Univention Bugzilla – Bug 46033
SSH template needs update
Last modified: 2018-03-14 14:38:01 CET
rexec line 16: Deprecated option KeyRegenerationInterval
rexec line 21: Deprecated option RSAAuthentication
rexec line 24: Deprecated option RhostsRSAAuthentication
fdefd0bb15 Bug #46033 base: Update sshd_config
Package: univention-base-files
Version: 7.0.0-5A~4.3.0.201801151536
Branch: ucs_4.3-0
Changelog update: 065f63bc468d35c1ba6886f9b052d74c61cfd348 There are more config options changed: root@master431:~# diff -Nur sshd_config_4.2 sshd_config_4.3 --- sshd_config_4.2 2018-01-27 16:03:54.844000000 -0500 +++ sshd_config_4.3 2018-01-27 16:04:04.684000000 -0500 @@ -3,29 +3,14 @@ ClientAliveInterval 60 GSSAPIAuthentication yes GSSAPIKeyExchange yes -HostbasedAuthentication no HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key -IgnoreRhosts yes -KerberosAuthentication no -KerberosTicketCleanup yes -KeyRegenerationInterval 3600 LoginGraceTime 600 -LogLevel INFO PasswordAuthentication no -PermitEmptyPasswords no PermitRootLogin yes Port 22 -PrintLastLog yes PrintMotd no -Protocol 2 -PubkeyAuthentication yes -RhostsRSAAuthentication no -RSAAuthentication yes -StrictModes yes -Subsystem sftp /usr/lib/sftp-server -SyslogFacility AUTH +Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes -UsePrivilegeSeparation yes -X11DisplayOffset 10 X11Forwarding no root@master431:~#
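Review bot: the hunk removes far more than the three deprecated keywords named in the bug title and commit message (KeyRegenerationInterval, RSAAuthentication, RhostsRSAAuthentication); the other `-` lines (`-HostbasedAuthentication no`, `-PermitEmptyPasswords no`, `-UsePrivilegeSeparation yes` and the rest) are silent policy changes unless each one is shown to equal the upstream default, so either keep them or list them in the changelog, and verify the result by diffing `sshd -T` output for both files rather than by eye. `-UsePrivilegeSeparation yes` in particular is only a no-op if the upstream default is unchanged, so it needs its own changelog line.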
(In reply to Stefan Gohmann from comment #2)
> There are more config options changed:

So what is the problem here:
- do you want those other deprecated options to be listed here at this bug report as well?
- do you want me to revert some change?
- do you want the changelog entry to be extended?

> root@master431:~# diff -Nur sshd_config_4.2 sshd_config_4.3

See the command at the end to compare the effective difference.

> -HostbasedAuthentication no
> -IgnoreRhosts yes
> -KerberosAuthentication no
> -KerberosTicketCleanup yes
> -LogLevel INFO
> -PermitEmptyPasswords no
> -PrintLastLog yes
> -PubkeyAuthentication yes
> -StrictModes yes
> -SyslogFacility AUTH

These are the OpenSSH defaults - search for the key with '#' prepended - no need to set them explicitly.

> +HostKey /etc/ssh/ssh_host_ed25519_key

OpenSSH now also supports ed25519 - the key is created automatically and included in the configuration file if found.

> -KeyRegenerationInterval 3600
> -RSAAuthentication yes
> -RhostsRSAAuthentication no
> -Protocol 2

Deprecated as stated in comment 0 and the commit message.

> -UsePrivilegeSeparation yes

The upstream default changed to a more sane default. See ChangeLog.

> -Subsystem sftp /usr/lib/sftp-server
> +Subsystem sftp /usr/lib/openssh/sftp-server

OpenSSH changed the path, so that needs updating.
# ls -gGh /usr/lib/sftp-server /usr/lib/openssh/sftp-server
-rwxr-xr-x 1 92K Feb 10  2017 /usr/lib/openssh/sftp-server
lrwxrwxrwx 1  19 Feb 10  2017 /usr/lib/sftp-server -> openssh/sftp-server

> -X11DisplayOffset 10

10 is the default and the previous UCS template code was broken, setting the value twice in some cases:

$ git show a87efc2bb9 | grep -ni displayoffset
50:X11DisplayOffset 10
63:if configRegistry.get('sshd/xdisplayoffset'):
64:    print "X11DisplayOffset %s" % configRegistry['sshd/xdisplayoffset']

ucr filter <sshd_config >sshd_config.430
# diff <(sshd -f /etc/ssh/sshd_config -T) <(sshd -f ./sshd_config.430 -T)
65c65
< subsystem sftp /usr/lib/sftp-server
---
> subsystem sftp /usr/lib/openssh/sftp-server
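The review method in comment 3 (check each removed keyword against the upstream default, then diff the effective configuration of old and new template as `sshd -T` prints it) as an added offline example; this is not code from this bug report or from the univention-base-files package. The `UPSTREAM_DEFAULTS` and `DEPRECATED` tables are assumptions limited to the keywords named in this report, not a complete OpenSSH reference, and the two sample configs are reconstructed from a subset of the lines in the comment 2 diff.

```python
# Offline approximation of the `sshd -T` comparison from comment 3.
# Assumption: the two tables below only cover keywords named in this bug
# report; a keyword missing from UPSTREAM_DEFAULTS has an unknown default
# and shows up as None once it is removed from the template.

# Upstream defaults as claimed in comment 3 (assumption: limited to these).
UPSTREAM_DEFAULTS = {
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "kerberosauthentication": "no",
    "kerberosticketcleanup": "yes",
    "loglevel": "INFO",
    "permitemptypasswords": "no",
    "printlastlog": "yes",
    "pubkeyauthentication": "yes",
    "strictmodes": "yes",
    "syslogfacility": "AUTH",
    "x11displayoffset": "10",
}

# Keywords sshd 7.4 warns about and ignores (comment 0 plus the changelog).
DEPRECATED = {"keyregenerationinterval", "rsaauthentication",
              "rhostsrsaauthentication", "protocol", "serverkeybits"}

# Keywords that may legitimately appear more than once; kept as lists.
MULTI_VALUED = {"hostkey", "subsystem", "listenaddress", "acceptenv"}


def parse_sshd_config(text):
    """Parse sshd_config text into {keyword: value}; keywords are
    lower-cased the way `sshd -T` prints them, values keep their case."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:                 # 'Key=value' is also accepted
            parts = line.split("=", 1)
        if len(parts) != 2:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        key, value = parts[0].strip().lower(), parts[1].strip()
        if key in MULTI_VALUED:
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf


def deprecated_settings(conf):
    """Keywords sshd would reject with a 'Deprecated option' warning."""
    return sorted(k for k in conf if k in DEPRECATED)


def redundant_settings(conf):
    """Keywords explicitly set to their known upstream default; dropping
    them changes nothing, which is the argument made in comment 3."""
    return sorted(k for k, v in conf.items() if k in UPSTREAM_DEFAULTS
                  and v.lower() == UPSTREAM_DEFAULTS[k].lower())


def effective(conf):
    """Known defaults overlaid with the explicit, non-deprecated settings."""
    eff = dict(UPSTREAM_DEFAULTS)
    for k, v in conf.items():
        if k not in DEPRECATED:
            eff[k] = v
    return eff


def effective_diff(old_text, new_text):
    """{keyword: (old, new)} for every keyword whose effective value differs;
    None means 'not set and default unknown' (needs a manual look)."""
    a = effective(parse_sshd_config(old_text))
    b = effective(parse_sshd_config(new_text))
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# Constructed sample input: subsets of the 4.2 and 4.3 templates as they
# appear in the comment 2 diff (unchanged context lines mostly omitted).
SSHD_CONFIG_42 = """\
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
IgnoreRhosts yes
KerberosAuthentication no
KerberosTicketCleanup yes
KeyRegenerationInterval 3600
LogLevel INFO
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin yes
Port 22
PrintLastLog yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/lib/sftp-server
SyslogFacility AUTH
UsePrivilegeSeparation yes
X11DisplayOffset 10
"""

SSHD_CONFIG_43 = """\
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PasswordAuthentication no
PermitRootLogin yes
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
"""

if __name__ == "__main__":
    old = parse_sshd_config(SSHD_CONFIG_42)
    print("deprecated in 4.2 template:", deprecated_settings(old))
    print("redundant in 4.2 template: ", redundant_settings(old))
    for key, (was, now) in effective_diff(SSHD_CONFIG_42, SSHD_CONFIG_43).items():
        print("%-24s %r -> %r" % (key, was, now))
```

Run on the two samples, the effective diff reduces to the three changes that are not pure cleanup: the added ed25519 host key, the sftp-server path, and `UsePrivilegeSeparation`, which is reported as `('yes', None)` because its default is not in the table; that None is exactly the case comment 3 resolves by pointing at the upstream ChangeLog.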
(In reply to Philipp Hahn from comment #3)
> (In reply to Stefan Gohmann from comment #2)
> > There are more config options changed:
>
> So what is the problem here:
> - do you want those other deprecated option to be listed here at this bug
> report as well?
> - do you want me to revert some change?
> - do you want more the changelog entry to be extended?

As I sent you via private mail, we have a policy about cleanups. The bug issue and the changelog are about three deprecated options, but there are many more changes. If the policy is not what we want, I'll be happy to discuss it.

You can either revert your changes or add the changes to the changelog to make the changes transparent for the admins. Both would work for me.
UCS-4.2 shipped with OpenSSH-6.7, UCS-4.3 will ship with OpenSSH-7.4. So there have been seven updates in between, changing lots of minor (and major) details. Start reading their release notes:
<https://www.openssh.com/txt/release-6.8>
<https://www.openssh.com/txt/release-6.9>
<https://www.openssh.com/txt/release-7.0>
<https://www.openssh.com/txt/release-7.1>
<https://www.openssh.com/txt/release-7.2>
<https://www.openssh.com/txt/release-7.3>
<https://www.openssh.com/txt/release-7.4>

To my knowledge we do not include all those foreign release notes in our UCS release note document, but "hide" them under "UCS X.Y has updated to Debian Z". So there already are lots of hidden changes.

In most cases we as Univention get away with being "lazy / short on resources" and do not need to update each UCR template (for UCS-4.2 many UCR templates were NOT updated, so we already accumulated a large backlog there).

In the case of OpenSSH we now (thankfully) get the warning that we still use deprecated options. You should take that as a hint that the template *must* be updated now.
- we can either do it the lazy way and just remove those options
- or we can spend the extra time and review our previous settings

With OpenSSL you should be very careful as you can easily break the security model by diverting from the defaults: upstream usually knows better and picks safe defaults, so UCS should only pick a different setting *if we really need to*.

So I reviewed every setting only to find out that, even explicitly set, they were the implicit defaults! Except one case, "UsePrivilegeSeparation", where upstream changed the default for good reason. And that is documented:
> The privilege separation mode has been changed to the new default <literal>sandbox</literal> (<u:bug>46033</u:bug>).
All other changes were not UCR configurable except those two options regarding the deprecated ssh1 protocol:
> The deprecated &ucsUCRV;s <envar>sshd/Protocol</envar> and <envar>sshd/ServerKeyBits</envar> have been removed.

All other changes are not user visible and were subsumed under:
> The &ucsUCR; template file for <package>openssh</package> has been updated:

Nevertheless I extended the changelog entry to include some (important) upstream changes:
d030ac8c8d Bug #46033: OpenSSH changes

Hopefully that clarifies the issue with openssh.
OK, changelog looks good now.
UCS 4.3 has been released: https://docs.software-univention.de/release-notes-4.3-0-en.html https://docs.software-univention.de/release-notes-4.3-0-de.html If this error occurs again, please use "Clone This Bug".