Malte Swart
2019-12-04 21:10:02 UTC
Package: openssh-server
Version: 1:7.9p1-10+deb10u1
Severity: important
Using RuntimeDirectory in ssh.service and ***@.service creates the
needed directory /run/sshd but there are issues in two cases:
1. After switching from ssh.socket to ssh.service while a ssh
connection is open, results in future logins to fail.
Closing the existing ssh.socket connection let systemd to remove
/run/sshd despite ssh.service already running. Subsequent logins
fail as it has no runtime directory anymore.
This is especially bad as it will lock an administrator out.
Even testing logins before closing the last connection does not
highlight this issue.
SSH login works again after the directory is created manually or
the host or service is restarted (directory is recreated by ssh).
2. Testing sshd configuration (using `sshd -t`) while neither
ssh.service or ***@.service are running fails. It complains that
the privilege separation directory /run/sshd does not exist.
I tried different things:
- Adding RuntimeDirectoryPreserve=yes to ***@.service to ensure the
directory is kept. This address case one but `sshd -t` still
fails until ssh.service is started or a connection has been
established. Otherwise systemd has not yet created the directory.
- Using tempfiles.d to create the directory on system boot.
Combining both might work to create the directory in just every case.
-- Demo case 1:
# systemctl status ssh.socket
Active: active (listening)
# systemctl start ssh.service
# systemctl status ***@0.service
Active: active (running)
# logout
$ ssh sshbug
ssh_exchange_identification: read: Connection reset by peer
# systemctl status ***@0.service
Active: inactive (dead)
# systemctl status ssh
Active: active (running)
sshd[6641]: Server listening on :: port 22.
systemd[1]: Started OpenBSD Secure Shell server.
sshd[6654]: fatal: Missing privilege separation directory: /run/sshd
-- Demo case 2
# systemctl start ssh.service
# systemctl status ssh
Active: active (running)
# systemctl status ssh.socket
Active: inactive (dead)
# sshd -t
# systemctl start ssh.socket
# systemctl status ssh.socket
Active: active (listening)
# systemctl status ssh.service
Active: inactive (dead)
# sshd -t
Missing privilege separation directory: /run/sshd
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.7
ii libaudit1 1:2.8.4-3
ii libc6 2.28-10
ii libcom-err2 1.44.5-1+deb10u2
ii libgssapi-krb5-2 1.17-3
ii libkrb5-3 1.17-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1d-0+deb10u2
ii libsystemd0 241-7~deb10u2
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii openssh-client 1:7.9p1-10+deb10u1
ii openssh-sftp-server 1:7.9p1-10+deb10u1
ii procps 2:3.3.15-2
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 241-7~deb10u2
pn ncurses-term <none>
pn xauth <none>
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
openssh-server/permit-root-login: true
Version: 1:7.9p1-10+deb10u1
Severity: important
Using RuntimeDirectory in ssh.service and ***@.service creates the
needed directory /run/sshd but there are issues in two cases:
1. After switching from ssh.socket to ssh.service while a ssh
connection is open, results in future logins to fail.
Closing the existing ssh.socket connection let systemd to remove
/run/sshd despite ssh.service already running. Subsequent logins
fail as it has no runtime directory anymore.
This is especially bad as it will lock an administrator out.
Even testing logins before closing the last connection does not
highlight this issue.
SSH login works again after the directory is created manually or
the host or service is restarted (directory is recreated by ssh).
2. Testing sshd configuration (using `sshd -t`) while neither
ssh.service or ***@.service are running fails. It complains that
the privilege separation directory /run/sshd does not exist.
I tried different things:
- Adding RuntimeDirectoryPreserve=yes to ***@.service to ensure the
directory is kept. This address case one but `sshd -t` still
fails until ssh.service is started or a connection has been
established. Otherwise systemd has not yet created the directory.
- Using tempfiles.d to create the directory on system boot.
Combining both might work to create the directory in just every case.
-- Demo case 1:
# systemctl status ssh.socket
Active: active (listening)
# systemctl start ssh.service
# systemctl status ***@0.service
Active: active (running)
# logout
$ ssh sshbug
ssh_exchange_identification: read: Connection reset by peer
# systemctl status ***@0.service
Active: inactive (dead)
# systemctl status ssh
Active: active (running)
sshd[6641]: Server listening on :: port 22.
systemd[1]: Started OpenBSD Secure Shell server.
sshd[6654]: fatal: Missing privilege separation directory: /run/sshd
-- Demo case 2
# systemctl start ssh.service
# systemctl status ssh
Active: active (running)
# systemctl status ssh.socket
Active: inactive (dead)
# sshd -t
# systemctl start ssh.socket
# systemctl status ssh.socket
Active: active (listening)
# systemctl status ssh.service
Active: inactive (dead)
# sshd -t
Missing privilege separation directory: /run/sshd
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.7
ii libaudit1 1:2.8.4-3
ii libc6 2.28-10
ii libcom-err2 1.44.5-1+deb10u2
ii libgssapi-krb5-2 1.17-3
ii libkrb5-3 1.17-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1d-0+deb10u2
ii libsystemd0 241-7~deb10u2
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii openssh-client 1:7.9p1-10+deb10u1
ii openssh-sftp-server 1:7.9p1-10+deb10u1
ii procps 2:3.3.15-2
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 241-7~deb10u2
pn ncurses-term <none>
pn xauth <none>
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
openssh-server/permit-root-login: true