[Bug 3706] New: Support upgrading sshd without restarting the server
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Wed Jul 3 14:11:11 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3706
Bug ID: 3706
Summary: Support upgrading sshd without restarting the server
Product: Portable OpenSSH
Version: -current
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: gmveqfhbronz.anqzf_ at noclue.notk.org
Upgrading sshd-portable from 9.7p1 or earlier to 9.8p1 changes how sshd
handles new sessions: sshd used to re-exec `sshd -R` and now execs into
`sshd-session -R`
This binary separation is very welcome and reduces attack surface, but
some distros do not restart services on upgrades, so users can get
locked out after upgrade:
- alpine
https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/68482#note_417613
- arch
https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
//
https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5
- (gentoo apparently used not to restart but now does, so that's a
non-issue)
This was also known during devlopment but I assume that was not
considered a problem because openssh would get restarted on normal
upgrades in OpenBSD as well:
https://github.com/openssh/openssh-portable/commit/03e3de416ed7c34faeb692967737be4a7bbe2eb5
> NB. if you're updating via source, please restart sshd after installing,
> otherwise you run the risk of locking yourself out.
In theory it'd be possible for the new sshd to handle -R as "oh I was
run from an old version, let's re-exec sshd-session again" and do
whatever is needed here, without including the sshd-session code into
the sshd binary.
In practice I tried and it's not just re-exec, we need to setup file
descriptors properly and whatever else older versions weren't doing the
same way, I'm not sure the new sshd can even tell which version it was
re-excuted from in the first place so that setup might not even be
possible...
So this bz is double:
- Can you think of a way to do handle just exactly +1 version upgrade
(9.7p1 -> 9.8p1) more smoothly? Some systems might not be rebooted in
ages and if we allow upgrades without restarts there will always be
someone who keeps a very old sshd acceptor daemon running, but if we
keep things up to date and print a warning when the listener isn't
current that should be minimal enough.
- Could we try to keep the architecture in a way that allows this again
in the future, or is that not worth the effort for you?
(That means somewhat standardizing what sshd-session -R expects from
sshd for the session hand-off)
Thank you!
(meta: There's no version 9.8p1 in the bug tracker yet so selected
-current)
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list