Merge ~kstenerud/ubuntu/+source/openssh:xenial-sshd-reload-1771340 into ubuntu/+source/openssh:ubuntu/xenial-devel

Proposed by Karl Stenerud
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 5c1b475e48084fa29210e93681329901fcbc9186
Merge reported by: Christian Ehrhardt 
Merged at revision: 5c1b475e48084fa29210e93681329901fcbc9186
Proposed branch: ~kstenerud/ubuntu/+source/openssh:xenial-sshd-reload-1771340
Merge into: ubuntu/+source/openssh:ubuntu/xenial-devel
Diff against target: 29 lines (+9/-0)
2 files modified
debian/changelog (+7/-0)
debian/systemd/ssh.service (+2/-0)
Reviewer                        Review Type  Date Requested  Status
Christian Ehrhardt (community)                               Approve
Andreas Hasenack                                             Approve
Canonical Server                                             Pending
Review via email: mp+353531@code.launchpad.net

Description of the change

Copied existing Debian fix from https://salsa.debian.org/ssh-team/openssh/commit/d4181e15b03171d1363cd9d7a50b209697a80b01 to check sshd_config for errors before starting or reloading the service.

PPA: ppa:kstenerud/sshd-reload-1771340

Steps to Test
-------------

$ lxc launch ubuntu:xenial tester
$ lxc exec tester bash

# echo "blah blah" >>/etc/ssh/sshd_config
# systemctl reload sshd
Job for ssh.service failed because the control process exited with error code. See "systemctl status ssh.service" and "journalctl -xe" for details.
# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2018-08-21 18:15:41 UTC; 19s ago

* The service should have checked the config file, failed to reload, but remained active in its current configuration. Instead it's now in the failed state.

Remove the last line "blah blah" in /etc/ssh/sshd_config, then:

# systemctl start sshd
# add-apt-repository -y ppa:kstenerud/sshd-reload-1771340
# apt update
# apt upgrade -y
# echo "blah blah" >>/etc/ssh/sshd_config
# systemctl reload sshd
Job for ssh.service failed because the control process exited with error code. See "systemctl status ssh.service" and "journalctl -xe" for details.
# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) (Result: exit-code) since Tue 2018-08-21 18:39:03 UTC; 31s ago

* Service is active (running), which is as it should be.

Package Test Results
--------------------

autopkgtest [13:45:46]: test regress: -----------------------]
autopkgtest [13:45:47]: test regress: - - - - - - - - - - results - - - - - - - - - -
regress PASS
autopkgtest [13:45:47]: @@@@@@@@@@@@@@@@@@@@ summary
regress PASS

Andreas Hasenack (ahasenack) wrote :

Some comments inline.

review: Needs Fixing

Andreas Hasenack (ahasenack) :
4248756... by Karl Stenerud

        * debian/systemd/ssh.service: Test configuration before starting or
          reloading sshd (LP: #1771340)

Karl Stenerud (kstenerud) wrote :

> Some comments inline.

Replaced with clean commits.

Andreas Hasenack (ahasenack) :
5c1b475... by Karl Stenerud

changelog

Andreas Hasenack (ahasenack) wrote :

looks good!

review: Approve

Christian Ehrhardt  (paelzer) wrote :

Ack and:
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openssh
 * [new tag] upload/1%7.2p2-4ubuntu2.5 -> upload/1%7.2p2-4ubuntu2.5

Let me know if this is supposed to be uploaded as-is or if there are any last-minute things to consider.

Karl Stenerud (kstenerud) wrote :

Yes, it's ready for upload

Christian Ehrhardt  (paelzer) wrote :

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_7.2p2-4ubuntu2.5.dsc: done.
  Uploading openssh_7.2p2-4ubuntu2.5.debian.tar.xz: done.
  Uploading openssh_7.2p2-4ubuntu2.5_source.buildinfo: done.
  Uploading openssh_7.2p2-4ubuntu2.5_source.changes: done.
Successfully uploaded packages.

review: Approve

Christian Ehrhardt  (paelzer) wrote :

Please set to merged once accepted by the SRU Team.

Christian Ehrhardt  (paelzer) wrote :

Setting to approved, to get it out of the overview page.
As mentioned before when accepted by the SRU team please set this to merged.

Christian Ehrhardt  (paelzer) wrote :

arrived in proposed, please verify

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index fdfdd8c..bbb67a2 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+openssh (1:7.2p2-4ubuntu2.5) xenial; urgency=medium
7+
8+ * debian/systemd/ssh.service: Test configuration before starting or
9+ reloading sshd (LP: #1771340)
10+
11+ -- Karl Stenerud <karl.stenerud@canonical.com> Tue, 21 Aug 2018 10:45:26 -0700
12+
13 openssh (1:7.2p2-4ubuntu2.4) xenial-security; urgency=medium
14
15 * SECURITY UPDATE: untrusted search path when loading PKCS#11 modules
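Review bot: The new 1:7.2p2-4ubuntu2.5 entry cites only LP: #1771340 and does not say where the change came from. The merge description states it was copied from an existing Debian commit, so the entry should name that commit (or the Debian version that carries it) to keep the Ubuntu delta traceable at the next merge. Also note that this entry targets xenial while the entry directly below it targets xenial-security; confirm that the plain xenial pocket is the intended target for this SRU.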
16diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service
17index 3df8c64..c75e590 100644
18--- a/debian/systemd/ssh.service
19+++ b/debian/systemd/ssh.service
20@@ -5,7 +5,9 @@ ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
21
22 [Service]
23 EnvironmentFile=-/etc/default/ssh
24+ExecStartPre=/usr/sbin/sshd -t
25 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
26+ExecReload=/usr/sbin/sshd -t
27 ExecReload=/bin/kill -HUP $MAINPID
28 KillMode=process
29 Restart=on-failure
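Review bot: Both added /usr/sbin/sshd -t lines run the check without $SSHD_OPTS, while the daemon itself is started with ExecStart=/usr/sbin/sshd -D $SSHD_OPTS. If /etc/default/ssh sets options that change which configuration is read or how it is interpreted (for example -f with another file, or -o overrides), the pre-check validates a different configuration from the one the running sshd uses, so a broken file can pass the check or a valid one can block the start or reload. Consider ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS and ExecReload=/usr/sbin/sshd -t $SSHD_OPTS, or state in the changelog why the options are deliberately left out. The ordering of the two ExecReload lines is what keeps a failed check from reaching the kill -HUP line, so a short comment in the unit saying the order matters would help the next editor.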
