[RFC] News item: OpenSSH 8.2_p1 running sshd breakage


Patrick McLean-3
Title: OpenSSH 8.2_p1 running sshd breakage
Author: Patrick McLean <[hidden email]>
Posted: 2020-02-21
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: <net-misc/openssh-8.2

If sshd is running, and a system is upgraded from <net-misc/openssh-8.2_p1
to >=net-misc/openssh-8.2_p1, any new ssh connection will fail until sshd is
restarted.

Before restarting sshd, it is *strongly* recommended that you test your
configuration with the following command (as root):
    sshd -t

If your system is booted with openrc, use this command (as root)
to restart sshd:
    /etc/init.d/sshd restart

If your system is booted with systemd, use this command (as root)
to restart sshd:
    systemctl restart sshd

WARNING: On systemd booted machines, this command will terminate all currently
         open ssh connections, it is *strongly* recommended that you validate
         your configuration before restarting sshd.


Re: [RFC] News item: OpenSSH 8.2_p1 running sshd breakage

Mike Gilbert-2
On Wed, Feb 19, 2020 at 3:02 PM Patrick McLean <[hidden email]> wrote:

>
> Title: OpenSSH 8.2_p1 running sshd breakage
> Author: Patrick McLean <[hidden email]>
> Posted: 2020-02-21
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: <net-misc/openssh-8.2
>
> If sshd is running, and a system is upgraded from <net-misc/openssh-8.2_p1
> to >=net-misc/openssh-8.2_p1, any new ssh connection will fail until sshd is
> restarted.
>
> Before restarting sshd, it is *strongly* recommended that you test your
> configuration with the following command (as root):
>     sshd -t
>
> If your system is booted with openrc, use this command (as root)
> to restart sshd:
>     /etc/init.d/sshd restart
>
> If your system is booted with systemd, use this command (as root)
> to restart sshd:
>     systemctl restart sshd
>
> WARNING: On systemd booted machines, this command will terminate all currently
>          open ssh connections, it is *strongly* recommended that you validate
>          your configuration before restarting sshd.
>

Existing connections are only terminated if the pam_systemd module is
not enabled. This might happen if the user has disabled USE=pam on
sys-apps/systemd, or if they have modified the system pam stack to
exclude pam_systemd.

Maybe change the warning to this:

WARNING: On systemd booted machines with PAM disabled, this command
will terminate all currently open ssh connections. It is *strongly*
recommended that you validate your configuration before restarting
sshd.


Re: [RFC] News item: OpenSSH 8.2_p1 running sshd breakage

Michael Jones
How does this affect systemd's socket activation?

E.g. The systemd sshd.socket unit file.

On Wed, Feb 19, 2020 at 2:12 PM Mike Gilbert <[hidden email]> wrote:
> On Wed, Feb 19, 2020 at 3:02 PM Patrick McLean <[hidden email]> wrote:
> >
> > Title: OpenSSH 8.2_p1 running sshd breakage
> > Author: Patrick McLean <[hidden email]>
> > Posted: 2020-02-21
> > Revision: 1
> > News-Item-Format: 2.0
> > Display-If-Installed: <net-misc/openssh-8.2
> >
> > If sshd is running, and a system is upgraded from <net-misc/openssh-8.2_p1
> > to >=net-misc/openssh-8.2_p1, any new ssh connection will fail until sshd is
> > restarted.
> >
> > Before restarting sshd, it is *strongly* recommended that you test your
> > configuration with the following command (as root):
> >     sshd -t
> >
> > If your system is booted with openrc, use this command (as root)
> > to restart sshd:
> >     /etc/init.d/sshd restart
> >
> > If your system is booted with systemd, use this command (as root)
> > to restart sshd:
> >     systemctl restart sshd
> >
> > WARNING: On systemd booted machines, this command will terminate all currently
> >          open ssh connections, it is *strongly* recommended that you validate
> >          your configuration before restarting sshd.
> >
>
> Existing connections are only terminated if the pam_systemd module is
> not enabled. This might happen if the user has disabled USE=pam on
> sys-apps/systemd, or if they have modified the system pam stack to
> exclude pam_systemd.
>
> Maybe change the warning to this:
>
> WARNING: On systemd booted machines with PAM disabled, this command
> will terminate all currently open ssh connections. It is *strongly*
> recommended that you validate your configuration before restarting
> sshd.


Re: [RFC] News item: OpenSSH 8.2_p1 running sshd breakage

Mike Gilbert-2
On Wed, Feb 19, 2020 at 3:41 PM Michael Jones <[hidden email]> wrote:
>
> How does this affect systemd's socket activation?
>
> E.g. The systemd sshd.socket unit file.

Please avoid top-posting.

When socket-activated, a separate instance of sshd is spawned for each
connection. I don't think any action is needed in that case.


Re: [RFC] News item: OpenSSH 8.2_p1 running sshd breakage

Michael Jones


On Wed, Feb 19, 2020 at 3:00 PM Mike Gilbert <[hidden email]> wrote:
> On Wed, Feb 19, 2020 at 3:41 PM Michael Jones <[hidden email]> wrote:
> >
> > How does this affect systemd's socket activation?
> >
> > E.g. The systemd sshd.socket unit file.
>
> Please avoid top-posting.
>
> When socket-activated, a separate instance of sshd is spawned for each
> connection. I don't think any action is needed in that case.


Consider listing this situation in the news post.

Re: [RFC] News item: OpenSSH 8.2_p1 running sshd breakage

William Hubbs
On Wed, Feb 19, 2020 at 12:02:51PM -0800, Patrick McLean wrote:

> Title: OpenSSH 8.2_p1 running sshd breakage
> Author: Patrick McLean <[hidden email]>
> Posted: 2020-02-21
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: <net-misc/openssh-8.2
>
> If sshd is running, and a system is upgraded from <net-misc/openssh-8.2_p1
> to >=net-misc/openssh-8.2_p1, any new ssh connection will fail until sshd is
> restarted.
>
> Before restarting sshd, it is *strongly* recommended that you test your
> configuration with the following command (as root):
>     sshd -t
>
> If your system is booted with openrc, use this command (as root)
> to restart sshd:
>     /etc/init.d/sshd restart

A better choice would be:

    rc-service sshd --nodeps restart

William
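
The procedure discussed in this thread (validate with sshd -t, then pick the restart path for OpenRC, systemd, or socket activation), as an added example that is not part of the news item or of any poster's message. The function name plan_restart and the overridable variables SSHD_BIN, SYSTEMD_RUNDIR and PAM_DIR are assumptions of this sketch, as are treating a missing /run/systemd/system as "booted with OpenRC" and using a grep for pam_systemd as a heuristic for the PAM case raised above.

```shell
#!/bin/sh
# Added example, not part of the news item. Prints the restart command that
# fits this host; it never restarts sshd itself.
# The overridable names and paths below are assumptions of this sketch.
SSHD_BIN="${SSHD_BIN:-sshd}"
SYSTEMD_RUNDIR="${SYSTEMD_RUNDIR:-/run/systemd/system}"  # present when booted with systemd
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

plan_restart() {
    # Step 1: never restart on a configuration that fails validation.
    if ! "$SSHD_BIN" -t; then
        echo "abort: sshd -t failed, fix sshd_config before restarting" >&2
        return 1
    fi
    # OpenRC: restart only sshd, ignoring service dependencies.
    if [ ! -d "$SYSTEMD_RUNDIR" ]; then
        echo "rc-service sshd --nodeps restart"
        return 0
    fi
    # systemd socket activation: each connection already gets a new sshd.
    if systemctl is-active --quiet sshd.socket; then
        echo "note: sshd.socket is active, no restart needed" >&2
        return 0
    fi
    # Heuristic: look for an uncommented pam_systemd line in the PAM stack.
    if ! grep -rqs '^[^#]*pam_systemd' "$PAM_DIR"; then
        echo "warning: pam_systemd not found, restart will drop open ssh sessions" >&2
    fi
    echo "systemctl restart sshd"
}

# Run as root with: sh plan-sshd-restart.sh plan
case "${1:-}" in plan) plan_restart ;; esac
```

The command is printed on stdout and notes or warnings go to stderr, so the output can be reviewed before anything is run.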

