Bug 39704 - reorder configuration in template sshd_config
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSH
UCS 4.0
Other Linux
: P5 enhancement (vote)
: UCS 4.3-1-errata
Assigned To: Richard Ulmer
Arvid Requate
:
: 28195 42254 (view as bug list)
Depends on:
Blocks:
Reported: 2015-11-02 16:32 CET by Daniel Tröder
Modified: 2018-06-27 14:37 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Attachments
bug39704_qa.patch (3.08 KB, patch)
2018-06-15 14:51 CEST, Arvid Requate

Description Daniel Tröder univentionstaff 2015-11-02 16:32:30 CET
The UCRV 'sshd/config/.*' is expanded at the end of the configuration file. Previous configuration entries do not overwrite already existing entries (only tested with LogLevel).

If the configuration entries would be reordered so that 'sshd/config/.*' is immediately below all other used UCRVs (and any mandatory configuration?) but above other "static" configuration entries, 'sshd/config/.*' could overwrite those.

Forum: http://forum.univention.de/viewtopic.php?f=48&t=4489#p17021
Comment 1 Stefan Gohmann univentionstaff 2016-12-13 08:10:41 CET
The Enterprise Customer affected flag is set but neither a Ticket number is referenced nor a Customer ID is set. Please set a Ticket number or a Customer ID. Otherwise the Enterprise Customer affected flag will be reset.
Comment 3 Daniel Tröder univentionstaff 2018-03-27 12:22:18 CEST
*** Bug 42254 has been marked as a duplicate of this bug. ***
Comment 4 Richard Ulmer univentionstaff 2018-05-17 11:16:18 CEST
With the pull request from Lutz Willek, mentioned in comment #2, there are no more "static" configuration entries. Thus the problem is solved.

I have made some changes to the pull request and merged it into the 4.3-0 branch.

Since all possible configuration entries seem to be covered now, the 'sshd/config/.*' UCR variable could be removed. I still left it in, to make the configuration of values, which are added in the future, possible. As a side note: Everything the pull request introduces could have been done previously via the 'sshd/config/.*' UCR variable.


univention-base-files (7.0.0-13)
6ddbddbcfa14 | Bug #39704: Refactor for readability
d5c0e0a5601a | Bug #39704: Re-introduce the TCPKeepAlive configuration value
e067d1d0281e | Bug #39704: Fix printing of comment for the AcceptEnv configuration value
5181cac769fb | Bug #39704: Fix default for the PasswordAuthentication configuration value
ff4ca3b5122f | Bug #39704: Remove deprecated UseLogin configuration value
3dbb7300d624 | Bug #39704: Improve the ListenAddress UCRV
68eb61c8a08e | Bug #39704: Fix non-tab indentation
eb3d9c08a1d8 | [openssh-server config] Patch for Bug #42254, Bug #39704, Bug #28195
a87dd1112021 | Patch for Bug #42254, Bug #39704, Bug #28195
57938f66fb6a | Bug #39704: Merge branch 'rulmer/39704' into 4.3-0
4802b1d71e78 | Bug #39704: Add changelog entry

univention-base-files.yaml
bb24cf5e7a99 | Bug #39704: Add yaml file
Comment 5 Richard Ulmer univentionstaff 2018-05-17 11:26:08 CEST
@QA: Please close the GitHub pull request, if the changes are OK: https://github.com/univention/univention-corporate-server/pull/4
Comment 6 Arvid Requate univentionstaff 2018-05-29 14:38:00 CEST
The following UCR variables are used in the template but are not registered for UCR and don't have a description. Bug 28195 Comment 1 has a description for the first one.

sshd/AllowAgentForwarding
sshd/AllowTcpForwarding
sshd/GatewayPorts

On the other hand sshd/ChallengeResponseAuthentication and sshd/Subsystem are registered and documented but not used in the template. The first looks like a typo and probably refers to sshd/challengeresponse.

The last point brings me to the point that the case spelling of the options is now mixed. I don't know if we can improve this to obtain a consistent result, but can't we have something like

import sys

sshd_keywords = ['AllowAgentForwarding', 'AllowTcpForwarding', ...]
sshd_keywords_lower = map(str.lower, sshd_keywords)
# UCR keys below 'sshd/', with the prefix stripped
sshd_ucrkeywords = [x[5:] for x in configRegistry if x.startswith('sshd/')]
seen = []
for ucrkey in sshd_ucrkeywords:
  for keyword in sshd_keywords:
    # only the sshd keyword matching this UCR key is of interest
    if keyword.lower() != ucrkey.lower():
      continue
    if keyword.lower() in seen:
      msg = "ERROR: sshd/%s set twice in different case spelling" % keyword
      print >>sys.stderr, msg
    else:
      print "%s %s" % (keyword, configRegistry['sshd/%s' % ucrkey])
      seen.append(keyword.lower())
    break
Comment 7 Richard Ulmer univentionstaff 2018-06-04 13:56:28 CEST
I have temporarily reverted all changes, so that a clean 4.3-1 branch can be created on 2018-06-06.

commit 9371c2dab8fe3c62826df23117281abcac9f3732
Comment 8 Erik Damrose univentionstaff 2018-06-04 14:12:00 CEST
Thanks, I verified the revert (with git diff 8b454196..9371c2da). Setting milestone to 4.3-1-errata
Comment 9 Richard Ulmer univentionstaff 2018-06-07 12:40:25 CEST
I have re-applied the changes of the temporary revert and also addressed the problems mentioned in Comment #6.

All variables are now available in the mixed case spelling. The user will be warned, when a variable is set in lower- and mixed case spelling.

Remark: The sshd/config/.* variables could also contain duplicates, about which the user would not be warned.

f0f7ccaab3 Bug #39704: Update version number in yaml file

univention-base-files (7.0.0-14):
de00e0c6b7 Bug #39704: Add changelog entry
f0fac4b602 Bug #39704: Enable camel- and lowercase for legacy UCR variables
c803f9eb12 Bug #39704: Register and describe missing UCR variables
ea347ff05a Re-apply changes for Bug #39704
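
Added example, not part of the original report and not UCS template code: a stand-alone Python 3 check for the behaviour discussed in the description and in the remark above. sshd keeps the first value it obtains for a keyword and treats keywords case-insensitively, so a later duplicate (for instance one expanded from sshd/config/.* at the end of the file) is silently ignored. The function name, the sample text and the REPEATABLE list are assumptions made for this illustration.

```python
# Added example (not UCS code): report which sshd_config lines take effect.
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive. REPEATABLE is an assumed, partial list of keywords that
# may legitimately appear several times and are therefore not flagged.
REPEATABLE = {"port", "listenaddress", "hostkey", "acceptenv", "subsystem"}

# Constructed sample: entries from the template body followed by late
# overrides, the layout described in the bug report.
SAMPLE = """\
# static part of the template
LogLevel INFO
PasswordAuthentication yes
Port 22
Port 2222
# expanded from sshd/config/.* at the end of the file
loglevel VERBOSE
PasswordAuthentication no
"""


def audit(text):
    """Return (effective, shadowed) for the global section of an sshd_config.

    effective: {lowercased keyword: (line number, value)} of first occurrences
    shadowed:  [(line number, keyword as written, value, winning line number)]
    """
    effective, shadowed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        key = keyword.lower()
        if key == "match":
            break  # conditional blocks follow different rules; stop here
        if key in REPEATABLE:
            continue
        if key in effective:
            shadowed.append((lineno, keyword, value, effective[key][0]))
        else:
            effective[key] = (lineno, value)
    return effective, shadowed


if __name__ == "__main__":
    eff, ignored = audit(SAMPLE)
    for lineno, keyword, value, winner in ignored:
        print("line %d: '%s %s' is ignored, line %d wins (%s)"
              % (lineno, keyword, value, winner, eff[keyword.lower()][1]))
```

Running it over a rendered /etc/ssh/sshd_config after changing UCR variables shows whether an intended hardening value such as PasswordAuthentication no is actually the one sshd will use.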
Comment 10 Richard Ulmer univentionstaff 2018-06-07 12:44:49 CEST
34f7f9d360 Bug #39704: Merge branch 'rulmer/39704' into 4.3-1
Comment 11 Arvid Requate univentionstaff 2018-06-15 14:51:43 CEST
Created attachment 9559 [details]
bug39704_qa.patch

Ok, looks good, I'd just suggest this change in wording to clarify the purpose of the message.
Comment 12 Richard Ulmer univentionstaff 2018-06-15 15:07:32 CEST
OK, I've applied the patch.

univention-base-files (7.0.0-16)
bd3cf76dada0 | Bug #39704: Improve some wording
482b0e739ff7 | Bug #39704: Update yaml file
Comment 13 Arvid Requate univentionstaff 2018-06-15 15:16:08 CEST
Ok, thanks, looks good and works.
Comment 14 Arvid Requate univentionstaff 2018-06-26 16:06:54 CEST
*** Bug 28195 has been marked as a duplicate of this bug. ***
Comment 15 Erik Damrose univentionstaff 2018-06-27 14:37:20 CEST
<http://errata.software-univention.de/ucs/4.3/122.html>