Bug 906506 - net-misc/openssh-9.3_p1-r1: cannot override Subsystem sftp config directives in /etc/ssh/sshd_config.d/*
Status: RESOLVED FIXED
Product: Gentoo Linux
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2023-05-15 22:03 UTC by Gary E. Miller
Modified: 2023-10-16 19:07 UTC

Description Gary E. Miller 2023-05-15 22:03:05 UTC
The latest openssh eats existing /etc/ssh/ssh*config on some machines.  Plus other problems.

I update daily; the hosts are a mix of amd64, arm, arm64, both stable and unstable, desktop and server.  The sequence of events when updating varies from host to host, so not all issues occurred on all hosts.

1. emerge refuses to update openssh w/o OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes

This is odd because normally Gentoo asks me to assert I_KNOW_WHAT_I_AM_DOING only when I override Gentoo's preferences, not when changing to comply with Gentoo's preferences.

2. only AFTER emerging the new openssh does the news article warning me about updating openssh appear.

That's right.  Only after some hosts are broken am I warned that something might break.  And no warning of what actually broke on my hosts.

IMHO, the news item should appear AFTER the eix-sync and before the emerge world, not after the emerge.  Maybe a few days or weeks before.

The news item should be updated to specifically mention the Transport and Subsystem issues.

3. ssh and sshd stop making new connections because "Transport" is in the ssh*_config files.

At least one cycle deprecating "Transport" would have been nice.  Since that no longer does anything, a warning, instead of an error, would have been nice.

4. On some hosts, old ssh*_config files are overwritten at emerge time; on some, etc-update will ask before overwriting.

In the latter case, no help is offered in moving things from /etc/ssh/ssh*_config to /etc/ssh/ssh*_config.d/

Unclear why some hosts did, and some not.  Seems related to Python 3.10 vs. Python 3.11, which would be a product of stable and unstable.

5. After re-arranging the config to the new system and removing "Transport", sshd will still not start, due to "Subsystem sftp" not allowing redefinition.

There is a line for "Subsystem sftp" in sshd_config.  Overriding that in sshd_config.d/ fails.

/etc/ssh/sshd_config.d/000local.conf line 8: Subsystem 'sftp' already defined.

Removing the "Subsystem sftp" from sshd_config allows sshd to be restarted and ssh works again.

After all that, all seems well.


Reproducible: Always

Steps to Reproduce:
1. emerge -uDNa world

Actual Results:
broken ssh/sshd
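A check for the clash described in point 5, added here as example code that is not from the bug report or from OpenSSH: it reads sshd_config the way sshd does (following Include globs in order) and reports every Subsystem redefined outside a Match block, which is what the "already defined" error above is about; overrides inside a Match block are left alone, matching the 9.5 release note quoted later in the bug. The file tree is constructed and written to a temp dir, and relative Include paths are resolved against the top-level file's directory (sshd uses /etc/ssh, which is the same thing in the stock layout).

```python
import glob
import os
import re
import tempfile

# Constructed sample tree (not from the bug report): the stock sshd_config keeps its own
# "Subsystem sftp" line and Includes sshd_config.d/, where a local file redefines it.
SAMPLE = {
    "sshd_config": "Subsystem sftp /usr/lib/misc/sftp-server\nInclude sshd_config.d/*.conf\n",
    "sshd_config.d/000local.conf": "# local override, clashes with the stock line\nSubsystem sftp internal-sftp\n",
    "sshd_config.d/010match.conf": "Match Group sftponly\n    Subsystem sftp internal-sftp\n",
}

def check_subsystems(root):
    """Return (file, line, name) for each Subsystem redefined outside a Match block, reading Include'd files in sshd's order."""
    defined, problems = {}, []

    def walk(path, in_match=False):
        with open(path) as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
                key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
                if key == "match":
                    in_match = True  # every later line in this file is conditional
                elif key == "include":
                    for pattern in arg.split():
                        if not os.path.isabs(pattern):  # resolve against the top-level file's dir
                            pattern = os.path.join(os.path.dirname(root), pattern)
                        for inc in sorted(glob.glob(pattern)):
                            walk(inc, in_match)
                elif key == "subsystem" and arg:
                    name = arg.split()[0]
                    if name in defined and not in_match:
                        problems.append((path, lineno, name))  # the redefinition sshd rejects
                    else:
                        defined.setdefault(name, (path, lineno))

    walk(root)
    return problems

def demo():
    """Write SAMPLE to a temp dir, run the check, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as d:
        for rel, text in SAMPLE.items():
            os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
            with open(os.path.join(d, rel), "w") as fh: fh.write(text)
        found = check_subsystems(os.path.join(d, "sshd_config"))
        return [(os.path.relpath(f, d), ln, name) for f, ln, name in found]
```

On a real host `sshd -t` is the authoritative check; this script only shows which file and line the clashing definition comes from before you restart.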
Comment 1 Sam James 2023-05-16 02:31:04 UTC
1. wrt OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING:

I don't think we can do much about this. The issue being that if someone has sctp/hpn/x509 stuff in their /etc/ssh/sshd_config, they can easily end up with a daemon that's broken if they don't actively consent to it changing.

2. news item showing

Yeah, this was a real issue, fixed (because you told me about it) at https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=8a2ba6292647ec521fbf546d6b4c7ed17648ea1a & https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=4d1ca67d4fca1750c90ee3a94375cbbf05d4fd4c.

3/5. Transport config stanzas

Yeah, we need to do something about this.

4. CONFIG_PROTECT not working

Would you mind filing a separate bug for that? It's likely a Portage issue.
Comment 2 Gary E. Miller 2023-05-16 03:44:07 UTC
> cannot override Transport config directives in /etc/ssh/sshd_config.d/* 

I did not say that was a problem.  Bad title.  I said not being able to override "Subsystem sftp" was a problem.
Comment 3 Gary E. Miller 2023-05-16 03:46:15 UTC
> Would you mind filing a separate bug for that? It's likely a Portage issue.

I do not know if it is or is not.  I'm not gonna point fingers until I have a clue.  Since I updated, I can no longer run tests.
Comment 4 Sam James 2023-05-16 03:47:16 UTC
(In reply to Gary E. Miller from comment #3)
> > Would you mind filing a separate bug for that? It's likely a Portage issue.
> 
> I do not know if it is or is not.  I'm not gonna point fingers until I have
> a clue.  Since I updated, I can no longer run tests.

Right, but I'm asking for a new bug so I can treat it separately. Different issues in the same bug is confusing. I can triage it differently if it ends up not being one.

(In reply to Gary E. Miller from comment #2)
> > cannot override Transport config directives in /etc/ssh/sshd_config.d/* 
> 
> I did not say that was a problem.  Bad title.  I said not override
> "Subsystem sftp" was a problem.

ok
Comment 5 Gary E. Miller 2023-05-16 21:20:10 UTC
(In reply to Sam James from comment #4)
> (In reply to Gary E. Miller from comment #3)
> > > Would you mind filing a separate bug for that? It's likely a Portage issue.
> > 
> > I do not know if it is or is not.  I'm not gonna point fingers until I have
> > a clue.  Since I updated, I can no longer run tests.
> 
> Right, but I'm asking for a new bug so I can treat it separately. Different
> issues in the same bug is confusing. I can triage it differently if it ends
> up not being one.

Since eating the config was the bug I put in the title, making it another issue would be confusing.  I would have been happy to create another issue for the subsystem thing, but not the main thing that led to this current issue.

Since you think you dealt with my other issues in this bug, then eating the configs is the only remaining issue here.
Comment 6 Sam James 2023-10-16 06:38:55 UTC
openssh 9.5 has:
 * sshd(8): allow override of Subsystem directives in sshd Match blocks.

which should help here...
Comment 7 Gary E. Miller 2023-10-16 19:07:02 UTC
Yes, that fixes it.  The change was bigger than the release notes implied.

Thanks for noticing.