Merge ~enr0n/ubuntu/+source/openssh:merge-mantic-lp2025664 into ubuntu/+source/openssh:debian/sid
Status: Needs review
Proposed branch: ~enr0n/ubuntu/+source/openssh:merge-mantic-lp2025664
Merge into: ubuntu/+source/openssh:debian/sid
Diff against target: 1733 lines (+1122/-112), 31 files modified

- debian/README.Debian (+10/-17)
- debian/changelog (+190/-0)
- debian/control (+2/-1)
- debian/openssh-server.postinst (+205/-6)
- debian/openssh-server.postrm (+4/-0)
- debian/openssh-server.templates (+12/-0)
- debian/openssh-server.tmpfile (+2/-0)
- debian/openssh-server.ucf-md5sum (+24/-0)
- debian/patches/series (+2/-0)
- debian/patches/socket-activation-documentation.patch (+50/-0)
- debian/patches/systemd-socket-activation.patch (+141/-49)
- debian/patches/test-set-UsePAM-no-on-some-tests.patch (+41/-0)
- debian/po/cs.po (+26/-1)
- debian/po/da.po (+26/-1)
- debian/po/de.po (+26/-1)
- debian/po/es.po (+26/-1)
- debian/po/fr.po (+26/-1)
- debian/po/it.po (+26/-1)
- debian/po/ja.po (+26/-1)
- debian/po/nl.po (+26/-1)
- debian/po/pt.po (+26/-1)
- debian/po/pt_BR.po (+26/-1)
- debian/po/ru.po (+28/-3)
- debian/po/sv.po (+26/-1)
- debian/po/templates.pot (+27/-2)
- debian/po/tr.po (+27/-2)
- debian/rules (+3/-2)
- debian/systemd/ssh.service (+0/-2)
- debian/tests/control (+6/-0)
- debian/tests/systemd-socket-activation (+62/-0)
- dev/null (+0/-17)

Related bugs:
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Simon Chopin (community) | Approve | ||
git-ubuntu import | Pending | ||
Commit message
Description of the change
autopkgtest:
openssh 1:9.3p1-
openssh 1:9.3p1-
openssh 1:9.3p1-
openssh 1:9.3p1-
openssh 1:9.3p1-
Nick Rosbrook (enr0n) wrote:
FWIW, I do have a PR on salsa for some of this (https:/
Unmerged commits
- 2f2d354... by Nick Rosbrook
  update changelog
- 4f2fbae... by Nick Rosbrook
  update-maintainer
- dc4b77f... by Nick Rosbrook
  reconstruct-changelog
- 46c8429... by Nick Rosbrook
  merge-changelogs
- 6307fd2... by Nick Rosbrook
  * debian/rules: Do not stop ssh.socket on upgrade
- 16e07b1... by Nick Rosbrook
  * debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
- 9635df5... by Nick Rosbrook
  * debian/openssh-server.postint:
    - When upgrading from affected versions of openssh, do not try to
      restart systemd units, and instead indicate that a reboot is required
- 505142a... by Nick Rosbrook
  * d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
- 710a492... by Nick Rosbrook
  * debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
    activation functionality.
- af2bb70... by Nick Rosbrook
  * debian/patches/systemd-socket-activation.patch: Fix sshd
    re-execution behavior when socket activation is used
Preview Diff
1 | diff --git a/debian/.gitignore b/debian/.gitignore |
2 | deleted file mode 100644 |
3 | index 988323b..0000000 |
4 | --- a/debian/.gitignore |
5 | +++ /dev/null |
6 | @@ -1,17 +0,0 @@ |
7 | -/*.debhelper* |
8 | -/*substvars |
9 | -/build-deb |
10 | -/build-udeb |
11 | -/files |
12 | -/keygen-test/key1 |
13 | -/keygen-test/key1.pub |
14 | -/keygen-test/key2 |
15 | -/keygen-test/key2.pub |
16 | -/openssh-client |
17 | -/openssh-client-udeb |
18 | -/openssh-server |
19 | -/openssh-server-udeb |
20 | -/ssh |
21 | -/ssh-askpass-gnome |
22 | -/ssh-krb5 |
23 | -/tmp |
24 | diff --git a/debian/README.Debian b/debian/README.Debian |
25 | index 6aab9cb..8067852 100644 |
26 | --- a/debian/README.Debian |
27 | +++ b/debian/README.Debian |
28 | @@ -184,23 +184,7 @@ this sshd manually on upgrades. |
29 | Socket-based activation with systemd |
30 | ------------------------------------ |
31 | |
32 | -If you want to reconfigure systemd to listen on port 22 itself and launch |
33 | -sshd on connection (systemd-style socket activation), then you can run: |
34 | - |
35 | - systemctl disable --now ssh.service |
36 | - systemctl start ssh.socket |
37 | - |
38 | -To roll back this change, run: |
39 | - |
40 | - systemctl stop ssh.socket |
41 | - systemctl enable --now ssh.service |
42 | - |
43 | -Or if you want to make this change permanent: |
44 | - |
45 | - systemctl enable ssh.socket |
46 | - |
47 | -This may be appropriate in environments where minimal footprint is critical |
48 | -(e.g. cloud guests). |
49 | +By default, socket-based activation is used on systems that use systemd. |
50 | |
51 | The provided ssh.socket unit file sets ListenStream=22. If you need to have |
52 | it listen on a different address or port, then you will need to do this as |
53 | @@ -216,6 +200,15 @@ follows (modifying ListenStream to match your requirements): |
54 | |
55 | See systemd.socket(5) for details. |
56 | |
57 | +If you do not want to use socket activation for ssh on your system, you |
58 | +can disable socket activation by running: |
59 | + |
60 | + systemctl disable --now ssh.socket |
61 | + rm -f /etc/systemd/system/ssh.service.d/00-socket.conf |
62 | + rm -f /etc/systemd/system/ssh.socket.d/addresses.conf |
63 | + systemctl daemon-reload |
64 | + systemctl enable --now ssh.service |
65 | + |
66 | Terminating SSH sessions cleanly on shutdown/reboot with systemd |
67 | ---------------------------------------------------------------- |
68 | |
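Review bot: The disable steps at `rm -f /etc/systemd/system/ssh.socket.d/addresses.conf` discard any non-default ListenStream the admin configured, and the paragraph does not say that `Port`/`ListenAddress` then have to be restored in /etc/ssh/sshd_config. Once `systemctl enable --now ssh.service` runs, sshd listens on whatever sshd_config says, which on a migrated system may be the default of port 22 on all addresses. Suggest adding a sentence telling the reader to copy the address and port settings back into sshd_config before removing the drop-in.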
69 | diff --git a/debian/changelog b/debian/changelog |
70 | index bdaab26..1e4cac3 100644 |
71 | --- a/debian/changelog |
72 | +++ b/debian/changelog |
73 | @@ -1,3 +1,36 @@ |
74 | +openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium |
75 | + |
76 | + * Merge with Debian unstable (LP: #2025664). Remaining changes: |
77 | + - debian/rules: modify dh_installsystemd invocations for |
78 | + socket-activated sshd |
79 | + - debian/openssh-server.postinst: handle migration of sshd_config options |
80 | + to systemd socket options on upgrade. |
81 | + - debian/README.Debian: document systemd socket activation. |
82 | + - debian/patches/socket-activation-documentation.patch: Document in |
83 | + sshd_config(5) that ListenAddress and Port no longer work. |
84 | + - debian/openssh-server.templates: include debconf prompt explaining |
85 | + when migration cannot happen due to multiple ListenAddress values |
86 | + - debian/.gitignore: drop file |
87 | + - debian/openssh-server.postrm: remove systemd drop-ins for |
88 | + socket-activated sshd on purge |
89 | + - debian/openssh-server.ucf-md5sum: update for Ubuntu delta |
90 | + - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move |
91 | + /run/sshd creation out of the systemd unit to a tmpfile config so |
92 | + that sshd can be run manually if necessary without having to create |
93 | + this directory by hand. |
94 | + - debian/patches/systemd-socket-activation.patch: Fix sshd |
95 | + re-execution behavior when socket activation is used |
96 | + - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket |
97 | + activation functionality. |
98 | + - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests |
99 | + - Ensure smooth upgrade path from versions affected by LP: #2020474: |
100 | + + debian/openssh-server.postint: do not try to restart systemd units, |
101 | + and instead indicate that a reboot is required |
102 | + + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test |
103 | + + debian/rules: Do not stop ssh.socket on upgrade |
104 | + |
105 | + -- Nick Rosbrook <nick.rosbrook@canonical.com> Mon, 03 Jul 2023 11:34:47 -0400 |
106 | + |
107 | openssh (1:9.3p1-1) unstable; urgency=medium |
108 | |
109 | * Debconf translations: |
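Review bot: `debian/openssh-server.postint` under "Ensure smooth upgrade path" in the new 1:9.3p1-1ubuntu1 entry is a typo for `debian/openssh-server.postinst`, the file this diff actually changes. Fix it in this entry, which has not been uploaded yet, so that a search of the changelog for the maintainer script name finds it.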
110 | @@ -55,6 +88,64 @@ openssh (1:9.3p1-1) unstable; urgency=medium |
111 | |
112 | -- Colin Watson <cjwatson@debian.org> Tue, 20 Jun 2023 01:01:48 +0100 |
113 | |
114 | +openssh (1:9.2p1-2ubuntu3) mantic; urgency=medium |
115 | + |
116 | + * Fix upgrade of openssh-server with active ssh session (LP: #2020474) |
117 | + - debian/patches/systemd-socket-activation.patch: |
118 | + + Do force closing of listen sockets in child process |
119 | + + Set rexec_flag = 0 when sshd is socket-activated so that child process |
120 | + does not re-exec |
121 | + - debian/openssh-server.postint: |
122 | + + When upgrading from affected versions of openssh, do not try to |
123 | + restart systemd units, and instead indicate that a reboot is required |
124 | + - debian/tests/systemd-socket-activation: |
125 | + + Reboot the testbed before starting the test |
126 | + - debian/rules: |
127 | + + Do not stop ssh.socket on upgrade |
128 | + * d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests |
129 | + |
130 | + -- Nick Rosbrook <nick.rosbrook@canonical.com> Wed, 24 May 2023 18:02:11 -0400 |
131 | + |
132 | +openssh (1:9.2p1-2ubuntu2) mantic; urgency=medium |
133 | + |
134 | + * debian/README.Debian: Fix path of addresses.conf drop-in |
135 | + |
136 | + -- Nick Rosbrook <nick.rosbrook@canonical.com> Tue, 23 May 2023 10:50:35 -0400 |
137 | + |
138 | +openssh (1:9.2p1-2ubuntu1) mantic; urgency=medium |
139 | + |
140 | + * Merge with Debian unstable (LP: #2018094). Remaining changes: |
141 | + - debian/rules: modify dh_installsystemd invocations for |
142 | + socket-activated sshd |
143 | + - debian/openssh-server.postinst: handle migration of sshd_config options |
144 | + to systemd socket options on upgrade. |
145 | + - debian/README.Debian: document systemd socket activation. |
146 | + - debian/patches/socket-activation-documentation.patch: Document in |
147 | + sshd_config(5) that ListenAddress and Port no longer work. |
148 | + - debian/openssh-server.templates: include debconf prompt explaining |
149 | + when migration cannot happen due to multiple ListenAddress values |
150 | + - debian/.gitignore: drop file |
151 | + - debian/openssh-server.postrm: remove systemd drop-ins for |
152 | + socket-activated sshd on purge |
153 | + - debian/openssh-server.ucf-md5sum: Update list of stock sshd_config |
154 | + checksums to include those from jammy and kinetic. |
155 | + - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move |
156 | + /run/sshd creation out of the systemd unit to a tmpfile config so |
157 | + that sshd can be run manually if necessary without having to create |
158 | + this directory by hand. |
159 | + - debian/patches/systemd-socket-activation.patch: Fix sshd |
160 | + re-execution behavior when socket activation is used |
161 | + - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket |
162 | + activation functionality. |
163 | + * Dropped changes, included in Debian: |
164 | + - debian/patches/systemd-socket-activation.patch: Initial implementation |
165 | + * New changes: |
166 | + - debian/README.Debian: mention drop-in configurations in instructions |
167 | + for disabling sshd socket activation (LP: #2017434). |
168 | + - debian/openssh-server.ucf-md5sum: update for Ubuntu delta |
169 | + |
170 | + -- Nick Rosbrook <nick.rosbrook@canonical.com> Fri, 19 May 2023 15:18:17 -0400 |
171 | + |
172 | openssh (1:9.2p1-2) unstable; urgency=medium |
173 | |
174 | * Fix mistakenly-unreleased entry for 1:9.2p1-1 in debian/NEWS. |
175 | @@ -306,6 +397,105 @@ openssh (1:9.1p1-1) unstable; urgency=medium |
176 | |
177 | -- Colin Watson <cjwatson@debian.org> Mon, 14 Nov 2022 16:25:45 +0000 |
178 | |
179 | +openssh (1:9.0p1-1ubuntu8.1) lunar; urgency=medium |
180 | + |
181 | + * debian/patches/systemd-socket-activation.patch: Fix re-execution behavior |
182 | + (LP: #2011458): |
183 | + - Remove FD_CLOEXEC on fds passed by systemd to prevent automatic closing |
184 | + when sshd re-executes. |
185 | + - Do not manually close fds passed by systemd when re-executing. |
186 | + - Only call sd_listen_fds() once, and only in the parent process. |
187 | + - Check the LISTEN_FDS environment variable to get the number of fds |
188 | + passed by systemd when re-executing as a child process. |
189 | + * debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket |
190 | + activation functionality. |
191 | + |
192 | + -- Nick Rosbrook <nick.rosbrook@canonical.com> Fri, 31 Mar 2023 12:44:32 -0400 |
193 | + |
194 | +openssh (1:9.0p1-1ubuntu8) lunar; urgency=medium |
195 | + |
196 | + * debian/openssh-server.postinst: Fix handling of ListenAddress when a port |
197 | + is specified (LP: #1993478): |
198 | + - Strip port before converting hostnames to numerical addresses. |
199 | + - Only append ports when the ListenAddress does not already specify a |
200 | + port. |
201 | + - Revert socket migration on upgrade if a previous version did the |
202 | + migration when it should not have. |
203 | + * debian/openssh-server.postinst: Ignore empty directory failure from rmdir |
204 | + when skipping socket migration (LP: #1995294). |
205 | + |
206 | + -- Nick Rosbrook <nick.rosbrook@canonical.com> Tue, 25 Oct 2022 11:57:43 -0400 |
207 | + |
208 | +openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium |
209 | + |
210 | + * Update list of stock sshd_config checksums to include those from |
211 | + jammy and kinetic. |
212 | + * Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to |
213 | + avoid spurious ucf prompts on upgrade. |
214 | + * Move /run/sshd creation out of the systemd unit to a tmpfile config |
215 | + so that sshd can be run manually if necessary without having to create |
216 | + this directory by hand. LP: #1991283. |
217 | + |
218 | + [ Nick Rosbrook ] |
219 | + * debian/openssh-server.postinst: Fix addresses.conf generation when only |
220 | + non-default Port is used in /etc/ssh/sshd_config (LP: #1991199). |
221 | + |
222 | + -- Steve Langasek <vorlon@debian.org> Mon, 26 Sep 2022 21:55:14 +0000 |
223 | + |
224 | +openssh (1:9.0p1-1ubuntu6) kinetic; urgency=medium |
225 | + |
226 | + * Fix syntax error in postinst :/ |
227 | + |
228 | + -- Steve Langasek <vorlon@debian.org> Fri, 23 Sep 2022 19:51:32 +0000 |
229 | + |
230 | +openssh (1:9.0p1-1ubuntu5) kinetic; urgency=medium |
231 | + |
232 | + * Correctly handle the case of new installs, and correctly apply systemd |
233 | + unit overrides on upgrade from existing kinetic systems. |
234 | + |
235 | + -- Steve Langasek <vorlon@debian.org> Fri, 23 Sep 2022 19:45:18 +0000 |
236 | + |
237 | +openssh (1:9.0p1-1ubuntu4) kinetic; urgency=medium |
238 | + |
239 | + * Don't migrate users to socket activation if multiple ListenAddresses |
240 | + might make sshd unreliable on boot. |
241 | + * Fix regexp bug that prevented proper migration of IPv6 address settings. |
242 | + |
243 | + -- Steve Langasek <vorlon@debian.org> Fri, 23 Sep 2022 19:35:37 +0000 |
244 | + |
245 | +openssh (1:9.0p1-1ubuntu3) kinetic; urgency=medium |
246 | + |
247 | + * Document in the default sshd_config file the changes in behavior |
248 | + triggered by use of socket-based activation. |
249 | + |
250 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 26 Aug 2022 00:40:11 +0000 |
251 | + |
252 | +openssh (1:9.0p1-1ubuntu2) kinetic; urgency=medium |
253 | + |
254 | + * Fix manpage to not claim socket-based activation is the default on |
255 | + Debian! |
256 | + |
257 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 26 Aug 2022 00:21:42 +0000 |
258 | + |
259 | +openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium |
260 | + |
261 | + * debian/patches/systemd-socket-activation.patch: support systemd |
262 | + socket activation. |
263 | + * debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket |
264 | + activation by default. |
265 | + * debian/rules: rejigger dh_installsystemd invocations so ssh.service and |
266 | + ssh.socket don't fight. |
267 | + * debian/openssh-server.postinst: handle migration of sshd_config options |
268 | + to systemd socket options on upgrade. |
269 | + * debian/README.Debian: document systemd socket activation. |
270 | + * debian/patches/socket-activation-documentation.patch: Document in |
271 | + sshd_config(5) that ListenAddress and Port no longer work. |
272 | + * debian/openssh-server.templates, debian/openssh-server.postinst: include |
273 | + debconf warning about possible service failure with multiple |
274 | + ListenAddress settings. |
275 | + |
276 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 19 Aug 2022 20:43:16 +0000 |
277 | + |
278 | openssh (1:9.0p1-1) unstable; urgency=medium |
279 | |
280 | * New upstream release (https://www.openssh.com/releasenotes.html#9.0p1): |
281 | diff --git a/debian/control b/debian/control |
282 | index f3ed979..aa9cc2e 100644 |
283 | --- a/debian/control |
284 | +++ b/debian/control |
285 | @@ -1,7 +1,8 @@ |
286 | Source: openssh |
287 | Section: net |
288 | Priority: standard |
289 | -Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> |
290 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
291 | +XSBC-Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> |
292 | Build-Depends: debhelper (>= 13.1~), |
293 | debhelper-compat (= 13), |
294 | dh-exec, |
295 | diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst |
296 | index 4114d35..cc70316 100644 |
297 | --- a/debian/openssh-server.postinst |
298 | +++ b/debian/openssh-server.postinst |
299 | @@ -17,6 +17,87 @@ get_config_option() { |
300 | /usr/sbin/sshd -G | sed -n "s/^$option //Ip" |
301 | } |
302 | |
303 | +get_config_option_all() { |
304 | + option="$1" |
305 | + file="$2" |
306 | + |
307 | + if [ -z "$file" ]; then |
308 | + file=/etc/ssh/sshd_config |
309 | + fi |
310 | + |
311 | + [ -f "$file" ] || return 0 |
312 | + # ListenAddress and Port only take a single word argument so anything |
313 | + # after this must be a comment |
314 | + while read option2 value junk; do |
315 | + case $option2 in |
316 | + $option) |
317 | + echo $value |
318 | + ;; |
319 | + Include) |
320 | + # globs |
321 | + for f in $value; do |
322 | + get_config_option_all "$option" "$f" |
323 | + done |
324 | + ;; |
325 | + esac |
326 | + done < $file |
327 | +} |
328 | + |
329 | +hostnames_to_addresses() { |
330 | + addresses="$1" |
331 | + for address in $addresses; do |
332 | + address_no_port="$(address_strip_port $address)" |
333 | + if echo "$address_no_port" | grep -q '^[0-9a-f:]\+$\|^[0-9.]\+$'; then |
334 | + numeric_addresses="$numeric_addresses $address" |
335 | + else |
336 | + new_addresses=$( (getent ahostsv4 $address_no_port; |
337 | + getent ahostsv6 $address_no_port) \ |
338 | + | awk '$1 ~ /^::ffff:/ || $2 != "STREAM" { next; } |
339 | + $1 ~ /:/ { print "[" $1 "]"; next; } |
340 | + { print $1 }' \ |
341 | + | sort -u) |
342 | + port="$(port_from_address $address)" |
343 | + if [ -n "$port" ]; then |
344 | + new_addresses="$(for addr in $new_addresses; do echo $addr:$port; done)" |
345 | + fi |
346 | + numeric_addresses="$numeric_addresses $new_addresses" |
347 | + fi |
348 | + done |
349 | + echo "$numeric_addresses" |
350 | +} |
351 | + |
352 | +port_from_address() { |
353 | + address="$1" |
354 | + if echo $address | grep -q '^\[[0-9a-f:]*\]:'; then |
355 | + # This is an IPv6 address with a port. |
356 | + port="$(echo $address | awk -F':' '{print $NF}')" |
357 | + elif echo $address | grep -q '^\[[0-9a-f:]*\]\+$\|^[0-9a-f:]\+$'; then |
358 | + # This is an IPv6 address without a port. |
359 | + port="" |
360 | + else |
361 | + # This is an IPv4 address or hostname, where the port |
362 | + # may or may not be specified. |
363 | + port="$(echo $address | awk -F':' '{print $2}')" |
364 | + fi |
365 | + echo "$port" |
366 | +} |
367 | + |
368 | +address_strip_port() { |
369 | + address="$1" |
370 | + if echo $address | grep -q '^\[[0-9a-f:]*\]\(:\|$\)'; then |
371 | + # This is an IPv6 address in brackets, with or without a port. |
372 | + address_no_port="$(echo $address | awk -F '[][]' '{print $2}')" |
373 | + elif echo $address | grep -q '^[0-9a-f:]\+$'; then |
374 | + # This is an IPv6 address with no brackets and no port. |
375 | + address_no_port="$address" |
376 | + else |
377 | + # This is an IPv4 address or hostname, where the port |
378 | + # may or may not be specified. |
379 | + address_no_port="$(echo $address | awk -F':' '{print $1}')" |
380 | + fi |
381 | + echo "$address_no_port" |
382 | +} |
383 | + |
384 | |
385 | create_key() { |
386 | msg="$1" |
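Review bot: In `get_config_option_all`, the `case $option2 in $option)` match is case-sensitive, while sshd_config keywords are case-insensitive and the existing `get_config_option` above matches with sed's `I` flag. A config that spells the keyword `port` or `listenaddress` is skipped, and the migration then leaves ssh.socket on the stock ListenStream instead of the admin's restricted address. Suggest normalising `$option2` and `$option` to lower case before the `case`. In the same function, `read` lacks `-r`, `$file` is unquoted in `done < $file`, and the `Include)` branch expands only the first pattern and does so relative to the current directory, so an Include with several patterns or a path relative to /etc/ssh is not followed.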
387 | @@ -54,15 +135,20 @@ create_keys() { |
388 | |
389 | |
390 | new_config= |
391 | +workaround= |
392 | |
393 | cleanup() { |
394 | if [ "$new_config" ]; then |
395 | rm -f "$new_config" |
396 | fi |
397 | + if [ "$workaround" ]; then |
398 | + rm -f "$workaround" |
399 | + fi |
400 | } |
401 | |
402 | |
403 | create_sshdconfig() { |
404 | + prev_ver="$1" |
405 | # XXX cjwatson 2016-12-24: This debconf template is very confusingly |
406 | # named; its description is "Disable SSH password authentication for |
407 | # root?", so true -> prohibit-password (the upstream default), |
408 | @@ -84,6 +170,21 @@ create_sshdconfig() { |
409 | "$new_config" |
410 | fi |
411 | mkdir -pZ /etc/ssh |
412 | + |
413 | + # Workaround for LP: #1968873: if we have an sshd_config with a known |
414 | + # checksum, confirm it via ucf before applying the changes from |
415 | + # the new version. |
416 | + if dpkg --compare-versions "$prev_ver" lt-nl 1:9.0p1-1ubuntu7 \ |
417 | + && grep -q "^$(md5sum /etc/ssh/sshd_config | awk '{ print $1 }')" \ |
418 | + /usr/share/openssh/sshd_config.md5sum |
419 | + then |
420 | + workaround="$(mktemp)" |
421 | + sed -e'14,16d' "$new_config" > "$workaround" |
422 | + ucf --three-way --debconf-ok \ |
423 | + --sum-file /usr/share/openssh/sshd_config.md5sum \ |
424 | + "$workaround" /etc/ssh/sshd_config |
425 | + fi |
426 | + |
427 | ucf --three-way --debconf-ok \ |
428 | --sum-file /usr/share/openssh/sshd_config.md5sum \ |
429 | "$new_config" /etc/ssh/sshd_config |
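Review bot: `sed -e'14,16d' "$new_config"` deletes three lines by position, and nothing in the hunk says which lines 14-16 are. Any later change near the top of the sshd_config template would make this silently drop the wrong lines, and the workaround would stop doing what the comment describes. Suggest deleting by pattern on the text of the lines meant, or at least adding a comment naming them. The comment cites LP: #1968873 while the 1:9.0p1-1ubuntu7 changelog entry describes its ucf workaround as LP: #1990863; worth confirming which bug number is intended.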
430 | @@ -97,7 +198,7 @@ setup_sshd_user() { |
431 | } |
432 | |
433 | if [ "$action" = configure ]; then |
434 | - create_sshdconfig |
435 | + create_sshdconfig "$2" |
436 | create_keys |
437 | setup_sshd_user |
438 | if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \ |
439 | @@ -110,18 +211,116 @@ if [ "$action" = configure ]; then |
440 | # which we now move back into place. |
441 | mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli |
442 | fi |
443 | - if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \ |
444 | - deb-systemd-helper --quiet was-enabled ssh.socket && \ |
445 | - [ -d /run/systemd/system ] |
446 | + if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu8~ |
447 | then |
448 | # migrate to systemd socket activation. |
449 | - systemctl unmask ssh.service |
450 | - systemctl disable ssh.service |
451 | + addresses=$(get_config_option_all ListenAddress) |
452 | + addresses=$(hostnames_to_addresses "$addresses") |
453 | + ports=$(get_config_option_all Port) |
454 | + if [ -n "$addresses$ports" ] |
455 | + then |
456 | + override_dir=/etc/systemd/system/ssh.socket.d |
457 | + mkdir -p "$override_dir" |
458 | + echo '[Socket]' > "$override_dir"/addresses.conf.new |
459 | + echo 'ListenStream=' >> "$override_dir"/addresses.conf.new |
460 | + fi |
461 | + if [ -n "$addresses" ]; then |
462 | + [ -n "$ports" ] || ports=22 |
463 | + count=0 |
464 | + for address in $addresses; do |
465 | + count=$((count+1)) |
466 | + port_from_address="$(port_from_address $address)" |
467 | + if [ -z "$port_from_address" ]; then |
468 | + for port in $ports; do |
469 | + echo "ListenStream=$address:$port" \ |
470 | + >> "$override_dir"/addresses.conf.new |
471 | + done |
472 | + else |
473 | + echo "ListenStream=$address" \ |
474 | + >> "$override_dir"/addresses.conf.new |
475 | + fi |
476 | + done |
477 | + if [ $count -gt 1 ]; then |
478 | + db_input critical openssh-server/listenstream-may-fail || true |
479 | + db_go || true |
480 | + rm -f "$override_dir"/addresses.conf.new |
481 | + rmdir --ignore-fail-on-non-empty "$override_dir" |
482 | + NO_SOCKET_MIGRATION=1 |
483 | + fi |
484 | + elif [ -n "$ports" ]; then |
485 | + for port in $ports; do |
486 | + echo "ListenStream=$port" \ |
487 | + >> "$override_dir"/addresses.conf.new |
488 | + done |
489 | + fi |
490 | + |
491 | + if [ -z "$NO_SOCKET_MIGRATION" ] && [ -n "$addresses$ports" ] |
492 | + then |
493 | + mv "$override_dir"/addresses.conf.new \ |
494 | + "$override_dir"/addresses.conf |
495 | + fi |
496 | fi |
497 | + if dpkg --compare-versions "$2" lt 1:9.0p1-1ubuntu5~; then |
498 | + if [ -z "$NO_SOCKET_MIGRATION" ]; then |
499 | + override_dir=/etc/systemd/system/ssh.service.d |
500 | + mkdir -p "$override_dir" |
501 | + echo '[Unit]' > "$override_dir"/00-socket.conf |
502 | + echo 'After=ssh.socket' >> "$override_dir"/00-socket.conf |
503 | + echo 'Requires=ssh.socket' >> "$override_dir"/00-socket.conf |
504 | + |
505 | + # deb-systemd-helper is inadequate for the task of |
506 | + # changing policy for the units on upgrade |
507 | + if [ -d /run/systemd/system ]; then |
508 | + systemctl daemon-reload |
509 | + systemctl disable ssh.service |
510 | + systemctl unmask ssh.service |
511 | + systemctl stop ssh.service |
512 | + systemctl enable ssh.socket |
513 | + fi |
514 | + fi |
515 | + fi |
516 | + |
517 | + # Revert socket migration if we can determine the user hit |
518 | + # LP: #1993478. |
519 | + if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu7~ \ |
520 | + && [ -e /etc/systemd/system/ssh.socket.d/addresses.conf ] \ |
521 | + && [ -e /etc/systemd/system/ssh.service.d/00-socket.conf ] \ |
522 | + && [ -n "$NO_SOCKET_MIGRATION" ]; then |
523 | + rm /etc/systemd/system/ssh.socket.d/addresses.conf |
524 | + rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.socket.d |
525 | + rm /etc/systemd/system/ssh.service.d/00-socket.conf |
526 | + rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.service.d |
527 | + if [ -d /run/systemd/system ]; then |
528 | + systemctl daemon-reload |
529 | + systemctl disable ssh.socket |
530 | + systemctl stop ssh.socket |
531 | + systemctl enable ssh.service |
532 | + fi |
533 | + fi |
534 | fi |
535 | |
536 | #DEBHELPER# |
537 | |
538 | +if [ -d /run/systemd/system ]; then |
539 | + # If the running sshd contains the patch from LP: #2011458, without |
540 | + # the patch from LP: #2020474, then we cannot restart ssh.socket while |
541 | + # an ssh session is active. Rather than trying to restart these units, |
542 | + # indicate that a reboot is required to finish configuring the new version. |
543 | + if dpkg --compare-versions "$2" eq "1:9.0p1-1ubuntu8.1" \ |
544 | + || dpkg --compare-versions "$2" ge "1:9.2p1-2ubuntu1" \ |
545 | + && dpkg --compare-versions "$2" lt "1:9.2p1-2ubuntu3"; then |
546 | + if ! grep -Fqsx openssh-server /run/reboot-required.pkgs; then |
547 | + echo openssh-server >> /run/reboot-required.pkgs || true |
548 | + fi |
549 | + else |
550 | + if deb-systemd-helper --quiet was-enabled ssh.socket; then |
551 | + deb-systemd-invoke restart ssh.socket |
552 | + elif deb-systemd-helper --quiet was-enabled ssh.service; then |
553 | + deb-systemd-invoke restart ssh.service |
554 | + fi |
555 | + fi |
556 | +fi |
557 | + |
558 | db_stop |
559 | |
560 | exit 0 |
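Review bot: In the migration loop, `echo "ListenStream=$address:$port"` is also reached for an unbracketed IPv6 `ListenAddress`. `hostnames_to_addresses` passes numeric addresses through unchanged and `port_from_address` returns an empty port for them, so `ListenAddress ::1` becomes `ListenStream=::1:22` rather than the `[::1]:22` form that systemd.socket(5) documents for IPv6. With a single address the migration proceeds, and because the drop-in starts with an empty `ListenStream=`, the socket may be left without a usable listener. Suggest bracketing bare IPv6 literals before appending the port. Separately, the reboot branch only appends to /run/reboot-required.pkgs and never creates /run/reboot-required, the flag file that list normally accompanies, and the `A || B && C` condition relies on the shell's left-to-right grouping, which explicit `{ ...; }` grouping would make readable.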
561 | diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm |
562 | index fbaeb17..46798dd 100644 |
563 | --- a/debian/openssh-server.postrm |
564 | +++ b/debian/openssh-server.postrm |
565 | @@ -23,6 +23,10 @@ case $1 in |
566 | if command -v ucfr >/dev/null 2>&1; then |
567 | ucfr --purge openssh-server /etc/ssh/sshd_config |
568 | fi |
569 | + rm -f /etc/systemd/system/ssh.service.d/00-socket.conf |
570 | + rm -f /etc/systemd/system/ssh.socket.d/addresses.conf |
571 | + rmdir /etc/systemd/system/ssh.service.d || true |
572 | + rmdir /etc/systemd/system/ssh.socket.d || true |
573 | rm -f /etc/ssh/sshd_not_to_be_run |
574 | [ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh |
575 | |
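Review bot: The two new `rmdir ... || true` lines print an error into the purge output whenever the drop-in directory is absent or still holds an admin's own override. The line just below already uses `[ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh`; the same guard here would keep purge quiet and match what the postinst does with `rmdir --ignore-fail-on-non-empty`.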
576 | diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates |
577 | index e071fe3..31f2935 100644 |
578 | --- a/debian/openssh-server.templates |
579 | +++ b/debian/openssh-server.templates |
580 | @@ -21,3 +21,15 @@ Description: Allow password authentication? |
581 | By default, the SSH server will allow authenticating using a password. |
582 | You may want to change this if all users on this system authenticate using |
583 | a stronger authentication method, such as public keys. |
584 | + |
585 | +Template: openssh-server/listenstream-may-fail |
586 | +Type: error |
587 | +_Description: Not migrating to socket activation |
588 | + This version of openssh-server uses socket-based activation by default. |
589 | + However, because you have more than one ListenAddress configured in |
590 | + sshd_config, it is impossible to determine at upgrade time if migrating |
591 | + you to socket-based activation would cause the starting of sshd at boot |
592 | + to be unreliable. |
593 | + . |
594 | + Because a failure to start ssh may make it impossible to admininister a |
595 | + system, you will not be migrated to socket-based activation at this time. |
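Review bot: `admininister` in the second paragraph of openssh-server/listenstream-may-fail is a typo for `administer`. Since `_Description` is translatable and this diff also updates every debian/po/*.po file, fix it before the translations land rather than after, when the change would mark them fuzzy.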
596 | diff --git a/debian/openssh-server.tmpfile b/debian/openssh-server.tmpfile |
597 | new file mode 100644 |
598 | index 0000000..76c6323 |
599 | --- /dev/null |
600 | +++ b/debian/openssh-server.tmpfile |
601 | @@ -0,0 +1,2 @@ |
602 | +#Type Path Mode UID GID Age Arguments |
603 | +D /run/sshd 0755 root root - - |
604 | diff --git a/debian/openssh-server.ucf-md5sum b/debian/openssh-server.ucf-md5sum |
605 | index 3a9dc23..9a8efb6 100644 |
606 | --- a/debian/openssh-server.ucf-md5sum |
607 | +++ b/debian/openssh-server.ucf-md5sum |
608 | @@ -103,8 +103,32 @@ cc873ab3ccc9cf3a3830c3c0728c0d0b |
609 | 9f1bec115595c0f76282d80abe5d9bcc |
610 | ae1a449c8adb31cb603e28fda5342696 |
611 | |
612 | +# From 1:8.4p1-5 |
613 | +6dbdc3a27e1953d209f929df7aff0c57 |
614 | +0ef8c8fe6a3afd12382dbb93cd7bbb4e |
615 | +ae1a449c8adb31cb603e28fda5342696 |
616 | +9f1bec115595c0f76282d80abe5d9bcc |
617 | + |
618 | # From 1:8.7p1-1: |
619 | fe83fd23553510bb632dc8e6e35ab41a |
620 | d96ecd9064ea650c44372a5a33d3e497 |
621 | 7fdb195ac56e0bf1992e18ac656811af |
622 | 4e03b4df60cd00c651777ec14ff76aef |
623 | + |
624 | +# From 1:8.9p1-3 |
625 | +30e0fe758429c57d35a5e71dbd8dd2f8 |
626 | +23a8a2b1a8f1538be49eb86313367191 |
627 | +133f5f0119fbf5716b7d72048b25ea71 |
628 | +697a81708f11897cb0fef857563dee55 |
629 | + |
630 | +# From 1:9.0p1-1ubuntu3 |
631 | +90ace5da6c7eb3041732930972662f34 |
632 | +b2c07b86695152141e84f44e4414104a |
633 | +e7b9120b6e68c5666ac21a0cc03d4806 |
634 | +9389be84e67cd5a91b97de5ff03c9306 |
635 | + |
636 | +# From 1:9.2p1-2ubuntu1 |
637 | +fac56840f6697a357368bb878dd8fb87 |
638 | +d01da8c9de75176095712d4e37d5dcd5 |
639 | +e4898846045f33b8d99d3263d6f6fd81 |
640 | +ec46dc59ba9c9e9458add405264fcedd |
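Review bot: The new `# From 1:8.4p1-5` block repeats `ae1a449c8adb31cb603e28fda5342696` and `9f1bec115595c0f76282d80abe5d9bcc`, which already appear as the context lines directly above it. The duplicates are harmless to a checksum lookup but add noise to the list; drop the two repeats, and give the new `# From ...` headers the trailing colon that `# From 1:8.7p1-1:` uses so the comments stay consistent.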
641 | diff --git a/debian/patches/series b/debian/patches/series |
642 | index 87eebc3..650a6c5 100644 |
643 | --- a/debian/patches/series |
644 | +++ b/debian/patches/series |
645 | @@ -25,3 +25,5 @@ revert-ipqos-defaults.patch |
646 | maxhostnamelen.patch |
647 | conch-ssh-rsa.patch |
648 | systemd-socket-activation.patch |
649 | +socket-activation-documentation.patch |
650 | +test-set-UsePAM-no-on-some-tests.patch |
651 | diff --git a/debian/patches/socket-activation-documentation.patch b/debian/patches/socket-activation-documentation.patch |
652 | new file mode 100644 |
653 | index 0000000..9afde55 |
654 | --- /dev/null |
655 | +++ b/debian/patches/socket-activation-documentation.patch |
656 | @@ -0,0 +1,50 @@ |
657 | +Index: openssh-9.0p1/sshd_config.5 |
658 | +=================================================================== |
659 | +--- openssh-9.0p1.orig/sshd_config.5 |
660 | ++++ openssh-9.0p1/sshd_config.5 |
661 | +@@ -1069,6 +1069,15 @@ |
662 | + Multiple |
663 | + .Cm ListenAddress |
664 | + options are permitted. |
665 | ++.Pp |
666 | ++.Cm Note: |
667 | ++On Ubuntu, the openssh-server package is configured to use systemd |
668 | ++socket-based activation by default. Therefore if you are using systemd with |
669 | ++the default configuration, |
670 | ++.Cm ListenAddress |
671 | ++options will not be honored. Address configuration must be handled in |
672 | ++.Pa /etc/systemd/system/ssh.socket.d |
673 | ++instead. |
674 | + .It Cm LoginGraceTime |
675 | + The server disconnects after this time if the user has not |
676 | + successfully logged in. |
677 | +@@ -1520,6 +1529,15 @@ |
678 | + Multiple options of this type are permitted. |
679 | + See also |
680 | + .Cm ListenAddress . |
681 | ++.Pp |
682 | ++.Cm Note: |
683 | ++On Ubuntu, the openssh-server package is configured to use systemd |
684 | ++socket-based activation by default. Therefore if you are using systemd with |
685 | ++the default configuration, |
686 | ++.Cm Port |
687 | ++options will not be honored. Address configuration must be handled in |
688 | ++.Pa /etc/systemd/system/ssh.socket.d |
689 | ++instead. |
690 | + .It Cm PrintLastLog |
691 | + Specifies whether |
692 | + .Xr sshd 8 |
693 | +Index: openssh-9.0p1/sshd_config |
694 | +=================================================================== |
695 | +--- openssh-9.0p1.orig/sshd_config |
696 | ++++ openssh-9.0p1/sshd_config |
697 | +@@ -12,6 +12,9 @@ |
698 | + |
699 | + Include /etc/ssh/sshd_config.d/*.conf |
700 | + |
701 | ++# Port and ListenAddress options are not used when sshd is socket-activated, |
702 | ++# which is now the default in Ubuntu. See sshd_config(5) and |
703 | ++# /usr/share/doc/openssh-server/README.Debian.gz for details. |
704 | + #Port 22 |
705 | + #AddressFamily any |
706 | + #ListenAddress 0.0.0.0 |
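Review bot: in the second sshd_config.5 hunk (the Port entry) the added note repeats "Address configuration must be handled in" from the ListenAddress entry; for Port it should say port configuration. Both notes name only the drop-in directory /etc/systemd/system/ssh.socket.d and not the setting an administrator has to write there, so someone who restricted sshd to one interface with ListenAddress still has to look elsewhere to restore that restriction. The new patch file also begins directly at "Index: openssh-9.0p1/sshd_config.5" with no Description/Author/Forwarded header, unlike the other two patches in this merge.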
707 | diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch |
708 | index 8ef366d..8e1ce7c 100644 |
709 | --- a/debian/patches/systemd-socket-activation.patch |
710 | +++ b/debian/patches/systemd-socket-activation.patch |
711 | @@ -1,47 +1,72 @@ |
712 | -From ecf309863a54ecdaeb2edb82edb79d91a23cee22 Mon Sep 17 00:00:00 2001 |
713 | -From: Steve Langasek <steve.langasek@ubuntu.com> |
714 | -Date: Thu, 1 Sep 2022 16:03:37 +0100 |
715 | -Subject: Support systemd socket activation |
716 | +Description: support systemd socket activation |
717 | + Unlike inetd socket activation, with systemd socket activation the |
718 | + supervisor passes the listened-on socket to the child process and lets |
719 | + the child process handle the accept(). This lets us do delayed start |
720 | + of the sshd daemon without becoming incompatible with config options |
721 | + like ClientAliveCountMax. |
722 | +Author: Steve Langasek <steve.langasek@ubuntu.com> |
723 | +Author: Nick Rosbrook <nick.rosbrook@canonical.com> |
724 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2011458 |
725 | +Last-Update: 2023-05-25 |
726 | |
727 | -Unlike inetd socket activation, with systemd socket activation the |
728 | -supervisor passes the listened-on socket to the child process and lets |
729 | -the child process handle the accept(). This lets us do delayed start |
730 | -of the sshd daemon without becoming incompatible with config options |
731 | -like ClientAliveCountMax. |
732 | - |
733 | -Last-Update: 2022-09-01 |
734 | - |
735 | -Patch-Name: systemd-socket-activation.patch |
736 | ---- |
737 | - sshd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++--------- |
738 | - 1 file changed, 75 insertions(+), 14 deletions(-) |
739 | - |
740 | -diff --git a/sshd.c b/sshd.c |
741 | -index 731b9e400..3a5189a6e 100644 |
742 | --- a/sshd.c |
743 | +++ b/sshd.c |
744 | -@@ -140,10 +140,16 @@ int deny_severity; |
745 | +@@ -139,11 +139,14 @@ |
746 | + int deny_severity; |
747 | #endif /* LIBWRAP */ |
748 | |
749 | ++/* This will only get set if we build with systemd. */ |
750 | ++static int systemd_num_listen_fds; |
751 | ++ |
752 | /* Re-exec fds */ |
753 | -#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
754 | -#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
755 | -#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3) |
756 | -#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4) |
757 | -+#ifdef HAVE_SYSTEMD |
758 | -+#define SYSTEMD_OFFSET sd_listen_fds(0) |
759 | -+#else |
760 | -+#define SYSTEMD_OFFSET 0 |
761 | -+#endif |
762 | -+ |
763 | -+#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1 + SYSTEMD_OFFSET) |
764 | -+#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2 + SYSTEMD_OFFSET) |
765 | -+#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3 + SYSTEMD_OFFSET) |
766 | -+#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4 + SYSTEMD_OFFSET) |
767 | ++#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1 + systemd_num_listen_fds) |
768 | ++#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2 + systemd_num_listen_fds) |
769 | ++#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3 + systemd_num_listen_fds) |
770 | ++#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4 + systemd_num_listen_fds) |
771 | |
772 | extern char *__progname; |
773 | |
774 | -@@ -1020,6 +1026,48 @@ server_accept_inetd(int *sock_in, int *sock_out) |
775 | +@@ -194,6 +197,7 @@ |
776 | + */ |
777 | + #define MAX_LISTEN_SOCKS 16 |
778 | + static int listen_socks[MAX_LISTEN_SOCKS]; |
779 | ++static int listen_socks_no_close[MAX_LISTEN_SOCKS]; |
780 | + static int num_listen_socks = 0; |
781 | + |
782 | + /* Daemon's agent connection */ |
783 | +@@ -279,12 +283,16 @@ |
784 | + * Close all listening sockets |
785 | + */ |
786 | + static void |
787 | +-close_listen_socks(void) |
788 | ++close_listen_socks(int force) |
789 | + { |
790 | + int i; |
791 | + |
792 | +- for (i = 0; i < num_listen_socks; i++) |
793 | ++ for (i = 0; i < num_listen_socks; i++) { |
794 | ++ if (listen_socks_no_close[i] > 0 && force <= 0) |
795 | ++ continue; |
796 | ++ |
797 | + close(listen_socks[i]); |
798 | ++ } |
799 | + num_listen_socks = 0; |
800 | + } |
801 | + |
802 | +@@ -322,7 +330,7 @@ |
803 | + if (options.pid_file != NULL) |
804 | + unlink(options.pid_file); |
805 | + platform_pre_restart(); |
806 | +- close_listen_socks(); |
807 | ++ close_listen_socks(/* force = */ 0); |
808 | + close_startup_pipes(); |
809 | + ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */ |
810 | + execv(saved_argv[0], saved_argv); |
811 | +@@ -1020,6 +1028,65 @@ |
812 | debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); |
813 | } |
814 | |
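Review bot: close_listen_socks() resets num_listen_socks to 0 but never clears listen_socks_no_close[], so a slot that setup_systemd_socket() marked with 1 keeps that mark after the socket list is emptied. Clear the entry inside the loop (or zero the array after it) so the flag cannot outlive the fd it describes, and test the two ints as booleans (listen_socks_no_close[i] && !force) rather than "> 0" / "<= 0". With force = 0 the systemd fds stay open but are no longer tracked; the comment above the function still reads "Close all listening sockets" and should say so.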
815 | @@ -52,7 +77,7 @@ index 731b9e400..3a5189a6e 100644 |
816 | +static void |
817 | +setup_systemd_socket(int listen_sock) |
818 | +{ |
819 | -+ int ret; |
820 | ++ int flags, ret; |
821 | + struct sockaddr_storage addr; |
822 | + socklen_t len = sizeof(addr); |
823 | + char ntop[NI_MAXHOST], strport[NI_MAXSERV]; |
824 | @@ -77,10 +102,27 @@ index 731b9e400..3a5189a6e 100644 |
825 | + close(listen_sock); |
826 | + return; |
827 | + } |
828 | ++ |
829 | + /* Socket options */ |
830 | + set_reuseaddr(listen_sock); |
831 | + |
832 | ++ /* systemd sets FD_CLOEXEC on the fds it passes to us, but we need this |
833 | ++ * to stay open across re-exec. */ |
834 | ++ flags = fcntl(listen_sock, F_GETFD); |
835 | ++ if (flags < 0) { |
836 | ++ error("Failed to get fd flags: %s", strerror(errno)); |
837 | ++ close(listen_sock); |
838 | ++ return; |
839 | ++ } |
840 | ++ |
841 | ++ if (fcntl(listen_sock, F_SETFD, flags & ~FD_CLOEXEC) < 0) { |
842 | ++ error("Failed to clear FD_CLOEXEC flag: %s", strerror(errno)); |
843 | ++ close(listen_sock); |
844 | ++ return; |
845 | ++ } |
846 | ++ |
847 | + listen_socks[num_listen_socks] = listen_sock; |
848 | ++ listen_socks_no_close[num_listen_socks] = 1; |
849 | + num_listen_socks++; |
850 | + |
851 | + logit("Server listening on %s port %s.", ntop, strport); |
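Review bot: the two new fcntl() error paths close the descriptor and return, but neither message says which descriptor failed, so when several sockets are passed in the log cannot show which listener was dropped. Put listen_sock in the text, for example error("Failed to clear FD_CLOEXEC on fd %d: %s", listen_sock, strerror(errno)), and do the same for the F_GETFD message.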
852 | @@ -90,15 +132,7 @@ index 731b9e400..3a5189a6e 100644 |
853 | /* |
854 | * Listen for TCP connections |
855 | */ |
856 | -@@ -1099,22 +1147,35 @@ static void |
857 | - server_listen(void) |
858 | - { |
859 | - u_int i; |
860 | -+#ifdef HAVE_SYSTEMD |
861 | -+ int systemd_socket_count; |
862 | -+#endif |
863 | - |
864 | - /* Initialise per-source limit tracking. */ |
865 | +@@ -1104,17 +1171,26 @@ |
866 | srclimit_init(options.max_startups, options.per_source_max_startups, |
867 | options.per_source_masklen_ipv4, options.per_source_masklen_ipv6); |
868 | |
869 | @@ -108,12 +142,16 @@ index 731b9e400..3a5189a6e 100644 |
870 | - free(options.listen_addrs[i].rdomain); |
871 | - memset(&options.listen_addrs[i], 0, |
872 | - sizeof(options.listen_addrs[i])); |
873 | +- } |
874 | +- free(options.listen_addrs); |
875 | +- options.listen_addrs = NULL; |
876 | +- options.num_listen_addrs = 0; |
877 | +- |
878 | +#ifdef HAVE_SYSTEMD |
879 | -+ systemd_socket_count = sd_listen_fds(0); |
880 | -+ if (systemd_socket_count > 0) |
881 | ++ if (systemd_num_listen_fds > 0) |
882 | + { |
883 | + int i; |
884 | -+ for (i = 0; i < systemd_socket_count; i++) |
885 | ++ for (i = 0; i < systemd_num_listen_fds; i++) |
886 | + setup_systemd_socket(SD_LISTEN_FDS_START + i); |
887 | + } else |
888 | +#endif |
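Review bot: the loop calls setup_systemd_socket() for every value up to systemd_num_listen_fds with no comparison against MAX_LISTEN_SOCKS, while listen_socks[] and listen_socks_no_close[] are both sized by that constant. Please confirm setup_systemd_socket() rejects the fd when num_listen_socks has reached MAX_LISTEN_SOCKS before it writes to either array, or bound the loop here. The block-local "int i" also shadows the function's own i used by the listen_addrs loop below; a differently named counter would avoid that.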
889 | @@ -128,11 +166,65 @@ index 731b9e400..3a5189a6e 100644 |
890 | + free(options.listen_addrs); |
891 | + options.listen_addrs = NULL; |
892 | + options.num_listen_addrs = 0; |
893 | - } |
894 | -- free(options.listen_addrs); |
895 | -- options.listen_addrs = NULL; |
896 | -- options.num_listen_addrs = 0; |
897 | -- |
898 | ++ } |
899 | if (!num_listen_socks) |
900 | fatal("Cannot bind any address."); |
901 | } |
902 | +@@ -1169,7 +1245,7 @@ |
903 | + if (received_sigterm) { |
904 | + logit("Received signal %d; terminating.", |
905 | + (int) received_sigterm); |
906 | +- close_listen_socks(); |
907 | ++ close_listen_socks(/* force = */ 1); |
908 | + if (options.pid_file != NULL) |
909 | + unlink(options.pid_file); |
910 | + exit(received_sigterm == SIGTERM ? 0 : 255); |
911 | +@@ -1183,7 +1259,7 @@ |
912 | + if (received_sighup) { |
913 | + if (!lameduck) { |
914 | + debug("Received SIGHUP; waiting for children"); |
915 | +- close_listen_socks(); |
916 | ++ close_listen_socks(/* force = */ 0); |
917 | + lameduck = 1; |
918 | + } |
919 | + if (listening <= 0) { |
920 | +@@ -1310,7 +1386,7 @@ |
921 | + * connection without forking. |
922 | + */ |
923 | + debug("Server will not fork when running in debugging mode."); |
924 | +- close_listen_socks(); |
925 | ++ close_listen_socks(/* force = */ 0); |
926 | + *sock_in = *newsock; |
927 | + *sock_out = *newsock; |
928 | + close(startup_p[0]); |
929 | +@@ -1344,7 +1420,7 @@ |
930 | + platform_post_fork_child(); |
931 | + startup_pipe = startup_p[1]; |
932 | + close_startup_pipes(); |
933 | +- close_listen_socks(); |
934 | ++ close_listen_socks(/* force = */ 1); |
935 | + *sock_in = *newsock; |
936 | + *sock_out = *newsock; |
937 | + log_init(__progname, |
938 | +@@ -1715,6 +1791,21 @@ |
939 | + break; |
940 | + } |
941 | + } |
942 | ++ |
943 | ++#ifdef HAVE_SYSTEMD |
944 | ++ /* We should call sd_listen_fds() exactly once. If we call |
945 | ++ * sd_listen_fds() more than once, then FD_CLOEXEC will be |
946 | ++ * re-configured for the passed fds, which will cause problems during |
947 | ++ * re-execution. The FD_CLOEXEC flag will be cleared by |
948 | ++ * setup_systemd_socket(). */ |
949 | ++ r = sd_listen_fds(0); |
950 | ++ if (r < 0) |
951 | ++ fatal("Failed to get systemd socket fds: %s", strerror(-r)); |
952 | ++ |
953 | ++ systemd_num_listen_fds = r; |
954 | ++ rexec_flag = 0; |
955 | ++#endif |
956 | ++ |
957 | + if (rexeced_flag || inetd_flag) |
958 | + rexec_flag = 0; |
959 | + if (!test_flag && !do_dump_cfg && rexec_flag && !path_absolute(av[0])) |
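Review bot: in the last inner hunk, "rexec_flag = 0;" is assigned unconditionally inside #ifdef HAVE_SYSTEMD, so re-exec is turned off for every build with systemd, including runs where sd_listen_fds() returned 0 and sshd was not socket-activated. If the intent is to disable it only when fds were passed, guard it with "if (r > 0)"; if it is meant to be unconditional, the comment above should say why, since it currently explains only the single sd_listen_fds() call. The SIGHUP branch now passes force = 0 as well, which leaves the systemd sockets open in the lameduck process; a short comment there would make clear that this is intended.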
960 | diff --git a/debian/patches/test-set-UsePAM-no-on-some-tests.patch b/debian/patches/test-set-UsePAM-no-on-some-tests.patch |
961 | new file mode 100644 |
962 | index 0000000..207f495 |
963 | --- /dev/null |
964 | +++ b/debian/patches/test-set-UsePAM-no-on-some-tests.patch |
965 | @@ -0,0 +1,41 @@ |
966 | +Description: Set UsePAM=no for regress/putty-*.sh |
967 | + Currently these tests fails in the autopkgtest infrastructure due to pam_loginuid.so |
968 | + failures. These failures cannot currently be replicated locally. Workaround this |
969 | + by setting UsePAM=no for the failing tests since their functionality is not tesing |
970 | + PAM. |
971 | +Author: Nick Rosbrook <nick.rosbrook@canonical.com> |
972 | +Forwarded: no |
973 | +Last-Update: 2023-05-25 |
974 | +--- a/regress/putty-ciphers.sh |
975 | ++++ b/regress/putty-ciphers.sh |
976 | +@@ -14,6 +14,8 @@ |
977 | + echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy |
978 | + fi |
979 | + |
980 | ++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy |
981 | ++ |
982 | + for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do |
983 | + verbose "$tid: cipher $c" |
984 | + cp ${OBJ}/.putty/sessions/localhost_proxy \ |
985 | +--- a/regress/putty-kex.sh |
986 | ++++ b/regress/putty-kex.sh |
987 | +@@ -14,6 +14,8 @@ |
988 | + echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy |
989 | + fi |
990 | + |
991 | ++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy |
992 | ++ |
993 | + for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do |
994 | + verbose "$tid: kex $k" |
995 | + cp ${OBJ}/.putty/sessions/localhost_proxy \ |
996 | +--- a/regress/putty-transfer.sh |
997 | ++++ b/regress/putty-transfer.sh |
998 | +@@ -14,6 +14,8 @@ |
999 | + echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy |
1000 | + fi |
1001 | + |
1002 | ++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy |
1003 | ++ |
1004 | + if [ "`${SSH} -Q compression`" = "none" ]; then |
1005 | + comp="0" |
1006 | + else |
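Review bot: the added sed expression "s/UsePAM.*/UsePAM no/" is unanchored and unchecked in all three scripts: it rewrites any line containing UsePAM, including a commented one, and it silently does nothing if ${OBJ}/sshd_proxy has no UsePAM line, in which case the tests run with PAM still enabled. Anchor it ("s/^UsePAM.*/UsePAM no/") and fail the test if no UsePAM no line is present afterwards. The Description also has typos ("tests fails", "tesing") and, since the cause of the pam_loginuid.so failure is unknown, should reference a bug so the workaround can be dropped later.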
1007 | diff --git a/debian/po/cs.po b/debian/po/cs.po |
1008 | index d01e0ff..21b4c7b 100644 |
1009 | --- a/debian/po/cs.po |
1010 | +++ b/debian/po/cs.po |
1011 | @@ -7,7 +7,7 @@ msgid "" |
1012 | msgstr "" |
1013 | "Project-Id-Version: openssh 1:6.6p1-1\n" |
1014 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1015 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1016 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1017 | "PO-Revision-Date: 2014-06-12 12:25+0200\n" |
1018 | "Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n" |
1019 | "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n" |
1020 | @@ -53,3 +53,28 @@ msgstr "" |
1021 | "poškodit systémy, které jsou nastaveny s předpokladem, že bude možné se " |
1022 | "přihlašovat přes SSH jako root pomocí ověřování heslem. Změnu této volby " |
1023 | "byste měli provést pouze pokud ověřování heslem potřebujete." |
1024 | + |
1025 | +#. Type: error |
1026 | +#. Description |
1027 | +#: ../openssh-server.templates:3001 |
1028 | +msgid "Not migrating to socket activation" |
1029 | +msgstr "" |
1030 | + |
1031 | +#. Type: error |
1032 | +#. Description |
1033 | +#: ../openssh-server.templates:3001 |
1034 | +msgid "" |
1035 | +"This version of openssh-server uses socket-based activation by default. " |
1036 | +"However, because you have more than one ListenAddress configured in " |
1037 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1038 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1039 | +"unreliable." |
1040 | +msgstr "" |
1041 | + |
1042 | +#. Type: error |
1043 | +#. Description |
1044 | +#: ../openssh-server.templates:3001 |
1045 | +msgid "" |
1046 | +"Because a failure to start ssh may make it impossible to admininister a " |
1047 | +"system, you will not be migrated to socket-based activation at this time." |
1048 | +msgstr "" |
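Review bot: the new msgid contains the typo "admininister" (for "administer"), and the same string is added to every .po file in this merge. Fix it in debian/openssh-server.templates and regenerate templates.pot and the .po files before translators pick the string up, otherwise correcting it later invalidates their work.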
1049 | diff --git a/debian/po/da.po b/debian/po/da.po |
1050 | index 70d576d..a08ca3b 100644 |
1051 | --- a/debian/po/da.po |
1052 | +++ b/debian/po/da.po |
1053 | @@ -7,7 +7,7 @@ msgid "" |
1054 | msgstr "" |
1055 | "Project-Id-Version: openssh\n" |
1056 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1057 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1058 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1059 | "PO-Revision-Date: 2014-03-21 23:51+0200\n" |
1060 | "Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n" |
1061 | "Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n" |
1062 | @@ -53,3 +53,28 @@ msgstr "" |
1063 | "Det kan dog ødelægge systemer, som er opsat med forventning om at kunne SSH " |
1064 | "som root via brug af adgangskodegodkendelse. Du skal kun lave denne ændring, " |
1065 | "hvis du ikke har brug for dette." |
1066 | + |
1067 | +#. Type: error |
1068 | +#. Description |
1069 | +#: ../openssh-server.templates:3001 |
1070 | +msgid "Not migrating to socket activation" |
1071 | +msgstr "" |
1072 | + |
1073 | +#. Type: error |
1074 | +#. Description |
1075 | +#: ../openssh-server.templates:3001 |
1076 | +msgid "" |
1077 | +"This version of openssh-server uses socket-based activation by default. " |
1078 | +"However, because you have more than one ListenAddress configured in " |
1079 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1080 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1081 | +"unreliable." |
1082 | +msgstr "" |
1083 | + |
1084 | +#. Type: error |
1085 | +#. Description |
1086 | +#: ../openssh-server.templates:3001 |
1087 | +msgid "" |
1088 | +"Because a failure to start ssh may make it impossible to admininister a " |
1089 | +"system, you will not be migrated to socket-based activation at this time." |
1090 | +msgstr "" |
1091 | diff --git a/debian/po/de.po b/debian/po/de.po |
1092 | index ecba54b..2536ea4 100644 |
1093 | --- a/debian/po/de.po |
1094 | +++ b/debian/po/de.po |
1095 | @@ -8,7 +8,7 @@ msgid "" |
1096 | msgstr "" |
1097 | "Project-Id-Version: openssh_1:6.6p1-1\n" |
1098 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1099 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1100 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1101 | "PO-Revision-Date: 2014-03-24 22:21+0100\n" |
1102 | "Last-Translator: Stephan Beck <sbeck@mailbox.org>\n" |
1103 | "Language-Team: Debian German translation team <debian-l10n-german@lists." |
1104 | @@ -59,3 +59,28 @@ msgstr "" |
1105 | "in der Absicht konfiguriert wurden, die Anmeldung als »root« über SSH unter " |
1106 | "Verwendung von Passwort-Authentifizierung zuzulassen. Sie sollten diese " |
1107 | "Änderung nur vornehmen, wenn Sie auf Letzteres verzichten können." |
1108 | + |
1109 | +#. Type: error |
1110 | +#. Description |
1111 | +#: ../openssh-server.templates:3001 |
1112 | +msgid "Not migrating to socket activation" |
1113 | +msgstr "" |
1114 | + |
1115 | +#. Type: error |
1116 | +#. Description |
1117 | +#: ../openssh-server.templates:3001 |
1118 | +msgid "" |
1119 | +"This version of openssh-server uses socket-based activation by default. " |
1120 | +"However, because you have more than one ListenAddress configured in " |
1121 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1122 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1123 | +"unreliable." |
1124 | +msgstr "" |
1125 | + |
1126 | +#. Type: error |
1127 | +#. Description |
1128 | +#: ../openssh-server.templates:3001 |
1129 | +msgid "" |
1130 | +"Because a failure to start ssh may make it impossible to admininister a " |
1131 | +"system, you will not be migrated to socket-based activation at this time." |
1132 | +msgstr "" |
1133 | diff --git a/debian/po/es.po b/debian/po/es.po |
1134 | index de8a67a..14550d6 100644 |
1135 | --- a/debian/po/es.po |
1136 | +++ b/debian/po/es.po |
1137 | @@ -28,7 +28,7 @@ msgid "" |
1138 | msgstr "" |
1139 | "Project-Id-Version: openssh\n" |
1140 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1141 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1142 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1143 | "PO-Revision-Date: 2014-03-23 20:43-0300\n" |
1144 | "Last-Translator: Matías Bellone <matiasbellone+debian@gmail.com>\n" |
1145 | "Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n" |
1146 | @@ -78,3 +78,28 @@ msgstr "" |
1147 | "configuración permite que el usuario root inicie sesión a través de SSH " |
1148 | "utilizando una contraseña. Sólo debería realizar este cambio si no necesita " |
1149 | "este comportamiento." |
1150 | + |
1151 | +#. Type: error |
1152 | +#. Description |
1153 | +#: ../openssh-server.templates:3001 |
1154 | +msgid "Not migrating to socket activation" |
1155 | +msgstr "" |
1156 | + |
1157 | +#. Type: error |
1158 | +#. Description |
1159 | +#: ../openssh-server.templates:3001 |
1160 | +msgid "" |
1161 | +"This version of openssh-server uses socket-based activation by default. " |
1162 | +"However, because you have more than one ListenAddress configured in " |
1163 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1164 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1165 | +"unreliable." |
1166 | +msgstr "" |
1167 | + |
1168 | +#. Type: error |
1169 | +#. Description |
1170 | +#: ../openssh-server.templates:3001 |
1171 | +msgid "" |
1172 | +"Because a failure to start ssh may make it impossible to admininister a " |
1173 | +"system, you will not be migrated to socket-based activation at this time." |
1174 | +msgstr "" |
1175 | diff --git a/debian/po/fr.po b/debian/po/fr.po |
1176 | index f7125e9..7d7093b 100644 |
1177 | --- a/debian/po/fr.po |
1178 | +++ b/debian/po/fr.po |
1179 | @@ -7,7 +7,7 @@ msgid "" |
1180 | msgstr "" |
1181 | "Project-Id-Version: openssh_1:6.5p1-6\n" |
1182 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1183 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1184 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1185 | "PO-Revision-Date: 2014-03-22 08:26+0100\n" |
1186 | "Last-Translator: Étienne Gilli <etienne.gilli@gmail.com>\n" |
1187 | "Language-Team: French <debian-l10n-french@lists.debian.org>\n" |
1188 | @@ -57,3 +57,28 @@ msgstr "" |
1189 | "inutilisables les systèmes reposant sur la possibilité de se connecter au " |
1190 | "compte « root » par SSH avec authentification par mot de passe. Vous ne " |
1191 | "devriez appliquer cette modification que si ce n’est pas votre cas." |
1192 | + |
1193 | +#. Type: error |
1194 | +#. Description |
1195 | +#: ../openssh-server.templates:3001 |
1196 | +msgid "Not migrating to socket activation" |
1197 | +msgstr "" |
1198 | + |
1199 | +#. Type: error |
1200 | +#. Description |
1201 | +#: ../openssh-server.templates:3001 |
1202 | +msgid "" |
1203 | +"This version of openssh-server uses socket-based activation by default. " |
1204 | +"However, because you have more than one ListenAddress configured in " |
1205 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1206 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1207 | +"unreliable." |
1208 | +msgstr "" |
1209 | + |
1210 | +#. Type: error |
1211 | +#. Description |
1212 | +#: ../openssh-server.templates:3001 |
1213 | +msgid "" |
1214 | +"Because a failure to start ssh may make it impossible to admininister a " |
1215 | +"system, you will not be migrated to socket-based activation at this time." |
1216 | +msgstr "" |
1217 | diff --git a/debian/po/it.po b/debian/po/it.po |
1218 | index dd71060..5390795 100644 |
1219 | --- a/debian/po/it.po |
1220 | +++ b/debian/po/it.po |
1221 | @@ -6,7 +6,7 @@ msgid "" |
1222 | msgstr "" |
1223 | "Project-Id-Version: openssh\n" |
1224 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1225 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1226 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1227 | "PO-Revision-Date: 2014-03-28 11:12+0200\n" |
1228 | "Last-Translator: Beatrice Torracca <beatricet@libero.it>\n" |
1229 | "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n" |
1230 | @@ -56,3 +56,28 @@ msgstr "" |
1231 | "impostati facendo affidamento sulla possibilità di autenticazione SSH come " |
1232 | "root usando la password. Si dovrebbe fare questo cambiamento solo se non si " |
1233 | "ha bisogno di tale comportamento." |
1234 | + |
1235 | +#. Type: error |
1236 | +#. Description |
1237 | +#: ../openssh-server.templates:3001 |
1238 | +msgid "Not migrating to socket activation" |
1239 | +msgstr "" |
1240 | + |
1241 | +#. Type: error |
1242 | +#. Description |
1243 | +#: ../openssh-server.templates:3001 |
1244 | +msgid "" |
1245 | +"This version of openssh-server uses socket-based activation by default. " |
1246 | +"However, because you have more than one ListenAddress configured in " |
1247 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1248 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1249 | +"unreliable." |
1250 | +msgstr "" |
1251 | + |
1252 | +#. Type: error |
1253 | +#. Description |
1254 | +#: ../openssh-server.templates:3001 |
1255 | +msgid "" |
1256 | +"Because a failure to start ssh may make it impossible to admininister a " |
1257 | +"system, you will not be migrated to socket-based activation at this time." |
1258 | +msgstr "" |
1259 | diff --git a/debian/po/ja.po b/debian/po/ja.po |
1260 | index db382f1..b48d281 100644 |
1261 | --- a/debian/po/ja.po |
1262 | +++ b/debian/po/ja.po |
1263 | @@ -7,7 +7,7 @@ msgid "" |
1264 | msgstr "" |
1265 | "Project-Id-Version: openssh\n" |
1266 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1267 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1268 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1269 | "PO-Revision-Date: 2014-03-20 11:06+0900\n" |
1270 | "Last-Translator: victory <victory.deb@gmail.com>\n" |
1271 | "Language-Team: Japanese <debian-japanese@lists.debian.org>\n" |
1272 | @@ -53,3 +53,28 @@ msgstr "" |
1273 | "ます。しかしパスワード認証により root で SSH 接続できることを前提として構成し" |
1274 | "たシステムでは問題が発生する可能性があります。そういった必要のない場合にのみ" |
1275 | "この変更を行うようにしてください。" |
1276 | + |
1277 | +#. Type: error |
1278 | +#. Description |
1279 | +#: ../openssh-server.templates:3001 |
1280 | +msgid "Not migrating to socket activation" |
1281 | +msgstr "" |
1282 | + |
1283 | +#. Type: error |
1284 | +#. Description |
1285 | +#: ../openssh-server.templates:3001 |
1286 | +msgid "" |
1287 | +"This version of openssh-server uses socket-based activation by default. " |
1288 | +"However, because you have more than one ListenAddress configured in " |
1289 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1290 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1291 | +"unreliable." |
1292 | +msgstr "" |
1293 | + |
1294 | +#. Type: error |
1295 | +#. Description |
1296 | +#: ../openssh-server.templates:3001 |
1297 | +msgid "" |
1298 | +"Because a failure to start ssh may make it impossible to admininister a " |
1299 | +"system, you will not be migrated to socket-based activation at this time." |
1300 | +msgstr "" |
1301 | diff --git a/debian/po/nl.po b/debian/po/nl.po |
1302 | index 3afd617..eca9662 100644 |
1303 | --- a/debian/po/nl.po |
1304 | +++ b/debian/po/nl.po |
1305 | @@ -7,7 +7,7 @@ msgid "" |
1306 | msgstr "" |
1307 | "Project-Id-Version: openssh\n" |
1308 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1309 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1310 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1311 | "PO-Revision-Date: 2014-10-03 23:54+0200\n" |
1312 | "Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n" |
1313 | "Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n" |
1314 | @@ -58,3 +58,28 @@ msgstr "" |
1315 | "ingesteld werden vanuit de verwachting dat de systeembeheerder SSH kan " |
1316 | "gebruiken met authenticatie via wachtwoord. Enkel wanneer u dit laatste niet " |
1317 | "nodig heeft, zou u deze wijziging kunnen doorvoeren." |
1318 | + |
1319 | +#. Type: error |
1320 | +#. Description |
1321 | +#: ../openssh-server.templates:3001 |
1322 | +msgid "Not migrating to socket activation" |
1323 | +msgstr "" |
1324 | + |
1325 | +#. Type: error |
1326 | +#. Description |
1327 | +#: ../openssh-server.templates:3001 |
1328 | +msgid "" |
1329 | +"This version of openssh-server uses socket-based activation by default. " |
1330 | +"However, because you have more than one ListenAddress configured in " |
1331 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1332 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1333 | +"unreliable." |
1334 | +msgstr "" |
1335 | + |
1336 | +#. Type: error |
1337 | +#. Description |
1338 | +#: ../openssh-server.templates:3001 |
1339 | +msgid "" |
1340 | +"Because a failure to start ssh may make it impossible to admininister a " |
1341 | +"system, you will not be migrated to socket-based activation at this time." |
1342 | +msgstr "" |
1343 | diff --git a/debian/po/pt.po b/debian/po/pt.po |
1344 | index 2dab84c..8f51af9 100644 |
1345 | --- a/debian/po/pt.po |
1346 | +++ b/debian/po/pt.po |
1347 | @@ -7,7 +7,7 @@ msgid "" |
1348 | msgstr "" |
1349 | "Project-Id-Version: openssh 1:6.6p1-1\n" |
1350 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1351 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1352 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1353 | "PO-Revision-Date: 2014-03-21 21:13+0000\n" |
1354 | "Last-Translator: Américo Monteiro <a_monteiro@gmx.com>\n" |
1355 | "Language-Team: Portuguese <traduz@debianpt.org>\n" |
1356 | @@ -57,3 +57,28 @@ msgstr "" |
1357 | "configurados com a expectativa de serem capazes de SSH como root usando " |
1358 | "autenticação por palavra-passe. Apenas deverá fazer esta alteração se não " |
1359 | "precisa de tal método de autenticação." |
1360 | + |
1361 | +#. Type: error |
1362 | +#. Description |
1363 | +#: ../openssh-server.templates:3001 |
1364 | +msgid "Not migrating to socket activation" |
1365 | +msgstr "" |
1366 | + |
1367 | +#. Type: error |
1368 | +#. Description |
1369 | +#: ../openssh-server.templates:3001 |
1370 | +msgid "" |
1371 | +"This version of openssh-server uses socket-based activation by default. " |
1372 | +"However, because you have more than one ListenAddress configured in " |
1373 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1374 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1375 | +"unreliable." |
1376 | +msgstr "" |
1377 | + |
1378 | +#. Type: error |
1379 | +#. Description |
1380 | +#: ../openssh-server.templates:3001 |
1381 | +msgid "" |
1382 | +"Because a failure to start ssh may make it impossible to admininister a " |
1383 | +"system, you will not be migrated to socket-based activation at this time." |
1384 | +msgstr "" |
1385 | diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po |
1386 | index 99b1182..98856bb 100644 |
1387 | --- a/debian/po/pt_BR.po |
1388 | +++ b/debian/po/pt_BR.po |
1389 | @@ -8,7 +8,7 @@ msgid "" |
1390 | msgstr "" |
1391 | "Project-Id-Version: openssh\n" |
1392 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1393 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1394 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1395 | "PO-Revision-Date: 2014-11-23 23:49-0200\n" |
1396 | "Last-Translator: José de Figueiredo <deb.gnulinux@gmail.com>\n" |
1397 | "Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian." |
1398 | @@ -55,3 +55,28 @@ msgstr "" |
1399 | "Entretanto, ela pode quebrar sistemas que foram configurados com a " |
1400 | "expectativa de acesso SSH com root usando autenticação por senha. Você deve " |
1401 | "fazer esta mudança somente se você não precisa fazer isso." |
1402 | + |
1403 | +#. Type: error |
1404 | +#. Description |
1405 | +#: ../openssh-server.templates:3001 |
1406 | +msgid "Not migrating to socket activation" |
1407 | +msgstr "" |
1408 | + |
1409 | +#. Type: error |
1410 | +#. Description |
1411 | +#: ../openssh-server.templates:3001 |
1412 | +msgid "" |
1413 | +"This version of openssh-server uses socket-based activation by default. " |
1414 | +"However, because you have more than one ListenAddress configured in " |
1415 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1416 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1417 | +"unreliable." |
1418 | +msgstr "" |
1419 | + |
1420 | +#. Type: error |
1421 | +#. Description |
1422 | +#: ../openssh-server.templates:3001 |
1423 | +msgid "" |
1424 | +"Because a failure to start ssh may make it impossible to admininister a " |
1425 | +"system, you will not be migrated to socket-based activation at this time." |
1426 | +msgstr "" |
1427 | diff --git a/debian/po/ru.po b/debian/po/ru.po |
1428 | index f2e1daf..3fa193c 100644 |
1429 | --- a/debian/po/ru.po |
1430 | +++ b/debian/po/ru.po |
1431 | @@ -6,7 +6,7 @@ msgid "" |
1432 | msgstr "" |
1433 | "Project-Id-Version: openssh 1:6.6p1-1\n" |
1434 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1435 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1436 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1437 | "PO-Revision-Date: 2014-03-22 10:04+0400\n" |
1438 | "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n" |
1439 | "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n" |
1440 | @@ -14,8 +14,8 @@ msgstr "" |
1441 | "MIME-Version: 1.0\n" |
1442 | "Content-Type: text/plain; charset=UTF-8\n" |
1443 | "Content-Transfer-Encoding: 8bit\n" |
1444 | -"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" |
1445 | -"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" |
1446 | +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && " |
1447 | +"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" |
1448 | "X-Generator: Lokalize 1.4\n" |
1449 | |
1450 | #. Type: boolean |
1451 | @@ -55,3 +55,28 @@ msgstr "" |
1452 | "атак). Однако, это вредит системам, в которых специально настроен вход для " |
1453 | "root по SSH с парольной аутентификацией. Если это не ваш случай, то ответьте " |
1454 | "утвердительно." |
1455 | + |
1456 | +#. Type: error |
1457 | +#. Description |
1458 | +#: ../openssh-server.templates:3001 |
1459 | +msgid "Not migrating to socket activation" |
1460 | +msgstr "" |
1461 | + |
1462 | +#. Type: error |
1463 | +#. Description |
1464 | +#: ../openssh-server.templates:3001 |
1465 | +msgid "" |
1466 | +"This version of openssh-server uses socket-based activation by default. " |
1467 | +"However, because you have more than one ListenAddress configured in " |
1468 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1469 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1470 | +"unreliable." |
1471 | +msgstr "" |
1472 | + |
1473 | +#. Type: error |
1474 | +#. Description |
1475 | +#: ../openssh-server.templates:3001 |
1476 | +msgid "" |
1477 | +"Because a failure to start ssh may make it impossible to admininister a " |
1478 | +"system, you will not be migrated to socket-based activation at this time." |
1479 | +msgstr "" |
1480 | diff --git a/debian/po/sv.po b/debian/po/sv.po |
1481 | index 278b0cc..296e611 100644 |
1482 | --- a/debian/po/sv.po |
1483 | +++ b/debian/po/sv.po |
1484 | @@ -8,7 +8,7 @@ msgid "" |
1485 | msgstr "" |
1486 | "Project-Id-Version: openssh\n" |
1487 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1488 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1489 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1490 | "PO-Revision-Date: 2014-03-21 21:36+0100\n" |
1491 | "Last-Translator: Andreas Rönnquist <gusnan@gusnan.se>\n" |
1492 | "Language-Team: Swedish\n" |
1493 | @@ -56,3 +56,28 @@ msgstr "" |
1494 | "sådana angrepp). Dock så kan detta förstöra system som förväntas kunna " |
1495 | "använda SSH som root med hjälp av lösenordsautentisering. Du skall endast " |
1496 | "göra denna förändring om du inte har ett behov av att kunna göra detta." |
1497 | + |
1498 | +#. Type: error |
1499 | +#. Description |
1500 | +#: ../openssh-server.templates:3001 |
1501 | +msgid "Not migrating to socket activation" |
1502 | +msgstr "" |
1503 | + |
1504 | +#. Type: error |
1505 | +#. Description |
1506 | +#: ../openssh-server.templates:3001 |
1507 | +msgid "" |
1508 | +"This version of openssh-server uses socket-based activation by default. " |
1509 | +"However, because you have more than one ListenAddress configured in " |
1510 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1511 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1512 | +"unreliable." |
1513 | +msgstr "" |
1514 | + |
1515 | +#. Type: error |
1516 | +#. Description |
1517 | +#: ../openssh-server.templates:3001 |
1518 | +msgid "" |
1519 | +"Because a failure to start ssh may make it impossible to admininister a " |
1520 | +"system, you will not be migrated to socket-based activation at this time." |
1521 | +msgstr "" |
1522 | diff --git a/debian/po/templates.pot b/debian/po/templates.pot |
1523 | index 47c9e36..c9dc5ba 100644 |
1524 | --- a/debian/po/templates.pot |
1525 | +++ b/debian/po/templates.pot |
1526 | @@ -1,6 +1,6 @@ |
1527 | # SOME DESCRIPTIVE TITLE. |
1528 | # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER |
1529 | -# This file is distributed under the same license as the PACKAGE package. |
1530 | +# This file is distributed under the same license as the openssh package. |
1531 | # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. |
1532 | # |
1533 | #, fuzzy |
1534 | @@ -8,7 +8,7 @@ msgid "" |
1535 | msgstr "" |
1536 | "Project-Id-Version: openssh\n" |
1537 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1538 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1539 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1540 | "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" |
1541 | "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" |
1542 | "Language-Team: LANGUAGE <LL@li.org>\n" |
1543 | @@ -44,3 +44,28 @@ msgid "" |
1544 | "able to SSH as root using password authentication. You should only make this " |
1545 | "change if you do not need to do that." |
1546 | msgstr "" |
1547 | + |
1548 | +#. Type: error |
1549 | +#. Description |
1550 | +#: ../openssh-server.templates:3001 |
1551 | +msgid "Not migrating to socket activation" |
1552 | +msgstr "" |
1553 | + |
1554 | +#. Type: error |
1555 | +#. Description |
1556 | +#: ../openssh-server.templates:3001 |
1557 | +msgid "" |
1558 | +"This version of openssh-server uses socket-based activation by default. " |
1559 | +"However, because you have more than one ListenAddress configured in " |
1560 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1561 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1562 | +"unreliable." |
1563 | +msgstr "" |
1564 | + |
1565 | +#. Type: error |
1566 | +#. Description |
1567 | +#: ../openssh-server.templates:3001 |
1568 | +msgid "" |
1569 | +"Because a failure to start ssh may make it impossible to admininister a " |
1570 | +"system, you will not be migrated to socket-based activation at this time." |
1571 | +msgstr "" |
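Review bot: the new msgid "Because a failure to start ssh may make it impossible to admininister a system, ..." misspells "administer". Because this string is generated from debian/openssh-server.templates, the fix belongs there, followed by regenerating templates.pot and the .po files; otherwise every translator will be asked to translate the misspelled source string, and correcting it later will mark their translations fuzzy.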
1572 | diff --git a/debian/po/tr.po b/debian/po/tr.po |
1573 | index 1ada041..fd6bde5 100644 |
1574 | --- a/debian/po/tr.po |
1575 | +++ b/debian/po/tr.po |
1576 | @@ -7,15 +7,15 @@ msgid "" |
1577 | msgstr "" |
1578 | "Project-Id-Version: openssh-server\n" |
1579 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" |
1580 | -"POT-Creation-Date: 2014-03-20 02:06+0000\n" |
1581 | +"POT-Creation-Date: 2022-09-23 19:34+0000\n" |
1582 | "PO-Revision-Date: 2014-08-01 14:44+0200\n" |
1583 | "Last-Translator: Mert Dirik <mertdirik@gmail.com>\n" |
1584 | "Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n" |
1585 | +"Language: tr\n" |
1586 | "MIME-Version: 1.0\n" |
1587 | "Content-Type: text/plain; charset=UTF-8\n" |
1588 | "Content-Transfer-Encoding: 8bit\n" |
1589 | "X-Generator: Poedit 1.5.4\n" |
1590 | -"Language: tr\n" |
1591 | |
1592 | #. Type: boolean |
1593 | #. Description |
1594 | @@ -56,3 +56,28 @@ msgstr "" |
1595 | "parola doğrulama yöntemiyle oturum açılabileceği varsayımıyla hareket eden " |
1596 | "sistemlerde eskiden çalışan düzenin bozulmasına sebep olacaktır. Bu " |
1597 | "değişikliği yalnızca sorun çıkarmayacağından eminseniz yapın." |
1598 | + |
1599 | +#. Type: error |
1600 | +#. Description |
1601 | +#: ../openssh-server.templates:3001 |
1602 | +msgid "Not migrating to socket activation" |
1603 | +msgstr "" |
1604 | + |
1605 | +#. Type: error |
1606 | +#. Description |
1607 | +#: ../openssh-server.templates:3001 |
1608 | +msgid "" |
1609 | +"This version of openssh-server uses socket-based activation by default. " |
1610 | +"However, because you have more than one ListenAddress configured in " |
1611 | +"sshd_config, it is impossible to determine at upgrade time if migrating you " |
1612 | +"to socket-based activation would cause the starting of sshd at boot to be " |
1613 | +"unreliable." |
1614 | +msgstr "" |
1615 | + |
1616 | +#. Type: error |
1617 | +#. Description |
1618 | +#: ../openssh-server.templates:3001 |
1619 | +msgid "" |
1620 | +"Because a failure to start ssh may make it impossible to admininister a " |
1621 | +"system, you will not be migrated to socket-based activation at this time." |
1622 | +msgstr "" |
1623 | diff --git a/debian/rules b/debian/rules |
1624 | index 929da55..fec93b5 100755 |
1625 | --- a/debian/rules |
1626 | +++ b/debian/rules |
1627 | @@ -189,8 +189,9 @@ override_dh_installinit: |
1628 | dh_installinit -R --name ssh |
1629 | |
1630 | override_dh_installsystemd: |
1631 | - dh_installsystemd -popenssh-server ssh.service rescue-ssh.target |
1632 | - dh_installsystemd -popenssh-server --no-enable ssh.socket |
1633 | + dh_installsystemd -popenssh-server --no-start --no-stop-on-upgrade ssh.socket |
1634 | + dh_installsystemd -popenssh-server rescue-ssh.target |
1635 | + dh_installsystemd -popenssh-server --no-enable --no-start ssh.service |
1636 | |
1637 | debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in |
1638 | ifeq ($(DEB_HOST_ARCH_OS),linux) |
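Review bot: both new dh_installsystemd calls, for ssh.socket and for ssh.service, pass --no-start, so the debhelper-generated snippets will not start either unit on a fresh install. If the hand-written postinst is what brings up the listener, say so in a comment above override_dh_installsystemd, so that a later cleanup of the postinst does not leave a newly installed host without a reachable sshd until the next reboot. A short note on why ssh.socket needs --no-stop-on-upgrade would help here too.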
1639 | diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service |
1640 | index 7495d9a..a18105b 100644 |
1641 | --- a/debian/systemd/ssh.service |
1642 | +++ b/debian/systemd/ssh.service |
1643 | @@ -14,8 +14,6 @@ KillMode=process |
1644 | Restart=on-failure |
1645 | RestartPreventExitStatus=255 |
1646 | Type=notify |
1647 | -RuntimeDirectory=sshd |
1648 | -RuntimeDirectoryMode=0755 |
1649 | |
1650 | [Install] |
1651 | WantedBy=multi-user.target |
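Review bot: with RuntimeDirectory=sshd and RuntimeDirectoryMode=0755 removed, ssh.service no longer creates /run/sshd itself, so sshd now relies on something outside this unit to provide that directory before it starts. Name that mechanism in the changelog entry or in a comment in the unit, and confirm that the directory ends up with the same 0755 mode that was set here.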
1652 | diff --git a/debian/tests/control b/debian/tests/control |
1653 | index 8bc480a..1b2a1cd 100644 |
1654 | --- a/debian/tests/control |
1655 | +++ b/debian/tests/control |
1656 | @@ -8,3 +8,9 @@ Depends: devscripts, |
1657 | python3-twisted, |
1658 | sudo, |
1659 | sysvinit-utils, |
1660 | + |
1661 | +Tests: systemd-socket-activation |
1662 | +Restrictions: needs-root allow-stderr needs-reboot |
1663 | +Depends: openssh-client, |
1664 | + openssh-server, |
1665 | + systemd, |
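Review bot: the Restrictions line for systemd-socket-activation lists needs-root, allow-stderr and needs-reboot, but neither breaks-testbed nor an isolation-container/isolation-machine level. The test script added in this same patch stops ssh.service, appends to authorized_keys and rewrites SSHD_OPTS in /etc/default/ssh without restoring it, so it should declare breaks-testbed and an isolation level to keep it from being run on a shared or non-disposable testbed.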
1666 | diff --git a/debian/tests/systemd-socket-activation b/debian/tests/systemd-socket-activation |
1667 | new file mode 100644 |
1668 | index 0000000..b33922c |
1669 | --- /dev/null |
1670 | +++ b/debian/tests/systemd-socket-activation |
1671 | @@ -0,0 +1,62 @@ |
1672 | +#!/bin/bash |
1673 | + |
1674 | +set -euo pipefail |
1675 | + |
1676 | +# LP: #2020474 - we may need to reboot the testbed to finish the openssh-server package upgrade. |
1677 | +if grep -Fqsx openssh-server /run/reboot-required.pkgs && [[ -z "${AUTOPKGTEST_REBOOT_MARK:-""}" ]]; then |
1678 | + /tmp/autopkgtest-reboot 1 |
1679 | +fi |
1680 | + |
1681 | +assert_unit_property() { |
1682 | + local property="$(echo "$2" | awk -F'=' '{print $1}')" |
1683 | + |
1684 | + local expect="$2" |
1685 | + local actual="$(systemctl show -p "$property" "$1")" |
1686 | + |
1687 | + if [[ "$actual" != "$expect" ]]; then |
1688 | + echo "Fail: $1: expected $expect, but got $actual" |
1689 | + return 1 |
1690 | + fi |
1691 | +} |
1692 | + |
1693 | +# Generate RSA key and add it to this user's authorized keys. |
1694 | +ssh-keygen -t rsa -N "" -f "$HOME/.ssh/id_rsa" -q |
1695 | +if [[ -f ~/.ssh/authorized_keys ]]; then |
1696 | + touch ~/.ssh/authorized_keys |
1697 | + chmod 0600 ~/.ssh/authorized_keys |
1698 | +fi |
1699 | +cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys |
1700 | + |
1701 | +# Make sure ssh.service is not running. |
1702 | +echo "Stopping ssh.service..." |
1703 | +systemctl stop ssh.service 2>/dev/null |
1704 | + |
1705 | +# Check that ssh.socket is active and listening. |
1706 | +echo "Checking that ssh.socket is active and listening..." |
1707 | +assert_unit_property ssh.socket "ActiveState=active" |
1708 | +assert_unit_property ssh.socket "SubState=listening" |
1709 | + |
1710 | +# Check that ssh.service is currently inactive/dead. |
1711 | +echo "Checking that ssh.service is inactive/dead..." |
1712 | +assert_unit_property ssh.service "ActiveState=inactive" |
1713 | +assert_unit_property ssh.service "SubState=dead" |
1714 | + |
1715 | +# Check that a connection attempt successfully activates ssh.service. |
1716 | +echo "Checking that a connection attempt activates ssh.service..." |
1717 | +ssh -oStrictHostKeyChecking=no localhost -- /usr/bin/true |
1718 | +assert_unit_property ssh.service "ActiveState=active" |
1719 | +assert_unit_property ssh.service "SubState=running" |
1720 | + |
1721 | +# Check that we can re-execute sshd via systemctl reload. |
1722 | +echo "Checking that sshd can be re-executed..." |
1723 | +systemctl reload ssh.service |
1724 | +assert_unit_property ssh.service "ActiveState=active" |
1725 | +assert_unit_property ssh.service "SubState=running" |
1726 | + |
1727 | +# Check that we can run sshd in debug mode. |
1728 | +echo "Checking sshd can run in debug mode..." |
1729 | +systemctl stop ssh.service 2>/dev/null |
1730 | +sed -i 's/^SSHD_OPTS=.*/SSHD_OPTS=-ddd/g' /etc/default/ssh |
1731 | +ssh -oStrictHostKeyChecking=no localhost -- /usr/bin/true |
1732 | + |
1733 | +echo "Done." |
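Review bot: the guard around authorized_keys is inverted: "if [[ -f ~/.ssh/authorized_keys ]]" runs touch and chmod 0600 only when the file already exists, so on a clean testbed the file is created by the later "cat >>" with umask-derived permissions. It should be "[[ ! -f ... ]]", or the touch and chmod can simply be made unconditional. Two smaller points: the debug-mode step ends with an ssh call but no assertion that sshd actually ran with -ddd, and the sed on /etc/default/ssh silently does nothing if no line starts with SSHD_OPTS= and is never reverted, leaving the testbed's sshd in debug mode. In assert_unit_property, declaring and assigning in one statement ("local actual=\"$(systemctl show ...)\"") discards the exit status of systemctl under set -e; declare the locals first and assign on a separate line.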
Uploaded. I'm a bit sad that we didn't manage to drop some of our delta for this, but I'd rather have the new upstream version in the archive now than wait for some hypothetical Debian upload to come :)