Ubuntu 22.04 sftp error

[mdsketch]

If this is used with ubuntu 22.04 the sshd_config is placed in the /etc/ssh/sshd_config.d directory. This is fine except that if default options are overridden in this role (for example SFTP server) then the ssh server will fail to start as they still exist in the default config file /etc/ssh/sshd_config.

Deleting the line in /etc/ssh/sshd_config solves the issue.

If this is expected, maybe some documentation could be added, or if unexpected I could help with a fix.

[mdsketch]

Also not assigning the variable in my playbook also solves it, but I would like to be able to continue to use this functionality.

[Jakuje]

Thank you for opening the issue. Can you describe what parameters you used to execute the sshd role? The defaults should be skipped when the drop-in directory is used, but there might be some corner case that I did not capture.

[mdsketch]

Here are the variables I'm using, been working fine for me for the last year:

However I am now realizing it might just be because I have sshd_skip_defaults set to no, and I have been lucky that for ubuntu 20.04 there's no drop in directory so everything was overwritten every time. Not sure let me know.

[Jakuje]

Thank you for checking.

I missed this and as this has indeed separate validate step, it can leave the system in wrong state, which should be fixed somehow.

Right now, we validate the drop-in config file by itself, which works ok, so it is copied into the place. But then we just check the Include directive is in the main configuration file and if it is, no actions are taken including validation of the combination of these files (I think) and it fails only when the service is restarted in the handlers.

Fortunately, it looks like the upstream is planning to fix this behavior: https://bugzilla.mindrot.org/show_bug.cgi?id=3236

Before that, we can probably revert the configuration if it will not work together, but it will require some more custom backup and restore as there is no simple way to do that atomically with default ansible modules.

I will try to propose some changes, but probably not today.

Skip defaults is probably ok, as you have quite extensive configuration, which should cover all you need.

[pescobar]

I am also hitting this problem. It looks like the fix has been applied upstream but I am not sure if it will be backported to ubuntu22.04

openssh/openssh-portable@52dfe3c

[Jakuje]

I am also hitting this problem. It looks like the fix has been applied upstream but I am not sure if it will be backported to ubuntu22.04

openssh/openssh-portable@52dfe3c

It was committed 2 weeks ago and is not in any released version yet. If you wish to get this fixed in Ubuntu, please open an Ubuntu bug report.

[pescobar]

I am using this workaround

- name: Configure sshd if sshd config is defined
  when: sshd | length > 0
  tags: sshd
  block:

    # https://github.com/willshersystems/ansible-sshd/issues/185
    - name: Remove the default settings for "Subsystem sftp"
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^(Subsystem.*)'
        replace: '# \1'

    - name: Add a comment to the default config file to warn that Subsystem must be disabled
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        line: '# Commented out using ansibe. We define the config in /etc/ssh/sshd_config.d/'
        insertbefore: '^(# Subsystem.*)'

    - name: Configure OpenSSH server
      ansible.builtin.import_role:
        name: willshersystems.sshd

and then I can configure the sftp subsystem using this role