#994001 openssh-server: Almost locked out due #990456

Package: openssh-server
Source: openssh
Description: secure shell (SSH) server, for secure access from remote machines
Submitter: Aristeu Rozanski
Date: 2021-09-09 18:27:07 UTC
Severity: important

#994001#5
Date: 2021-09-09 15:08:05 UTC

Dear Maintainer,

I have a user named Rufus Obrien O'Rourke and he can't use the defined
username (according to our rules) 'root' but it already comes defined when
I install the system. Please rename them to something like '_root' please.

Jokes aside, I had an 'ssh' group defined for a good while, to be used as the
group of people allowed to ssh into the machine (AllowGroup, root login is
disabled), and in a recent upgrade, probably due to #990456, that group got
renamed to '_ssh' and I wasn't able to log in anymore. Thankfully I had a
session open since before the change and was able to figure out what was going on.

Please change the upgrade script to check if the group ssh already contains
users before doing the change.

#994001#10
Date: 2021-09-09 16:23:29 UTC

We can add some kind of check that would fail the installation in this
situation, but please migrate to using some other site-specific group
for this ASAP.  The ssh/_ssh group is an internal implementation detail
used only to ensure that private key material cannot be extracted from
running ssh-agent processes using ptrace(2); it's not intended to have
users added to it.

#994001#15
Date: 2021-09-09 18:14:34 UTC

Done, thanks.
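
The check discussed in this report, as an added example (not the openssh package's maintainer script and not code from this thread): it reports whether a group has users or is named by an `AllowGroups`/`DenyGroups` line, which is the condition that caused the lockout. The function names and sample files are constructed for illustration, and only literal group names in a single config file are matched.

```shell
#!/bin/sh
# Added example, not Debian's maintainer script. File paths are arguments so
# the checks can run on copies of /etc/group, /etc/passwd and sshd_config.

# Users in GROUP: supplementary members plus users whose primary GID matches.
group_members() {  # GROUP GROUP_FILE PASSWD_FILE
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    awk -F: -v g="$1" '$1 == g && $4 != "" { gsub(",", "\n", $4); print $4 }' "$2"
    [ -n "$gid" ] && awk -F: -v id="$gid" '$4 == id { print $1 }' "$3"
    return 0
}

# AllowGroups/DenyGroups lines naming GROUP literally (keyword is
# case-insensitive; wildcard patterns and Include files are not followed).
access_rule_refs() {  # GROUP SSHD_CONFIG
    awk -v g="$1" '
        { kw = tolower($1) }
        kw == "allowgroups" || kw == "denygroups" {
            for (i = 2; i <= NF; i++)
                if ($i == g) { print FNR ": " $0; break }
        }' "$2"
}

# Return 1 and explain if GROUP has members or gates SSH logins.
audit_group() {  # GROUP GROUP_FILE PASSWD_FILE SSHD_CONFIG
    members=$(group_members "$1" "$2" "$3" | sort -u | tr '\n' ' ')
    refs=$(access_rule_refs "$1" "$4")
    [ -z "$members" ] && [ -z "$refs" ] && return 0
    [ -n "$members" ] && echo "group '$1' has members: $members"
    [ -n "$refs" ] && echo "access rule names '$1' at line $refs"
    return 1
}

# Constructed sample mirroring the report: users in 'ssh', AllowGroups ssh.
demo=$(mktemp -d)
printf 'ssh:x:115:alice,bob\n_ssh:x:116:\n' > "$demo/group"
printf 'root:x:0:0::/root:/bin/sh\n' > "$demo/passwd"
printf 'PermitRootLogin no\nAllowGroups ssh\n' > "$demo/sshd_config"
audit_group ssh "$demo/group" "$demo/passwd" "$demo/sshd_config" ||
    echo "move these users to a site-specific group before upgrading"
rm -rf "$demo"
```

On a live system the same functions can be pointed at `/etc/group`, `/etc/passwd` and `/etc/ssh/sshd_config`, once for `ssh` and once for `_ssh`.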