"sshd -i" breaks due to socket activation

Bug #1991283 reported by Robie Basak
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Steve Langasek

Bug Description

On Jammy and earlier, simply running "sshd -i" worked.

Now, it fails silently, and running it with "-d" gives me:

Missing privilege separation directory: /run/sshd

This directory is normally created with "RuntimeDirectory=sshd" as defined in /lib/systemd/system/ssh.service. In Jammy, this directory got created by the ssh service starting at boot, so "sshd -i" worked.

Now, with socket activation, it no longer does that, so "sshd -i" fails unless someone has actually connected on TCP port 22 (which they often won't have, since that's the point of "sshd -i").

systemd will then remove /run/sshd when the ssh service is stopped. I think maybe this won't interfere with an existing "sshd -i", but it's not really clean. Further, the privilege separation directory doesn't appear to be configurable - at least I couldn't find any mention in sshd_config(5).

The workaround is to "mkdir -p /run/sshd && sshd -i" instead.

Given that "sshd -i"'s use of /run/sshd isn't really related to the systemd service, maybe we should move the creation of that directory into tmpfiles.d instead?

Robie Basak (racb)
tags: added: ssh-socket-activation
Steve Langasek (vorlon)
Changed in openssh (Ubuntu):
importance: Undecided → Low
status: New → In Progress
assignee: nobody → Steve Langasek (vorlon)
Steve Langasek (vorlon)
Changed in openssh (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.0p1-1ubuntu7

---------------
openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium

  * Update list of stock sshd_config checksums to include those from
    jammy and kinetic.
  * Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
    avoid spurious ucf prompts on upgrade.
  * Move /run/sshd creation out of the systemd unit to a tmpfile config
    so that sshd can be run manually if necessary without having to create
    this directory by hand. LP: #1991283.

  [ Nick Rosbrook ]
  * debian/openssh-server.postinst: Fix addresses.conf generation when only
    non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).

 -- Steve Langasek <email address hidden> Mon, 26 Sep 2022 21:55:14 +0000

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
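
The workaround from the bug description ("mkdir -p /run/sshd && sshd -i") as a preflight check, added here as an example; it is not code from the openssh package or from this report. It assumes GNU stat, and the function names are hypothetical. It also checks ownership and mode, because sshd refuses a privilege separation directory that is not owned by root or is group- or world-writable.

```shell
#!/bin/sh
# Added example: preflight for a manual or inetd-style "sshd -i".
# Uses GNU stat, as shipped on Ubuntu. Function names are hypothetical.
PRIVSEP_DIR=/run/sshd   # path taken from the error message in this report

# check_privsep_dir DIR [UID]
# Prints one word and returns 0 only for "ok":
#   missing  - DIR does not exist
#   notdir   - DIR exists but is not a directory
#   owner    - DIR is not owned by UID (default 0, root)
#   writable - DIR is group- or world-writable
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -e "$dir" ]; then echo missing; return 1; fi
    if [ ! -d "$dir" ]; then echo notdir; return 1; fi
    owner=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    if [ "$owner" != "$want_uid" ]; then echo owner; return 1; fi
    # Leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then echo writable; return 1; fi
    echo ok
}

# ensure_privsep_dir DIR [UID]
# Applies the workaround (create the directory if absent), then verifies it.
# An existing directory with wrong ownership or mode is reported, not changed.
ensure_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -e "$dir" ]; then
        mkdir -p -m 0755 "$dir" || { echo mkdir-failed; return 1; }
    fi
    check_privsep_dir "$dir" "$want_uid"
}

# Typical use as root, in place of "mkdir -p /run/sshd && sshd -i":
#   ensure_privsep_dir "$PRIVSEP_DIR" >/dev/null && exec /usr/sbin/sshd -i
```

The optional UID argument exists so the check can be exercised on a scratch directory as a non-root user; for the real /run/sshd leave it at the default of 0.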