CVE-2023-5616: if sshd is enabled but socket-activated, control-center will say it's disabled
Originally reported to Ubuntu by Zygmunt Krynicki in https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/2039577. This is being treated as a security issue by Ubuntu, but I don't see any sign of it having been forwarded upstream before making the Launchpad bug public, so I'm opening this issue report now to fill in that gap. CVE-2023-5616 was assigned for this (presumably by Ubuntu, but I don't know that for sure).
I am not an Ubuntu developer or contributor, and their handling of this issue was not my choice.
Original report:
GNOME control center offers a way to disable or enable remote shell (ssh) connections.
This functionality is outsourced to /usr/libexec/cc-remote-login-helper which starts
and stops the systemd service ssh.service using the code:
if (!cc_disable_service (SSHD_SERVICE, G_BUS_TYPE_SYSTEM, &error))
...
if (!cc_enable_service (SSHD_SERVICE, G_BUS_TYPE_SYSTEM, &error))
The irony is that ssh.service is socket activated:
zyga@x240:~$ systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
     Active: active (running) since Tue 2023-10-17 16:40:04 CEST; 21s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 7055 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 7056 (sshd)
      Tasks: 1 (limit: 9305)
     Memory: 1.4M
        CPU: 21ms
     CGroup: /system.slice/ssh.service
             └─7056 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

paź 17 16:40:04 x240 systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
paź 17 16:40:04 x240 sshd[7056]: Server listening on :: port 22.
paź 17 16:40:04 x240 systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
In effect, it will always activate again whenever someone attempts to connect.
This bug is a security vulnerability, as users may be prone to attacks while
thinking remote shell is disabled.
I would suggest *masking* the service, so that it cannot be socket activated.
I suspect that the Ubuntu developers may have thought this was an Ubuntu-specific issue because their default is to use socket activation via ssh.socket; but there would be nothing to stop unrelated distributions like Arch or Fedora from using a similar setup with ssh.socket or sshd.socket (I don't know whether any of them do), so I think this is a valid issue report for upstream as well.
Ubuntu has used a socket-activated ssh.socket since 23.04. Debian has not followed Ubuntu in this, and still uses an ordinary ("eagerly" started) ssh.service by default, but it does provide documentation for how ssh.socket can be used as a non-default option.
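
An added example (not part of the original report and not gnome-control-center code): a shell check that classifies the state described above from `systemctl show` output, so that a stopped service behind a listening socket is not reported as off. The function name, the sample blocks and the assumption that each socket triggers a single service are constructed for illustration.

```shell
# Added example, not gnome-control-center code. Live input would come from:
#   systemctl show -p Id -p LoadState -p ActiveState -p Triggers \
#       ssh.service ssh.socket
#
# Reads blank-line-separated "Key=Value" unit blocks on stdin and prints:
#   running          - an sshd service unit is active
#   socket-activated - no service is active, but a listening socket will
#                      start one on the next connection (the reported case)
#   inactive         - nothing is active, or the only listening socket
#                      triggers a masked service
classify_ssh_units() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        id = ""; astate = ""; lstate = ""; trig = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "Id") id = val
            else if (key == "ActiveState") astate = val
            else if (key == "LoadState") lstate = val
            else if (key == "Triggers") trig = val
        }
        if (lstate == "masked") masked[id] = 1
        if (astate == "active" && id ~ /\.service$/) svc_up = 1
        if (astate == "active" && id ~ /\.socket$/) listening[id] = trig
    }
    END {
        if (svc_up) { print "running"; exit }
        for (s in listening)
            if (!(listening[s] in masked)) { print "socket-activated"; exit }
        print "inactive"
    }'
}

# Constructed sample: state after the service alone is stopped and disabled.
sample_service_disabled() {
    printf 'Id=ssh.service\nLoadState=loaded\nActiveState=inactive\n\n'
    printf 'Id=ssh.socket\nLoadState=loaded\nActiveState=active\nTriggers=ssh.service\n'
}

# Constructed sample: same, but with ssh.service masked as the report suggests.
sample_service_masked() {
    printf 'Id=ssh.service\nLoadState=masked\nActiveState=inactive\n\n'
    printf 'Id=ssh.socket\nLoadState=loaded\nActiveState=active\nTriggers=ssh.service\n'
}

sample_service_disabled | classify_ssh_units   # prints: socket-activated
```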