8 test, because it's surprising behavior. I think in the end we should be transparent: openssh-
The DEP8 tests in the infrastructure are unfortunately still swamped (https:/
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
Added README.
Andreas Hasenack (ahasenack) wrote : Posted in a previous version of this proposal | # |
This was delivered as 1:8.9p1-
I got a suggestion that works around https:/ /bugs.launchpad .net/ubuntu/ +source/ git-build- recipe/ +bug/2020386: move the two patches we need to apply manually to debian/*, out of debian/patches, but still inside debian/. That will be preserved when launchpad builds the package from a recipe and converts it to a native package. I'll work on that, but it's a minimal change to this MP, and shouldn't affect the rest of the review points.