Bug#1127640: systemd disables SSH host key verification for UNIX, vsock, machine connections
Aaron D. Johnson
debbugreporter at fnord.greeley.co.us
Tue Feb 10 21:29:42 GMT 2026
Package: systemd
Version: 259.1-1
Severity: normal
systemd upstream ships a
/usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf file (and a
/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf symlink to it exists in
the Debian package) that disables clients' checking of SSH server
host keys over AF_UNIX and AF_VSOCK connections. This breaks the SSH
trust-on-first-use (or before first use with ssh-keyscan) security model
for all such connections.
-- Package-specific info:
-- System Information:
Debian Release: forky/sid
APT prefers unreleased
APT policy: (500, 'unreleased'), (500, 'unstable')
Architecture: ppc64
Kernel: Linux 6.1.0-9-powerpc64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages systemd depends on:
ii libc6 2.42-12
ii libssl3t64 3.5.4-1+b1
ii libsystemd-shared 259.1-1
ii libsystemd0 259.1-1
ii mount 2.41.3-3
Versions of packages systemd recommends:
pn default-dbus-system-bus | dbus-system-bus <none>
pn linux-sysctl-defaults <none>
ii login 1:4.16.0-2+really2.41.3-3
ii ntpsec [time-daemon] 1.2.3+dfsg1-8
pn systemd-cryptsetup <none>
Versions of packages systemd suggests:
pn libtss2-tcti-device0 <none>
pn polkitd <none>
pn systemd-boot <none>
pn systemd-container <none>
pn systemd-homed <none>
pn systemd-repart <none>
pn systemd-resolved <none>
pn systemd-userdbd <none>
Versions of packages systemd is related to:
pn dbus-user-session <none>
pn dracut <none>
ii initramfs-tools 0.150
pn libnss-systemd <none>
pn libpam-systemd <none>
ii udev 259.1-1
-- no debconf information
-------------- next part --------------
[OVERRIDDEN] /usr/lib/systemd/system/user@.service.d/10-login-barrier.conf -> /usr/lib/systemd/system/user@0.service.d/10-login-barrier.conf
--- /usr/lib/systemd/system/user at 0.service.d/10-login-barrier.conf 2026-02-06 14:34:41.000000000 +0000
+++ /usr/lib/systemd/system/user at .service.d/10-login-barrier.conf 2026-02-06 14:34:41.000000000 +0000
@@ -7,6 +7,8 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
-# Empty file to mask its counterpart for unprivileged users and thus cancels
-# "After=systemd-user-session.service" ordering constraint so that root can log
-# in even if the boot process is not yet finished.
+[Unit]
+# Make sure user instances are started after logins are allowed. However this
+# is not desirable for user at 0.service since root should be able to log in
+# earlier during the boot process especially if something goes wrong.
+After=systemd-user-sessions.service
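Review bot: the comment on the "-" lines (the user@0.service.d drop-in) names the unit as "systemd-user-session.service", while the directive it describes, on the last "+" line, is "After=systemd-user-sessions.service" (plural). The comment should use the plural unit name so that it matches the ordering constraint it says is being cancelled.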
[EXTENDED] /usr/lib/systemd/system/rc-local.service -> /usr/lib/systemd/system/rc-local.service.d/debian.conf
[EXTENDED] /usr/lib/systemd/system/systemd-fsck-root.service -> /usr/lib/systemd/system/systemd-fsck-root.service.d/10-skip-fsck-initramfs.conf
[EXTENDED] /usr/lib/systemd/system/systemd-localed.service -> /usr/lib/systemd/system/systemd-localed.service.d/x11-keyboard.conf
[EXTENDED] /usr/lib/systemd/system/systemd-logind.service -> /usr/lib/systemd/system/systemd-logind.service.d/dbus.conf
[EXTENDED] /usr/lib/systemd/system/systemd-udevd.service -> /usr/lib/systemd/system/systemd-udevd.service.d/syscall-architecture.conf
[EXTENDED] /usr/lib/systemd/system/user@.service -> /usr/lib/systemd/system/user@.service.d/10-login-barrier.conf
7 overridden configuration files found.
-------------- next part --------------
Failed to connect to system scope bus via local transport: No such file or directory
-------------- next part --------------
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/vg00-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/md127 during installation
UUID=b9cc43d7-e381-4c11-9a21-6beb7d32b6a7 /boot ext4 defaults 0 2
/dev/mapper/vg00-home /home ext4 defaults 0 2
/dev/mapper/vg00-opt /opt ext4 defaults 0 2
/dev/mapper/vg00-tmp /tmp ext4 defaults 0 2
/dev/mapper/vg00-var /var ext4 defaults 0 2
/dev/mapper/vg00-swap none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
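One way to check a system for the behaviour this report describes, as an added example that is not part of the original report or of systemd: a POSIX shell function that lists directives in ssh_config drop-ins which switch off host key checking. The function names, the sample file names and the sample drop-in contents are constructed for the demo and are not copied from the packaged file.

```shell
#!/bin/sh
# Added example: list ssh_config drop-in directives that switch off host key checks.

# audit_ssh_dropins DIR -> one line per finding: "file: [scope] Keyword value"
audit_ssh_dropins() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
            /^#/ || /^$/ { next }
            !match($0, /^[A-Za-z]+/) { next }
            {
                key = substr($0, 1, RLENGTH)
                val = substr($0, RLENGTH + 1)
                # ssh_config accepts both "Keyword value" and "Keyword=value".
                sub(/^[ \t]*=?[ \t]*/, "", val)
                gsub(/"/, "", val)
                lkey = tolower(key); lval = tolower(val)
                # Host/Match open a new scope for the directives that follow.
                if (lkey == "host" || lkey == "match") { scope = key " " val; next }
                weak = (lkey == "stricthostkeychecking" && (lval == "no" || lval == "off")) ||
                       (lkey == "userknownhostsfile" && (lval == "/dev/null" || lval == "none"))
                if (weak) printf "%s: [%s] %s %s\n", file, (scope == "" ? "global" : scope), key, val
            }' "$f"
    done
}

# make_sample DIR: constructed drop-ins for the demo (not copied from any package).
make_sample() {
    cat > "$1/20-example-proxy.conf" <<'EOF'
# constructed sample: host checks disabled for local socket transports
Host unix/* vsock/* machine/*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
EOF
    cat > "$1/50-example-site.conf" <<'EOF'
Host *
    StrictHostKeyChecking=accept-new
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_ssh_dropins "$demo_dir"   # on a real host: audit_ssh_dropins /etc/ssh/ssh_config.d
rm -rf "$demo_dir"
```

To see what a particular destination resolves to once all drop-ins are merged, `ssh -G <destination>` prints the effective client options without connecting.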