Bug 2315252

Summary: update for openssh 9.8
Product: [Fedora] Fedora Reporter: Dan Horák <dan>
Component: fail2banAssignee: Richard Shaw <hobbes1069>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 41CC: anon.amish, goeran, hobbes1069, orion, spener
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: fail2ban-1.1.0-4.fc40 fail2ban-1.1.0-4.fc41 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-10-08 01:38:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Boot log from 6.11.0-debug none

Description Dan Horák 2024-09-27 14:44:27 UTC 
Seems the fail2ban package needs an update to adapt to the changes that were introduced in openssh 9.8. Please see https://github.com/fail2ban/fail2ban/pull/3782 for the changes.

Reproducible: Always
Comment 1 chrismaster 2024-09-27 20:27:15 UTC 
*** Bug 2315367 has been marked as a duplicate of this bug. ***
Comment 2 Fedora Update System 2024-09-29 13:53:28 UTC 
FEDORA-2024-9c06275445 (fail2ban-1.1.0-4.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-9c06275445
Comment 3 Fedora Update System 2024-09-29 13:53:29 UTC 
FEDORA-2024-a5f64b06b2 (fail2ban-1.1.0-4.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-a5f64b06b2
Comment 4 Fedora Update System 2024-09-30 02:23:18 UTC 
FEDORA-2024-9c06275445 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-9c06275445`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-9c06275445

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2024-09-30 02:24:28 UTC 
FEDORA-2024-a5f64b06b2 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-a5f64b06b2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-a5f64b06b2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Richard Shaw 2024-09-30 23:23:37 UTC 
Created attachment 2049687 [details]
Boot log from 6.11.0-debug

Filesystem was clean prior to booting 6.11.0-debug. Boot did not complete and locked up while still starting bootup services.
Comment 7 Richard Shaw 2024-09-30 23:24:30 UTC 
Comment on attachment 2049687 [details]
Boot log from 6.11.0-debug

Wrong bug.
Comment 8 Göran Uddeborg 2024-10-05 16:47:15 UTC 
It seems to me this update is not enough. The "journalmatch" expression in sshd.conf doesn't catch sessions with the new name. I worked around that by adding 

 + _COMM=sshd-session

to the other patterns. (With a "filter" line in jail.conf.)

To be precise, this is how a record from the journal might look. It won't match with the original journal "matches".

Sat 2024-10-05 18:44:40.403379 CEST [s=da69e653c4404dbaa83d8c46ce8dd0d1;i=689b400;b=846b16b360ff4fb78aebc9beaa79f881;m=46e3721af57;t=623bd81015680;x=dee65ca45d98a4fc]
    _UID=0
    _SELINUX_CONTEXT=system_u:system_r:sshd_t:s0-s0:c0.c1023
    _BOOT_ID=846b16b360ff4fb78aebc9beaa79f881
    _MACHINE_ID=606ba17eef1ffa5a76fdb50047756efd
    _HOSTNAME=mimmi
    _RUNTIME_SCOPE=system
    _TRANSPORT=syslog
    PRIORITY=6
    SYSLOG_FACILITY=10
    SYSLOG_IDENTIFIER=sshd-session
    _GID=0
    _CAP_EFFECTIVE=1ffffffffff
    _SYSTEMD_SLICE=system-sshd.slice
    _COMM=sshd-session
    _EXE=/usr/libexec/openssh/sshd-session
    _CMDLINE="sshd-session: [accepted]"
    _PID=3633286
    _SYSTEMD_CGROUP=/system.slice/system-sshd.slice/sshd.125.225:22-2.80.45.73:54419.service
    _SYSTEMD_UNIT=sshd.125.225:22-2.80.45.73:54419.service
    _SYSTEMD_INVOCATION_ID=f3c29febc4144838b0024d47f74e8155
    SYSLOG_PID=3633286
    SYSLOG_TIMESTAMP=Oct  5 18:44:40 
    MESSAGE=Invalid user hcy from 2.80.45.73 port 54419
    _SOURCE_REALTIME_TIMESTAMP=1728146680403379
Comment 9 Dan Horák 2024-10-06 13:14:12 UTC 
I believe you are right and we need also https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4
Comment 10 Fedora Update System 2024-10-08 01:38:19 UTC 
FEDORA-2024-9c06275445 (fail2ban-1.1.0-4.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 11 Richard Shaw 2024-10-08 02:00:17 UTC 
Thanks Dan. I just got back from vacation and was able to take a look.
Comment 12 Fedora Update System 2024-10-08 02:02:19 UTC 
FEDORA-2024-a5f64b06b2 (fail2ban-1.1.0-4.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.