Merge ~mirespace/ubuntu/+source/openssh:merge-lp2040406-noble into ubuntu/+source/openssh:debian/sid

Proposed by Miriam España Acebal
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 2543615c4711155154ed33e50d7955ba2829ffcd
Proposed branch: ~mirespace/ubuntu/+source/openssh:merge-lp2040406-noble
Merge into: ubuntu/+source/openssh:debian/sid
Diff against target: 1838 lines (+1213/-112)
31 files modified
debian/README.Debian (+10/-17)
debian/changelog (+299/-0)
debian/control (+2/-1)
debian/openssh-server.postinst (+193/-6)
debian/openssh-server.postrm (+4/-0)
debian/openssh-server.templates (+12/-0)
debian/openssh-server.tmpfile (+2/-0)
debian/openssh-server.ucf-md5sum (+24/-0)
debian/patches/series (+2/-0)
debian/patches/socket-activation-documentation.patch (+50/-0)
debian/patches/systemd-socket-activation.patch (+141/-49)
debian/patches/test-set-UsePAM-no-on-some-tests.patch (+41/-0)
debian/po/cs.po (+26/-1)
debian/po/da.po (+26/-1)
debian/po/de.po (+26/-1)
debian/po/es.po (+26/-1)
debian/po/fr.po (+26/-1)
debian/po/it.po (+26/-1)
debian/po/ja.po (+26/-1)
debian/po/nl.po (+26/-1)
debian/po/pt.po (+26/-1)
debian/po/pt_BR.po (+26/-1)
debian/po/ru.po (+28/-3)
debian/po/sv.po (+26/-1)
debian/po/templates.pot (+27/-2)
debian/po/tr.po (+27/-2)
debian/rules (+2/-2)
debian/systemd/ssh.service (+0/-2)
debian/tests/control (+6/-0)
debian/tests/systemd-socket-activation (+57/-0)
dev/null (+0/-17)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Nick Rosbrook (community) Approve
Ubuntu Sponsors Pending
Canonical Server Reporter Pending
Review via email: mp+459366@code.launchpad.net

Description of the change

Hi team,

PPA for this merge is (the builds are OK there for all archs):

ppa:mirespace/merge-openssh-9.6p1-3-noble-lp2040406
https://launchpad.net/~mirespace/+archive/ubuntu/merge-openssh-9.6p1-3-noble-lp2040406

Usual tags are there:

❯ git tag | grep mirespace
mirespace/logical/1%9.4p1-1ubuntu2
mirespace/new/debian
mirespace/old/debian
mirespace/old/ubuntu
mirespace/reconstruct/1%9.4p1-1ubuntu2
mirespace/split/1%9.4p1-1ubuntu2

Tests passed, except for i386 (but it has had the same problem since focal):

* Results:
  - openssh/1:9.6p1-3ubuntu1
    + ✅ openssh on noble for amd64 @ 24.01.24 12:55:50 Log️ 🗒️
    + ✅ openssh on noble for amd64 @ 24.01.24 13:00:46 Log️ 🗒️
    + ✅ openssh on noble for amd64 @ 24.01.24 13:03:13 Log️ 🗒️
    + ✅ openssh on noble for arm64 @ 24.01.24 13:43:16 Log️ 🗒️
    + ✅ openssh on noble for arm64 @ 24.01.24 14:12:20 Log️ 🗒️
    + ✅ openssh on noble for armhf @ 24.01.24 13:08:54 Log️ 🗒️
    + ❌ openssh on noble for i386 @ 24.01.24 12:38:10 Log️ 🗒️
      • regress FAIL 🟥
      • systemd-socket-activation PASS 🟩
    + ❌ openssh on noble for i386 @ 24.01.24 12:41:43 Log️ 🗒️
      • regress FAIL 🟥
      • systemd-socket-activation PASS 🟩
    + ✅ openssh on noble for ppc64el @ 24.01.24 12:48:35 Log️ 🗒️
    + ✅ openssh on noble for s390x @ 24.01.24 12:54:23 Log️ 🗒️
* Running: (none)

https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-merge-openssh-9.6p1-3-noble-lp2040406/?format=plain

Upgrade from the previous package went well too:

root@Nopenssh-merge:~# apt list --upgradable
Listing... Done
openssh-client/noble 1:9.6p1-3ubuntu1 amd64 [upgradable from: 1:9.4p1-1ubuntu1]
openssh-server/noble 1:9.6p1-3ubuntu1 amd64 [upgradable from: 1:9.4p1-1ubuntu1]
openssh-sftp-server/noble 1:9.6p1-3ubuntu1 amd64 [upgradable from: 1:9.4p1-1ubuntu1]

root@Nopenssh-merge:~# dpkg -l | grep openssh
ii openssh-client 1:9.6p1-3ubuntu1 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:9.6p1-3ubuntu1 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:9.6p1-3ubuntu1 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
root@Nopenssh-merge:~#

and ssh.service status is the same as in the previous package version:

root@Nopenssh-merge:~# systemctl status ssh.service
○ ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
     Active: inactive (dead)
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)

Regarding this, I have doubts about the change in d/rules, in override_dh_installsystemd, about ssh.socket activation for the openssh-server unit service: we have two commits that touch this (and conflict), one from upstream:

https://salsa.debian.org/ssh-team/openssh/-/commit/da06b7ef32c20de4dd18cd578025d96a9221984b

and one from us:

https://git.launchpad.net/ubuntu/+source/openssh/commit/debian/rules?h=ubuntu/noble-devel&id=693deb935fd5042bbde98d6ee9344f4800612eef

The upstream commit fixes LP: #2047082, and I didn’t find a clear motivation for our commit among our bugs, except this discussion:

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1991592

I finally decided to take the upstream changes, but this is open for discussion and can be redone if necessary.

About other bugs that can be fixed with this merge, we have a fix from upstream with this merge for bug 2047082 and bug 2049552. As a low-priority bug, maybe bug 2037703 can be considered for inclusion here, adding the info to the README.Debian file.

P.S. I'm uploading the packages again for some cosmetic changes in the changelog.

Marc Deslauriers (mdeslaur) wrote :

We switched to socket-based activation in kinetic, as documented in README.Debian. I believe you're now switching back to service-based activation, which we definitely shouldn't do without discussion (and also without changing the README.Debian and other documentation to accurately reflect the default).

Miriam España Acebal (mirespace) wrote :

Hi Marc,

Thanks for the clarification. My intention in opening the MP was precisely this. I looked for the changelog entry for that commit change [1], which is

  - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd.

and I found it since Mantic.

Looking for other related commit changes, I saw the one [2] for README.Debian that states "By default, socket-based activation is used on systems that use systemd." and clarifies how to disable it, which corresponds to the changelog entry

  * debian/README.Debian: document systemd socket activation.

and that one is from Kinetic, yes... so I wasn't sure if the latest change [1] was a modification/improvement/fix/other reason over the socket-based activation.

I will revisit both conflicting commits ([1] and [3]) again.

[1] https://git.launchpad.net/ubuntu/+source/openssh/commit/debian/rules?h=ubuntu/noble-devel&id=693deb935fd5042bbde98d6ee9344f4800612eef
[2] https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=ubuntu/noble-devel&id=4c439a9749b427e9dfa8a0f02579b1764550300a
[3] https://salsa.debian.org/ssh-team/openssh/-/commit/da06b7ef32c20de4dd18cd578025d96a9221984b

Marc Deslauriers (mdeslaur) wrote :

This is where it was switched to socket-based activation:

openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium

  * debian/patches/systemd-socket-activation.patch: support systemd
    socket activation.
  * debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
    activation by default.
  * debian/rules: rejigger dh_installsystemd invocations so ssh.service and
    ssh.socket don't fight.
  * debian/openssh-server.postinst: handle migration of sshd_config options
    to systemd socket options on upgrade.
  * debian/README.Debian: document systemd socket activation.
  * debian/patches/socket-activation-documentation.patch: Document in
    sshd_config(5) that ListenAddress and Port no longer work.
  * debian/openssh-server.templates, debian/openssh-server.postinst: include
    debconf warning about possible service failure with multiple
    ListenAddress settings.

 -- Steve Langasek <email address hidden> Fri, 19 Aug 2022 20:43:16 +0000

Nick Rosbrook (enr0n) wrote :

This change needs to be restored:

- debian/rules: modify dh_installsystemd invocations for
  socket-activated sshd.

The conflict with the upstream change is actually very straightforward; just take their invocations for rescue-ssh.target, and keep ours for ssh.{service,socket}. I.e., our delta with Debian against debian/rules would now look like:

diff --git a/debian/rules b/debian/rules
index c921ece2..dff47135 100755
--- a/debian/rules
+++ b/debian/rules
@@ -189,8 +189,8 @@ override_dh_installinit:
        dh_installinit -R --name ssh

 override_dh_installsystemd:
- dh_installsystemd -popenssh-server ssh.service
- dh_installsystemd -popenssh-server --no-enable ssh.socket
+ dh_installsystemd -popenssh-server --no-start ssh.socket
+ dh_installsystemd -popenssh-server --no-enable --no-start ssh.service
        dh_installsystemd -popenssh-server --no-start rescue-ssh.target

 debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in

review: Needs Fixing
Miriam España Acebal (mirespace) wrote :

Thanks Marc, Nick,

The commit's comment guided me and I didn't identify it elsewhere.

I made the change proposed in Nick's comment... I didn't realize the target units were different per change, and I thought it was a mixture that could impact behaviour and that's what I want to bring here to discussion/guidance (I'm sorry if my intention could be misinterpreted as a unilateral change of something)... that is what I understand an MP is for.

I've re-uploaded the package to the ppa. I'll trigger the tests when the packages are published.

Thanks to both of you again.

Nick Rosbrook (enr0n) wrote :

I didn't take this as a unilateral change at all, and I agree the MP is an appropriate place to discuss this! I apologize if my review came across the wrong way.

However, the change still doesn't look quite right to me. Looking at your commits, I see changes to d/rules in 1faaf8b6aa and 46ad7bf628. And, the overall debian/rules diff between your branch and pkg/debian/sid shows that we did not keep Debian's rescue-ssh.target change:

nr@six:/t/t/openssh$ git diff pkg/debian/sid mirespace/merge-lp2040406-noble -- debian/rules
diff --git a/debian/rules b/debian/rules
index c921ece2..6b3b6ea5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -189,9 +189,9 @@ override_dh_installinit:
        dh_installinit -R --name ssh

 override_dh_installsystemd:
- dh_installsystemd -popenssh-server ssh.service
- dh_installsystemd -popenssh-server --no-enable ssh.socket
- dh_installsystemd -popenssh-server --no-start rescue-ssh.target
+ dh_installsystemd -popenssh-server --no-start ssh.socket
+ dh_installsystemd -popenssh-server --no-enable --no-start ssh.service
+ dh_installsystemd -popenssh-server rescue-ssh.target

 debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
 ifeq ($(DEB_HOST_ARCH_OS),linux)

review: Needs Fixing
d3f7e60... by Miriam España Acebal

merge-changelogs

6937802... by Miriam España Acebal

reconstruct-changelog

8256039... by Miriam España Acebal

update-maintainer

2543615... by Miriam España Acebal

changelog 1:9.6p1-3ubuntu1

Miriam España Acebal (mirespace) wrote :

Hi Nick,

All good... thanks a lot!

I've redone the merge (crossing fingers this time!) from the beginning. I checked the diff in debian/rules, and maybe this time, it is the correct one:

$ git diff debian/sid..merge-lp2040406-noble -- debian/rules

diff --git a/debian/rules b/debian/rules
index c921ece2..dff47135 100755
--- a/debian/rules
+++ b/debian/rules
@@ -189,8 +189,8 @@ override_dh_installinit:
        dh_installinit -R --name ssh

 override_dh_installsystemd:
- dh_installsystemd -popenssh-server ssh.service
- dh_installsystemd -popenssh-server --no-enable ssh.socket
+ dh_installsystemd -popenssh-server --no-start ssh.socket
+ dh_installsystemd -popenssh-server --no-enable --no-start ssh.service
        dh_installsystemd -popenssh-server --no-start rescue-ssh.target

 debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
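Review bot: the two `+` lines in override_dh_installsystemd carry the whole socket-activation default, and nothing in debian/rules says so. A short comment above them, stating that ssh.socket is the unit left enabled and that ssh.service is deliberately installed with `--no-enable --no-start`, would make the intent survive the next conflict with Debian's version of this recipe. The unchanged `--no-start rescue-ssh.target` line could be covered by the same comment, since it is the line that comes from Debian.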

Uploading to the PPA... I'll trigger the test once the package is published.

Thanks again for your review and your time on this.
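
A regression check for the debian/rules delta settled on in this thread, as an added example that is not part of the merge proposal or of the packaging: it lints the override_dh_installsystemd recipe for the flags shown in the final diff. The function names and the three sample variants are constructed for illustration; the sample lines are copied from the diffs quoted above.

```shell
#!/bin/sh
# Added example: lint the override_dh_installsystemd recipe of a debian/rules
# file against the socket-activation delta agreed in this review.

# unit_flags RULES_FILE UNIT
# Print the sorted long options passed to dh_installsystemd for UNIT inside the
# override_dh_installsystemd recipe ("" if none, "MISSING" if UNIT is absent).
unit_flags() {
    awk -v unit="$2" '
        /^override_dh_installsystemd:/ { in_recipe = 1; next }
        in_recipe && /^[^ \t#]/        { in_recipe = 0 }  # next target ends it
        in_recipe && $1 == "dh_installsystemd" && $NF == unit {
            found = 1
            for (i = 2; i < NF; i++) if ($i ~ /^--/) print $i
        }
        END { if (!found) print "MISSING" }
    ' "$1" | sort -u | paste -sd ' ' -
}

# check_socket_activation_delta RULES_FILE
# Return 0 when every unit carries exactly the expected flags, 1 otherwise.
# Expected flags are the ones in the final debian/rules diff of the thread.
check_socket_activation_delta() {
    rules=$1
    status=0
    while read -r unit expected; do
        actual=$(unit_flags "$rules" "$unit")
        if [ "$actual" != "$expected" ]; then
            echo "$unit: expected [$expected], found [$actual]" >&2
            status=1
        fi
    done <<'EOF'
ssh.socket --no-start
ssh.service --no-enable --no-start
rescue-ssh.target --no-start
EOF
    return "$status"
}

# sample_rules VARIANT
# Constructed debian/rules excerpts: "debian" is the recipe in debian/sid,
# "second-attempt" is the state that lost --no-start on rescue-ssh.target,
# "merged" is the final delta.
sample_rules() {
    printf 'override_dh_installinit:\n\tdh_installinit -R --name ssh\n\n'
    printf 'override_dh_installsystemd:\n'
    case $1 in
        debian)
            printf '\tdh_installsystemd -popenssh-server ssh.service\n'
            printf '\tdh_installsystemd -popenssh-server --no-enable ssh.socket\n'
            printf '\tdh_installsystemd -popenssh-server --no-start rescue-ssh.target\n'
            ;;
        second-attempt)
            printf '\tdh_installsystemd -popenssh-server --no-start ssh.socket\n'
            printf '\tdh_installsystemd -popenssh-server --no-enable --no-start ssh.service\n'
            printf '\tdh_installsystemd -popenssh-server rescue-ssh.target\n'
            ;;
        merged)
            printf '\tdh_installsystemd -popenssh-server --no-start ssh.socket\n'
            printf '\tdh_installsystemd -popenssh-server --no-enable --no-start ssh.service\n'
            printf '\tdh_installsystemd -popenssh-server --no-start rescue-ssh.target\n'
            ;;
    esac
    printf '\ndebian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in\n'
}

# lint_variant VARIANT: write the sample to a temp file and lint it.
lint_variant() {
    tmp=$(mktemp) || return 2
    sample_rules "$1" > "$tmp"
    check_socket_activation_delta "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

for variant in debian second-attempt merged; do
    if lint_variant "$variant"; then
        echo "$variant: socket-activation delta intact"
    else
        echo "$variant: socket-activation delta NOT intact"
    fi
done
```

Run against a real tree, `check_socket_activation_delta debian/rules` gives the same pass/fail answer before upload.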

Miriam España Acebal (mirespace) wrote :

Tests passed (except the already known one for i386):

    + ✅ openssh on noble for amd64 @ 29.01.24 19:15:24 Log️ 🗒️
    + ✅ openssh on noble for arm64 @ 29.01.24 20:21:00 Log️ 🗒️
    + ✅ openssh on noble for armhf @ 29.01.24 20:27:27 Log️ 🗒️
    + ❌ openssh on noble for i386 @ 29.01.24 19:16:35 Log️ 🗒️
      • regress FAIL 🟥
      • systemd-socket-activation PASS 🟩
    + ✅ openssh on noble for ppc64el @ 29.01.24 20:00:17 Log️ 🗒️
    + ✅ openssh on noble for s390x @ 29.01.24 20:05:43 Log️ 🗒️

https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-merge-openssh-9.6p1-3-noble-lp2040406/

i.e.: noble/<arch>/o/openssh/20240129_*@/log.gz

Nick Rosbrook (enr0n) wrote :

Thanks, Miriam! LGTM. Uploading to noble.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: enr0n, mirespace
Uploaders: enr0n
MP auto-approved

review: Approve

Preview Diff

1diff --git a/debian/.gitignore b/debian/.gitignore
2deleted file mode 100644
3index 988323b..0000000
4--- a/debian/.gitignore
5+++ /dev/null
6@@ -1,17 +0,0 @@
7-/*.debhelper*
8-/*substvars
9-/build-deb
10-/build-udeb
11-/files
12-/keygen-test/key1
13-/keygen-test/key1.pub
14-/keygen-test/key2
15-/keygen-test/key2.pub
16-/openssh-client
17-/openssh-client-udeb
18-/openssh-server
19-/openssh-server-udeb
20-/ssh
21-/ssh-askpass-gnome
22-/ssh-krb5
23-/tmp
24diff --git a/debian/README.Debian b/debian/README.Debian
25index 6aab9cb..8067852 100644
26--- a/debian/README.Debian
27+++ b/debian/README.Debian
28@@ -184,23 +184,7 @@ this sshd manually on upgrades.
29 Socket-based activation with systemd
30 ------------------------------------
31
32-If you want to reconfigure systemd to listen on port 22 itself and launch
33-sshd on connection (systemd-style socket activation), then you can run:
34-
35- systemctl disable --now ssh.service
36- systemctl start ssh.socket
37-
38-To roll back this change, run:
39-
40- systemctl stop ssh.socket
41- systemctl enable --now ssh.service
42-
43-Or if you want to make this change permanent:
44-
45- systemctl enable ssh.socket
46-
47-This may be appropriate in environments where minimal footprint is critical
48-(e.g. cloud guests).
49+By default, socket-based activation is used on systems that use systemd.
50
51 The provided ssh.socket unit file sets ListenStream=22. If you need to have
52 it listen on a different address or port, then you will need to do this as
53@@ -216,6 +200,15 @@ follows (modifying ListenStream to match your requirements):
54
55 See systemd.socket(5) for details.
56
57+If you do not want to use socket activation for ssh on your system, you
58+can disable socket activation by running:
59+
60+ systemctl disable --now ssh.socket
61+ rm -f /etc/systemd/system/ssh.service.d/00-socket.conf
62+ rm -f /etc/systemd/system/ssh.socket.d/addresses.conf
63+ systemctl daemon-reload
64+ systemctl enable --now ssh.service
65+
66 Terminating SSH sessions cleanly on shutdown/reboot with systemd
67 ----------------------------------------------------------------
68
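Review bot: documentation gap in the added disable procedure (diff lines 57-64): removing /etc/systemd/system/ssh.socket.d/addresses.conf discards whatever ListenStream override the socket unit was using, and once ssh.service is enabled sshd binds according to Port and ListenAddress in sshd_config instead. The text should tell the administrator to carry any non-default address or port over to sshd_config before running `systemctl enable --now ssh.service`, so that sshd does not come up on a different address or port than the one firewall rules and monitoring expect.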
69diff --git a/debian/changelog b/debian/changelog
70index b547ae8..8f84740 100644
71--- a/debian/changelog
72+++ b/debian/changelog
73@@ -1,3 +1,36 @@
74+openssh (1:9.6p1-3ubuntu1) noble; urgency=medium
75+
76+ * Merge with Debian unstable (LP: #2040406). Remaining changes:
77+ - debian/rules: modify dh_installsystemd invocations for
78+ socket-activated sshd.
79+ - debian/openssh-server.postinst: handle migration of sshd_config
80+ options to systemd socket options on upgrade.
81+ - debian/README.Debian: document systemd socket activation.
82+ - debian/patches/socket-activation-documentation.patch: Document
83+ in sshd_config(5) that ListenAddress and Port no longer work.
84+ - debian/openssh-server.templates: include debconf prompt
85+ explaining when migration cannot happen due to multiple
86+ ListenAddress values.
87+ - debian/.gitignore: drop file.
88+ - debian/openssh-server.postrm: remove systemd drop-ins for
89+ socket-activated sshd on purge.
90+ - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
91+ - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
92+ /run/sshd creation out of the systemd unit to a tmpfile config
93+ so that sshd can be run manually if necessary without having to
94+ create this directory by hand.
95+ - debian/patches/systemd-socket-activation.patch: Fix sshd
96+ re-execution behavior when socket activation is used.
97+ - debian/tests/systemd-socket-activation: Add autopkgtest
98+ for systemd socket activation functionality.
99+ - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
100+ for some tests.
101+ * Dropped changes, fixed upstream:
102+ - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3
103+ (LP #2049552)
104+
105+ -- Miriam España Acebal <miriam.espana@canonical.com> Mon, 29 Jan 2024 11:16:31 +0100
106+
107 openssh (1:9.6p1-3) unstable; urgency=medium
108
109 * Allow passing extra ssh-agent arguments via
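Review bot: on diff line 103 the dropped-change entry reads `(LP #2049552)`, without the colon used by `(LP: #2040406)` on diff line 76 of the same entry. If this is meant as a plain reference rather than a bug closure, that is fine but worth making obvious (for example "see LP #2049552"); if a closure was intended, it needs the `LP: #2049552` form to be picked up from the changelog.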
110@@ -148,6 +181,59 @@ openssh (1:9.5p1-1) experimental; urgency=medium
111
112 -- Colin Watson <cjwatson@debian.org> Thu, 23 Nov 2023 17:38:07 +0000
113
114+openssh (1:9.4p1-1ubuntu2) noble; urgency=medium
115+
116+ * d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using
117+ zlib 1.3 (LP: #2049552).
118+
119+ -- Miriam España Acebal <miriam.espana@canonical.com> Wed, 17 Jan 2024 20:00:55 +0100
120+
121+openssh (1:9.4p1-1ubuntu1) noble; urgency=medium
122+
123+ * Merge with Debian unstable. Remaining changes:
124+ - debian/rules: modify dh_installsystemd invocations for
125+ socket-activated sshd
126+ - debian/openssh-server.postinst: handle migration of sshd_config options
127+ to systemd socket options on upgrade.
128+ - debian/README.Debian: document systemd socket activation.
129+ - debian/patches/socket-activation-documentation.patch: Document in
130+ sshd_config(5) that ListenAddress and Port no longer work.
131+ - debian/openssh-server.templates: include debconf prompt explaining
132+ when migration cannot happen due to multiple ListenAddress values
133+ - debian/.gitignore: drop file
134+ - debian/openssh-server.postrm: remove systemd drop-ins for
135+ socket-activated sshd on purge
136+ - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
137+ - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
138+ /run/sshd creation out of the systemd unit to a tmpfile config so
139+ that sshd can be run manually if necessary without having to create
140+ this directory by hand.
141+ - debian/patches/systemd-socket-activation.patch: Fix sshd
142+ re-execution behavior when socket activation is used
143+ - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
144+ activation functionality.
145+ - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
146+ * Dropped changes, fixed upstream:
147+ - d/p/fix-authorized-principals-command.patch: Fix the situation where
148+ sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
149+ is also set by checking if the value pointed to by the pointer
150+ 'charptr' is NULL.
151+ - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
152+ to load a PKCS#11 provider that isn't a PKCS#11 provider in
153+ ssh-pkcs11.c.
154+ - debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
155+ FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
156+ - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
157+ contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
158+ * Dropped changes, affected package versions not published in supported
159+ releases:
160+ - debian/openssh-server.postint: do not try to restart systemd units,
161+ and instead indicate that a reboot is required
162+ - debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
163+ - debian/rules: Do not stop ssh.socket on upgrade
164+
165+ -- Nick Rosbrook <enr0n@ubuntu.com> Mon, 13 Nov 2023 12:47:29 -0500
166+
167 openssh (1:9.4p1-1) unstable; urgency=medium
168
169 * New upstream release (https://www.openssh.com/releasenotes.html#9.4p1):
170@@ -236,6 +322,62 @@ openssh (1:9.3p2-1) unstable; urgency=high
171
172 -- Colin Watson <cjwatson@debian.org> Wed, 19 Jul 2023 22:49:14 +0100
173
174+openssh (1:9.3p1-1ubuntu3) mantic; urgency=medium
175+
176+ * d/p/fix-authorized-principals-command.patch: Fix the situation where
177+ sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
178+ is also set by checking if the value pointed to by the pointer
179+ 'charptr' is NULL. (LP: #2031942)
180+
181+ -- Michal Maloszewski <michal.maloszewski@canonical.com> Thu, 24 Aug 2023 15:20:27 +0200
182+
183+openssh (1:9.3p1-1ubuntu2) mantic; urgency=medium
184+
185+ * SECURITY UPDATE: remote code execution relating to PKCS#11 providers
186+ - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
187+ to load a PKCS#11 provider that isn't a PKCS#11 provider in
188+ ssh-pkcs11.c.
189+ - debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
190+ FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
191+ - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
192+ contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
193+ - CVE-2023-38408
194+
195+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 24 Jul 2023 15:01:06 -0400
196+
197+openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium
198+
199+ * Merge with Debian unstable (LP: #2025664). Remaining changes:
200+ - debian/rules: modify dh_installsystemd invocations for
201+ socket-activated sshd
202+ - debian/openssh-server.postinst: handle migration of sshd_config options
203+ to systemd socket options on upgrade.
204+ - debian/README.Debian: document systemd socket activation.
205+ - debian/patches/socket-activation-documentation.patch: Document in
206+ sshd_config(5) that ListenAddress and Port no longer work.
207+ - debian/openssh-server.templates: include debconf prompt explaining
208+ when migration cannot happen due to multiple ListenAddress values
209+ - debian/.gitignore: drop file
210+ - debian/openssh-server.postrm: remove systemd drop-ins for
211+ socket-activated sshd on purge
212+ - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
213+ - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
214+ /run/sshd creation out of the systemd unit to a tmpfile config so
215+ that sshd can be run manually if necessary without having to create
216+ this directory by hand.
217+ - debian/patches/systemd-socket-activation.patch: Fix sshd
218+ re-execution behavior when socket activation is used
219+ - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
220+ activation functionality.
221+ - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
222+ - Ensure smooth upgrade path from versions affected by LP: #2020474:
223+ + debian/openssh-server.postint: do not try to restart systemd units,
224+ and instead indicate that a reboot is required
225+ + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
226+ + debian/rules: Do not stop ssh.socket on upgrade
227+
228+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Mon, 03 Jul 2023 11:34:47 -0400
229+
230 openssh (1:9.3p1-1) unstable; urgency=medium
231
232 * Debconf translations:
233@@ -293,6 +435,64 @@ openssh (1:9.3p1-1) unstable; urgency=medium
234
235 -- Colin Watson <cjwatson@debian.org> Tue, 20 Jun 2023 01:01:48 +0100
236
237+openssh (1:9.2p1-2ubuntu3) mantic; urgency=medium
238+
239+ * Fix upgrade of openssh-server with active ssh session (LP: #2020474)
240+ - debian/patches/systemd-socket-activation.patch:
241+ + Do force closing of listen sockets in child process
242+ + Set rexec_flag = 0 when sshd is socket-activated so that child process
243+ does not re-exec
244+ - debian/openssh-server.postint:
245+ + When upgrading from affected versions of openssh, do not try to
246+ restart systemd units, and instead indicate that a reboot is required
247+ - debian/tests/systemd-socket-activation:
248+ + Reboot the testbed before starting the test
249+ - debian/rules:
250+ + Do not stop ssh.socket on upgrade
251+ * d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
252+
253+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Wed, 24 May 2023 18:02:11 -0400
254+
255+openssh (1:9.2p1-2ubuntu2) mantic; urgency=medium
256+
257+ * debian/README.Debian: Fix path of addresses.conf drop-in
258+
259+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Tue, 23 May 2023 10:50:35 -0400
260+
261+openssh (1:9.2p1-2ubuntu1) mantic; urgency=medium
262+
263+ * Merge with Debian unstable (LP: #2018094). Remaining changes:
264+ - debian/rules: modify dh_installsystemd invocations for
265+ socket-activated sshd
266+ - debian/openssh-server.postinst: handle migration of sshd_config options
267+ to systemd socket options on upgrade.
268+ - debian/README.Debian: document systemd socket activation.
269+ - debian/patches/socket-activation-documentation.patch: Document in
270+ sshd_config(5) that ListenAddress and Port no longer work.
271+ - debian/openssh-server.templates: include debconf prompt explaining
272+ when migration cannot happen due to multiple ListenAddress values
273+ - debian/.gitignore: drop file
274+ - debian/openssh-server.postrm: remove systemd drop-ins for
275+ socket-activated sshd on purge
276+ - debian/openssh-server.ucf-md5sum: Update list of stock sshd_config
277+ checksums to include those from jammy and kinetic.
278+ - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
279+ /run/sshd creation out of the systemd unit to a tmpfile config so
280+ that sshd can be run manually if necessary without having to create
281+ this directory by hand.
282+ - debian/patches/systemd-socket-activation.patch: Fix sshd
283+ re-execution behavior when socket activation is used
284+ - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
285+ activation functionality.
286+ * Dropped changes, included in Debian:
287+ - debian/patches/systemd-socket-activation.patch: Initial implementation
288+ * New changes:
289+ - debian/README.Debian: mention drop-in configurations in instructions
290+ for disabling sshd socket activation (LP: #2017434).
291+ - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
292+
293+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Fri, 19 May 2023 15:18:17 -0400
294+
295 openssh (1:9.2p1-2) unstable; urgency=medium
296
297 * Fix mistakenly-unreleased entry for 1:9.2p1-1 in debian/NEWS.
298@@ -544,6 +744,105 @@ openssh (1:9.1p1-1) unstable; urgency=medium
299
300 -- Colin Watson <cjwatson@debian.org> Mon, 14 Nov 2022 16:25:45 +0000
301
302+openssh (1:9.0p1-1ubuntu8.1) lunar; urgency=medium
303+
304+ * debian/patches/systemd-socket-activation.patch: Fix re-execution behavior
305+ (LP: #2011458):
306+ - Remove FD_CLOEXEC on fds passed by systemd to prevent automatic closing
307+ when sshd re-executes.
308+ - Do not manually close fds passed by systemd when re-executing.
309+ - Only call sd_listen_fds() once, and only in the parent process.
310+ - Check the LISTEN_FDS environment variable to get the number of fds
311+ passed by systemd when re-executing as a child process.
312+ * debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
313+ activation functionality.
314+
315+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Fri, 31 Mar 2023 12:44:32 -0400
316+
317+openssh (1:9.0p1-1ubuntu8) lunar; urgency=medium
318+
319+ * debian/openssh-server.postinst: Fix handling of ListenAddress when a port
320+ is specified (LP: #1993478):
321+ - Strip port before converting hostnames to numerical addresses.
322+ - Only append ports when the ListenAddress does not already specify a
323+ port.
324+ - Revert socket migration on upgrade if a previous version did the
325+ migration when it should not have.
326+ * debian/openssh-server.postinst: Ignore empty directory failure from rmdir
327+ when skipping socket migration (LP: #1995294).
328+
329+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Tue, 25 Oct 2022 11:57:43 -0400
330+
331+openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium
332+
333+ * Update list of stock sshd_config checksums to include those from
334+ jammy and kinetic.
335+ * Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
336+ avoid spurious ucf prompts on upgrade.
337+ * Move /run/sshd creation out of the systemd unit to a tmpfile config
338+ so that sshd can be run manually if necessary without having to create
339+ this directory by hand. LP: #1991283.
340+
341+ [ Nick Rosbrook ]
342+ * debian/openssh-server.postinst: Fix addresses.conf generation when only
343+ non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).
344+
345+ -- Steve Langasek <vorlon@debian.org> Mon, 26 Sep 2022 21:55:14 +0000
346+
347+openssh (1:9.0p1-1ubuntu6) kinetic; urgency=medium
348+
349+ * Fix syntax error in postinst :/
350+
351+ -- Steve Langasek <vorlon@debian.org> Fri, 23 Sep 2022 19:51:32 +0000
352+
353+openssh (1:9.0p1-1ubuntu5) kinetic; urgency=medium
354+
355+ * Correctly handle the case of new installs, and correctly apply systemd
356+ unit overrides on upgrade from existing kinetic systems.
357+
358+ -- Steve Langasek <vorlon@debian.org> Fri, 23 Sep 2022 19:45:18 +0000
359+
360+openssh (1:9.0p1-1ubuntu4) kinetic; urgency=medium
361+
362+ * Don't migrate users to socket activation if multiple ListenAddresses
363+ might make sshd unreliable on boot.
364+ * Fix regexp bug that prevented proper migration of IPv6 address settings.
365+
366+ -- Steve Langasek <vorlon@debian.org> Fri, 23 Sep 2022 19:35:37 +0000
367+
368+openssh (1:9.0p1-1ubuntu3) kinetic; urgency=medium
369+
370+ * Document in the default sshd_config file the changes in behavior
371+ triggered by use of socket-based activation.
372+
373+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 26 Aug 2022 00:40:11 +0000
374+
375+openssh (1:9.0p1-1ubuntu2) kinetic; urgency=medium
376+
377+ * Fix manpage to not claim socket-based activation is the default on
378+ Debian!
379+
380+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 26 Aug 2022 00:21:42 +0000
381+
382+openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium
383+
384+ * debian/patches/systemd-socket-activation.patch: support systemd
385+ socket activation.
386+ * debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
387+ activation by default.
388+ * debian/rules: rejigger dh_installsystemd invocations so ssh.service and
389+ ssh.socket don't fight.
390+ * debian/openssh-server.postinst: handle migration of sshd_config options
391+ to systemd socket options on upgrade.
392+ * debian/README.Debian: document systemd socket activation.
393+ * debian/patches/socket-activation-documentation.patch: Document in
394+ sshd_config(5) that ListenAddress and Port no longer work.
395+ * debian/openssh-server.templates, debian/openssh-server.postinst: include
396+ debconf warning about possible service failure with multiple
397+ ListenAddress settings.
398+
399+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 19 Aug 2022 20:43:16 +0000
400+
401 openssh (1:9.0p1-1) unstable; urgency=medium
402
403 * New upstream release (https://www.openssh.com/releasenotes.html#9.0p1):
404diff --git a/debian/control b/debian/control
405index b2dbb80..e93b516 100644
406--- a/debian/control
407+++ b/debian/control
408@@ -1,7 +1,8 @@
409 Source: openssh
410 Section: net
411 Priority: standard
412-Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
413+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
414+XSBC-Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
415 Build-Depends: debhelper (>= 13.1~),
416 debhelper-compat (= 13),
417 dh-exec,
418diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
419index 4114d35..cb9a301 100644
420--- a/debian/openssh-server.postinst
421+++ b/debian/openssh-server.postinst
422@@ -17,6 +17,87 @@ get_config_option() {
423 /usr/sbin/sshd -G | sed -n "s/^$option //Ip"
424 }
425
426+get_config_option_all() {
427+ option="$1"
428+ file="$2"
429+
430+ if [ -z "$file" ]; then
431+ file=/etc/ssh/sshd_config
432+ fi
433+
434+ [ -f "$file" ] || return 0
435+ # ListenAddress and Port only take a single word argument so anything
436+ # after this must be a comment
437+ while read option2 value junk; do
438+ case $option2 in
439+ $option)
440+ echo $value
441+ ;;
442+ Include)
443+ # globs
444+ for f in $value; do
445+ get_config_option_all "$option" "$f"
446+ done
447+ ;;
448+ esac
449+ done < $file
450+}
451+
452+hostnames_to_addresses() {
453+ addresses="$1"
454+ for address in $addresses; do
455+ address_no_port="$(address_strip_port $address)"
456+ if echo "$address_no_port" | grep -q '^[0-9a-f:]\+$\|^[0-9.]\+$'; then
457+ numeric_addresses="$numeric_addresses $address"
458+ else
459+ new_addresses=$( (getent ahostsv4 $address_no_port;
460+ getent ahostsv6 $address_no_port) \
461+ | awk '$1 ~ /^::ffff:/ || $2 != "STREAM" { next; }
462+ $1 ~ /:/ { print "[" $1 "]"; next; }
463+ { print $1 }' \
464+ | sort -u)
465+ port="$(port_from_address $address)"
466+ if [ -n "$port" ]; then
467+ new_addresses="$(for addr in $new_addresses; do echo $addr:$port; done)"
468+ fi
469+ numeric_addresses="$numeric_addresses $new_addresses"
470+ fi
471+ done
472+ echo "$numeric_addresses"
473+}
474+
475+port_from_address() {
476+ address="$1"
477+ if echo $address | grep -q '^\[[0-9a-f:]*\]:'; then
478+ # This is an IPv6 address with a port.
479+ port="$(echo $address | awk -F':' '{print $NF}')"
480+ elif echo $address | grep -q '^\[[0-9a-f:]*\]\+$\|^[0-9a-f:]\+$'; then
481+ # This is an IPv6 address without a port.
482+ port=""
483+ else
484+ # This is an IPv4 address or hostname, where the port
485+ # may or may not be specified.
486+ port="$(echo $address | awk -F':' '{print $2}')"
487+ fi
488+ echo "$port"
489+}
490+
491+address_strip_port() {
492+ address="$1"
493+ if echo $address | grep -q '^\[[0-9a-f:]*\]\(:\|$\)'; then
494+ # This is an IPv6 address in brackets, with or without a port.
495+ address_no_port="$(echo $address | awk -F '[][]' '{print $2}')"
496+ elif echo $address | grep -q '^[0-9a-f:]\+$'; then
497+ # This is an IPv6 address with no brackets and no port.
498+ address_no_port="$address"
499+ else
500+ # This is an IPv4 address or hostname, where the port
501+ # may or may not be specified.
502+ address_no_port="$(echo $address | awk -F':' '{print $1}')"
503+ fi
504+ echo "$address_no_port"
505+}
506+
507
508 create_key() {
509 msg="$1"
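Review bot: get_config_option_all matches the keyword with `case $option2 in $option)`, which is case-sensitive, while sshd_config keywords are not; the existing get_config_option just above already allows for that with the `I` flag on its sed expression. A config that spells the directive `listenaddress` or `port` would be skipped here and its value would never reach the socket override. Consider lower-casing `$option2` and `$option` before the case statement. Two smaller points in the same function: `Include` accepts several patterns on one line but only the first word is read into `$value`, and `done < $file` should quote `"$file"`.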
510@@ -54,15 +135,20 @@ create_keys() {
511
512
513 new_config=
514+workaround=
515
516 cleanup() {
517 if [ "$new_config" ]; then
518 rm -f "$new_config"
519 fi
520+ if [ "$workaround" ]; then
521+ rm -f "$workaround"
522+ fi
523 }
524
525
526 create_sshdconfig() {
527+ prev_ver="$1"
528 # XXX cjwatson 2016-12-24: This debconf template is very confusingly
529 # named; its description is "Disable SSH password authentication for
530 # root?", so true -> prohibit-password (the upstream default),
531@@ -84,6 +170,21 @@ create_sshdconfig() {
532 "$new_config"
533 fi
534 mkdir -pZ /etc/ssh
535+
536+ # Workaround for LP: #1968873: if we have an sshd_config with a known
537+ # checksum, confirm it via ucf before applying the changes from
538+ # the new version.
539+ if dpkg --compare-versions "$prev_ver" lt-nl 1:9.0p1-1ubuntu7 \
540+ && grep -q "^$(md5sum /etc/ssh/sshd_config | awk '{ print $1 }')" \
541+ /usr/share/openssh/sshd_config.md5sum
542+ then
543+ workaround="$(mktemp)"
544+ sed -e'14,16d' "$new_config" > "$workaround"
545+ ucf --three-way --debconf-ok \
546+ --sum-file /usr/share/openssh/sshd_config.md5sum \
547+ "$workaround" /etc/ssh/sshd_config
548+ fi
549+
550 ucf --three-way --debconf-ok \
551 --sum-file /usr/share/openssh/sshd_config.md5sum \
552 "$new_config" /etc/ssh/sshd_config
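Review bot: `sed -e'14,16d' "$new_config"` in the LP: #1968873 workaround deletes by fixed line number, so it silently removes the wrong lines if the sshd_config template ever gains or loses a line above that point. Please add a comment saying which three lines are expected there, or delete them by matching their content. Separately, if `md5sum /etc/ssh/sshd_config` produces no output, the grep pattern collapses to `^` and matches every line of the sum file, so testing that the file exists before this check would make the condition safer.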
553@@ -97,7 +198,7 @@ setup_sshd_user() {
554 }
555
556 if [ "$action" = configure ]; then
557- create_sshdconfig
558+ create_sshdconfig "$2"
559 create_keys
560 setup_sshd_user
561 if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
562@@ -110,18 +211,104 @@ if [ "$action" = configure ]; then
563 # which we now move back into place.
564 mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
565 fi
566- if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
567- deb-systemd-helper --quiet was-enabled ssh.socket && \
568- [ -d /run/systemd/system ]
569+ if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu8~
570 then
571 # migrate to systemd socket activation.
572- systemctl unmask ssh.service
573- systemctl disable ssh.service
574+ addresses=$(get_config_option_all ListenAddress)
575+ addresses=$(hostnames_to_addresses "$addresses")
576+ ports=$(get_config_option_all Port)
577+ if [ -n "$addresses$ports" ]
578+ then
579+ override_dir=/etc/systemd/system/ssh.socket.d
580+ mkdir -p "$override_dir"
581+ echo '[Socket]' > "$override_dir"/addresses.conf.new
582+ echo 'ListenStream=' >> "$override_dir"/addresses.conf.new
583+ fi
584+ if [ -n "$addresses" ]; then
585+ [ -n "$ports" ] || ports=22
586+ count=0
587+ for address in $addresses; do
588+ count=$((count+1))
589+ port_from_address="$(port_from_address $address)"
590+ if [ -z "$port_from_address" ]; then
591+ for port in $ports; do
592+ echo "ListenStream=$address:$port" \
593+ >> "$override_dir"/addresses.conf.new
594+ done
595+ else
596+ echo "ListenStream=$address" \
597+ >> "$override_dir"/addresses.conf.new
598+ fi
599+ done
600+ if [ $count -gt 1 ]; then
601+ db_input critical openssh-server/listenstream-may-fail || true
602+ db_go || true
603+ rm -f "$override_dir"/addresses.conf.new
604+ rmdir --ignore-fail-on-non-empty "$override_dir"
605+ NO_SOCKET_MIGRATION=1
606+ fi
607+ elif [ -n "$ports" ]; then
608+ for port in $ports; do
609+ echo "ListenStream=$port" \
610+ >> "$override_dir"/addresses.conf.new
611+ done
612+ fi
613+
614+ if [ -z "$NO_SOCKET_MIGRATION" ] && [ -n "$addresses$ports" ]
615+ then
616+ mv "$override_dir"/addresses.conf.new \
617+ "$override_dir"/addresses.conf
618+ fi
619 fi
620+ if dpkg --compare-versions "$2" lt 1:9.0p1-1ubuntu5~; then
621+ if [ -z "$NO_SOCKET_MIGRATION" ]; then
622+ override_dir=/etc/systemd/system/ssh.service.d
623+ mkdir -p "$override_dir"
624+ echo '[Unit]' > "$override_dir"/00-socket.conf
625+ echo 'After=ssh.socket' >> "$override_dir"/00-socket.conf
626+ echo 'Requires=ssh.socket' >> "$override_dir"/00-socket.conf
627+
628+ # deb-systemd-helper is inadequate for the task of
629+ # changing policy for the units on upgrade
630+ if [ -d /run/systemd/system ]; then
631+ systemctl daemon-reload
632+ systemctl disable ssh.service
633+ systemctl unmask ssh.service
634+ systemctl stop ssh.service
635+ systemctl enable ssh.socket
636+ fi
637+ fi
638+ fi
639+
640+ # Revert socket migration if we can determine the user hit
641+ # LP: #1993478.
642+ if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu7~ \
643+ && [ -e /etc/systemd/system/ssh.socket.d/addresses.conf ] \
644+ && [ -e /etc/systemd/system/ssh.service.d/00-socket.conf ] \
645+ && [ -n "$NO_SOCKET_MIGRATION" ]; then
646+ rm /etc/systemd/system/ssh.socket.d/addresses.conf
647+ rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.socket.d
648+ rm /etc/systemd/system/ssh.service.d/00-socket.conf
649+ rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.service.d
650+ if [ -d /run/systemd/system ]; then
651+ systemctl daemon-reload
652+ systemctl disable ssh.socket
653+ systemctl stop ssh.socket
654+ systemctl enable ssh.service
655+ fi
656+ fi
657 fi
658
659 #DEBHELPER#
660
661+if [ -d /run/systemd/system ]; then
662+ if deb-systemd-helper --quiet was-enabled ssh.socket; then
663+ deb-systemd-invoke restart ssh.socket
664+ elif deb-systemd-helper --quiet was-enabled ssh.service; then
665+ deb-systemd-invoke restart ssh.service
666+ fi
667+fi
668+
669 db_stop
670
671 exit 0
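Review bot: in the loop that writes `ListenStream=$address:$port`, an address that sshd_config gives as a bare IPv6 literal (the "no brackets and no port" case that address_strip_port and port_from_address both recognise) passes through hostnames_to_addresses unchanged, so the override gets a line of the form `ListenStream=::1:22` (address chosen here for illustration). systemd.socket only reads an IPv6 address with a port in the `[addr]:port` form, so the brackets need to be added before the port is appended. Because a single ListenAddress is migrated without the debconf warning, this path can leave ssh.socket with an unusable address after the upgrade. NO_SOCKET_MIGRATION is also tested with `-z` without being initialised earlier in the script; setting it to empty next to `new_config=` would keep an inherited environment value from changing the result.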
672diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm
673index fbaeb17..46798dd 100644
674--- a/debian/openssh-server.postrm
675+++ b/debian/openssh-server.postrm
676@@ -23,6 +23,10 @@ case $1 in
677 if command -v ucfr >/dev/null 2>&1; then
678 ucfr --purge openssh-server /etc/ssh/sshd_config
679 fi
680+ rm -f /etc/systemd/system/ssh.service.d/00-socket.conf
681+ rm -f /etc/systemd/system/ssh.socket.d/addresses.conf
682+ rmdir /etc/systemd/system/ssh.service.d || true
683+ rmdir /etc/systemd/system/ssh.socket.d || true
684 rm -f /etc/ssh/sshd_not_to_be_run
685 [ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh
686
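Review bot: the two added `rmdir ... || true` calls print an error on purge whenever the drop-in directory is absent or still holds an administrator's own override file. The /etc/ssh line just below already uses the quieter pattern, and `[ ! -d DIR ] || rmdir --ignore-fail-on-non-empty DIR` for both directories would match it.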
687diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
688index e071fe3..31f2935 100644
689--- a/debian/openssh-server.templates
690+++ b/debian/openssh-server.templates
691@@ -21,3 +21,15 @@ Description: Allow password authentication?
692 By default, the SSH server will allow authenticating using a password.
693 You may want to change this if all users on this system authenticate using
694 a stronger authentication method, such as public keys.
695+
696+Template: openssh-server/listenstream-may-fail
697+Type: error
698+_Description: Not migrating to socket activation
699+ This version of openssh-server uses socket-based activation by default.
700+ However, because you have more than one ListenAddress configured in
701+ sshd_config, it is impossible to determine at upgrade time if migrating
702+ you to socket-based activation would cause the starting of sshd at boot
703+ to be unreliable.
704+ .
705+ Because a failure to start ssh may make it impossible to admininister a
706+ system, you will not be migrated to socket-based activation at this time.
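Review bot: "admininister" in the last paragraph of the listenstream-may-fail description is a typo for "administer". Since this is a translatable `_Description`, the misspelling is copied into the msgid of the debian/po files changed in this merge, so it is cheaper to fix before translators pick the string up.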
707diff --git a/debian/openssh-server.tmpfile b/debian/openssh-server.tmpfile
708new file mode 100644
709index 0000000..76c6323
710--- /dev/null
711+++ b/debian/openssh-server.tmpfile
712@@ -0,0 +1,2 @@
713+#Type Path Mode UID GID Age Arguments
714+D /run/sshd 0755 root root - -
715diff --git a/debian/openssh-server.ucf-md5sum b/debian/openssh-server.ucf-md5sum
716index 3a9dc23..9a8efb6 100644
717--- a/debian/openssh-server.ucf-md5sum
718+++ b/debian/openssh-server.ucf-md5sum
719@@ -103,8 +103,32 @@ cc873ab3ccc9cf3a3830c3c0728c0d0b
720 9f1bec115595c0f76282d80abe5d9bcc
721 ae1a449c8adb31cb603e28fda5342696
722
723+# From 1:8.4p1-5
724+6dbdc3a27e1953d209f929df7aff0c57
725+0ef8c8fe6a3afd12382dbb93cd7bbb4e
726+ae1a449c8adb31cb603e28fda5342696
727+9f1bec115595c0f76282d80abe5d9bcc
728+
729 # From 1:8.7p1-1:
730 fe83fd23553510bb632dc8e6e35ab41a
731 d96ecd9064ea650c44372a5a33d3e497
732 7fdb195ac56e0bf1992e18ac656811af
733 4e03b4df60cd00c651777ec14ff76aef
734+
735+# From 1:8.9p1-3
736+30e0fe758429c57d35a5e71dbd8dd2f8
737+23a8a2b1a8f1538be49eb86313367191
738+133f5f0119fbf5716b7d72048b25ea71
739+697a81708f11897cb0fef857563dee55
740+
741+# From 1:9.0p1-1ubuntu3
742+90ace5da6c7eb3041732930972662f34
743+b2c07b86695152141e84f44e4414104a
744+e7b9120b6e68c5666ac21a0cc03d4806
745+9389be84e67cd5a91b97de5ff03c9306
746+
747+# From 1:9.2p1-2ubuntu1
748+fac56840f6697a357368bb878dd8fb87
749+d01da8c9de75176095712d4e37d5dcd5
750+e4898846045f33b8d99d3263d6f6fd81
751+ec46dc59ba9c9e9458add405264fcedd
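Review bot: the new "# From 1:8.4p1-5" block repeats two sums that are already listed on the unchanged lines directly above it. Duplicates are harmless for a membership check, but dropping them keeps the list easier to audit. The four new headers also omit the trailing colon used by the existing "# From 1:8.7p1-1:" header.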
752diff --git a/debian/patches/series b/debian/patches/series
753index 2170a6a..42a873f 100644
754--- a/debian/patches/series
755+++ b/debian/patches/series
756@@ -26,3 +26,5 @@ maxhostnamelen.patch
757 conch-ssh-rsa.patch
758 systemd-socket-activation.patch
759 broken-zero-call-used-regs.patch
760+socket-activation-documentation.patch
761+test-set-UsePAM-no-on-some-tests.patch
762diff --git a/debian/patches/socket-activation-documentation.patch b/debian/patches/socket-activation-documentation.patch
763new file mode 100644
764index 0000000..9afde55
765--- /dev/null
766+++ b/debian/patches/socket-activation-documentation.patch
767@@ -0,0 +1,50 @@
768+Index: openssh-9.0p1/sshd_config.5
769+===================================================================
770+--- openssh-9.0p1.orig/sshd_config.5
771++++ openssh-9.0p1/sshd_config.5
772+@@ -1069,6 +1069,15 @@
773+ Multiple
774+ .Cm ListenAddress
775+ options are permitted.
776++.Pp
777++.Cm Note:
778++On Ubuntu, the openssh-server package is configured to use systemd
779++socket-based activation by default. Therefore if you are using systemd with
780++the default configuration,
781++.Cm ListenAddress
782++options will not be honored. Address configuration must be handled in
783++.Pa /etc/systemd/system/ssh.socket.d
784++instead.
785+ .It Cm LoginGraceTime
786+ The server disconnects after this time if the user has not
787+ successfully logged in.
788+@@ -1520,6 +1529,15 @@
789+ Multiple options of this type are permitted.
790+ See also
791+ .Cm ListenAddress .
792++.Pp
793++.Cm Note:
794++On Ubuntu, the openssh-server package is configured to use systemd
795++socket-based activation by default. Therefore if you are using systemd with
796++the default configuration,
797++.Cm Port
798++options will not be honored. Address configuration must be handled in
799++.Pa /etc/systemd/system/ssh.socket.d
800++instead.
801+ .It Cm PrintLastLog
802+ Specifies whether
803+ .Xr sshd 8
804+Index: openssh-9.0p1/sshd_config
805+===================================================================
806+--- openssh-9.0p1.orig/sshd_config
807++++ openssh-9.0p1/sshd_config
808+@@ -12,6 +12,9 @@
809+
810+ Include /etc/ssh/sshd_config.d/*.conf
811+
812++# Port and ListenAddress options are not used when sshd is socket-activated,
813++# which is now the default in Ubuntu. See sshd_config(5) and
814++# /usr/share/doc/openssh-server/README.Debian.gz for details.
815+ #Port 22
816+ #AddressFamily any
817+ #ListenAddress 0.0.0.0
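Review bot: both man page notes say the options "will not be honored" and point at /etc/systemd/system/ssh.socket.d, but neither names the directive an administrator has to set there. Mentioning `ListenStream=`, the key postinst writes into addresses.conf, would make the note actionable, and the note under Port could say "Port configuration" rather than "Address configuration".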
818diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
819index 73afb88..8e1ce7c 100644
820--- a/debian/patches/systemd-socket-activation.patch
821+++ b/debian/patches/systemd-socket-activation.patch
822@@ -1,47 +1,72 @@
823-From 7fa10262be3c7d9fd2fca9c9710ac4ef3f788b08 Mon Sep 17 00:00:00 2001
824-From: Steve Langasek <steve.langasek@ubuntu.com>
825-Date: Thu, 1 Sep 2022 16:03:37 +0100
826-Subject: Support systemd socket activation
827+Description: support systemd socket activation
828+ Unlike inetd socket activation, with systemd socket activation the
829+ supervisor passes the listened-on socket to the child process and lets
830+ the child process handle the accept(). This lets us do delayed start
831+ of the sshd daemon without becoming incompatible with config options
832+ like ClientAliveCountMax.
833+Author: Steve Langasek <steve.langasek@ubuntu.com>
834+Author: Nick Rosbrook <nick.rosbrook@canonical.com>
835+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2011458
836+Last-Update: 2023-05-25
837
838-Unlike inetd socket activation, with systemd socket activation the
839-supervisor passes the listened-on socket to the child process and lets
840-the child process handle the accept(). This lets us do delayed start
841-of the sshd daemon without becoming incompatible with config options
842-like ClientAliveCountMax.
843-
844-Last-Update: 2022-09-01
845-
846-Patch-Name: systemd-socket-activation.patch
847----
848- sshd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++---------
849- 1 file changed, 75 insertions(+), 14 deletions(-)
850-
851-diff --git a/sshd.c b/sshd.c
852-index 356bd6c02..6dfa5fffe 100644
853 --- a/sshd.c
854 +++ b/sshd.c
855-@@ -140,10 +140,16 @@ int deny_severity;
856+@@ -139,11 +139,14 @@
857+ int deny_severity;
858 #endif /* LIBWRAP */
859
860++/* This will only get set if we build with systemd. */
861++static int systemd_num_listen_fds;
862++
863 /* Re-exec fds */
864 -#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
865 -#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
866 -#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
867 -#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4)
868-+#ifdef HAVE_SYSTEMD
869-+#define SYSTEMD_OFFSET sd_listen_fds(0)
870-+#else
871-+#define SYSTEMD_OFFSET 0
872-+#endif
873-+
874-+#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1 + SYSTEMD_OFFSET)
875-+#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2 + SYSTEMD_OFFSET)
876-+#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3 + SYSTEMD_OFFSET)
877-+#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4 + SYSTEMD_OFFSET)
878++#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1 + systemd_num_listen_fds)
879++#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2 + systemd_num_listen_fds)
880++#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3 + systemd_num_listen_fds)
881++#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4 + systemd_num_listen_fds)
882
883 extern char *__progname;
884
885-@@ -1020,6 +1026,48 @@ server_accept_inetd(int *sock_in, int *sock_out)
886+@@ -194,6 +197,7 @@
887+ */
888+ #define MAX_LISTEN_SOCKS 16
889+ static int listen_socks[MAX_LISTEN_SOCKS];
890++static int listen_socks_no_close[MAX_LISTEN_SOCKS];
891+ static int num_listen_socks = 0;
892+
893+ /* Daemon's agent connection */
894+@@ -279,12 +283,16 @@
895+ * Close all listening sockets
896+ */
897+ static void
898+-close_listen_socks(void)
899++close_listen_socks(int force)
900+ {
901+ int i;
902+
903+- for (i = 0; i < num_listen_socks; i++)
904++ for (i = 0; i < num_listen_socks; i++) {
905++ if (listen_socks_no_close[i] > 0 && force <= 0)
906++ continue;
907++
908+ close(listen_socks[i]);
909++ }
910+ num_listen_socks = 0;
911+ }
912+
913+@@ -322,7 +330,7 @@
914+ if (options.pid_file != NULL)
915+ unlink(options.pid_file);
916+ platform_pre_restart();
917+- close_listen_socks();
918++ close_listen_socks(/* force = */ 0);
919+ close_startup_pipes();
920+ ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */
921+ execv(saved_argv[0], saved_argv);
922+@@ -1020,6 +1028,65 @@
923 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
924 }
925
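Review bot: close_listen_socks(int force) gains a parameter with no comment on what it means, and the body tests it with `force <= 0` although every caller passes 0 or 1. A one-line comment on the function (sockets inherited from systemd are kept open unless force is set) and a plain `!force` test would make the call sites easier to audit. Also worth a comment: num_listen_socks is reset to 0 while the listen_socks_no_close[] entries keep their value.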
926@@ -52,7 +77,7 @@ index 356bd6c02..6dfa5fffe 100644
927 +static void
928 +setup_systemd_socket(int listen_sock)
929 +{
930-+ int ret;
931++ int flags, ret;
932 + struct sockaddr_storage addr;
933 + socklen_t len = sizeof(addr);
934 + char ntop[NI_MAXHOST], strport[NI_MAXSERV];
935@@ -77,10 +102,27 @@ index 356bd6c02..6dfa5fffe 100644
936 + close(listen_sock);
937 + return;
938 + }
939++
940 + /* Socket options */
941 + set_reuseaddr(listen_sock);
942 +
943++ /* systemd sets FD_CLOEXEC on the fds it passes to us, but we need this
944++ * to stay open across re-exec. */
945++ flags = fcntl(listen_sock, F_GETFD);
946++ if (flags < 0) {
947++ error("Failed to get fd flags: %s", strerror(errno));
948++ close(listen_sock);
949++ return;
950++ }
951++
952++ if (fcntl(listen_sock, F_SETFD, flags & ~FD_CLOEXEC) < 0) {
953++ error("Failed to clear FD_CLOEXEC flag: %s", strerror(errno));
954++ close(listen_sock);
955++ return;
956++ }
957++
958 + listen_socks[num_listen_socks] = listen_sock;
959++ listen_socks_no_close[num_listen_socks] = 1;
960 + num_listen_socks++;
961 +
962 + logit("Server listening on %s port %s.", ntop, strport);
963@@ -90,15 +132,7 @@ index 356bd6c02..6dfa5fffe 100644
964 /*
965 * Listen for TCP connections
966 */
967-@@ -1099,22 +1147,35 @@ static void
968- server_listen(void)
969- {
970- u_int i;
971-+#ifdef HAVE_SYSTEMD
972-+ int systemd_socket_count;
973-+#endif
974-
975- /* Initialise per-source limit tracking. */
976+@@ -1104,17 +1171,26 @@
977 srclimit_init(options.max_startups, options.per_source_max_startups,
978 options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
979
980@@ -108,12 +142,16 @@ index 356bd6c02..6dfa5fffe 100644
981 - free(options.listen_addrs[i].rdomain);
982 - memset(&options.listen_addrs[i], 0,
983 - sizeof(options.listen_addrs[i]));
984+- }
985+- free(options.listen_addrs);
986+- options.listen_addrs = NULL;
987+- options.num_listen_addrs = 0;
988+-
989 +#ifdef HAVE_SYSTEMD
990-+ systemd_socket_count = sd_listen_fds(0);
991-+ if (systemd_socket_count > 0)
992++ if (systemd_num_listen_fds > 0)
993 + {
994 + int i;
995-+ for (i = 0; i < systemd_socket_count; i++)
996++ for (i = 0; i < systemd_num_listen_fds; i++)
997 + setup_systemd_socket(SD_LISTEN_FDS_START + i);
998 + } else
999 +#endif
1000@@ -128,11 +166,65 @@ index 356bd6c02..6dfa5fffe 100644
1001 + free(options.listen_addrs);
1002 + options.listen_addrs = NULL;
1003 + options.num_listen_addrs = 0;
1004- }
1005-- free(options.listen_addrs);
1006-- options.listen_addrs = NULL;
1007-- options.num_listen_addrs = 0;
1008--
1009++ }
1010 if (!num_listen_socks)
1011 fatal("Cannot bind any address.");
1012 }
1013+@@ -1169,7 +1245,7 @@
1014+ if (received_sigterm) {
1015+ logit("Received signal %d; terminating.",
1016+ (int) received_sigterm);
1017+- close_listen_socks();
1018++ close_listen_socks(/* force = */ 1);
1019+ if (options.pid_file != NULL)
1020+ unlink(options.pid_file);
1021+ exit(received_sigterm == SIGTERM ? 0 : 255);
1022+@@ -1183,7 +1259,7 @@
1023+ if (received_sighup) {
1024+ if (!lameduck) {
1025+ debug("Received SIGHUP; waiting for children");
1026+- close_listen_socks();
1027++ close_listen_socks(/* force = */ 0);
1028+ lameduck = 1;
1029+ }
1030+ if (listening <= 0) {
1031+@@ -1310,7 +1386,7 @@
1032+ * connection without forking.
1033+ */
1034+ debug("Server will not fork when running in debugging mode.");
1035+- close_listen_socks();
1036++ close_listen_socks(/* force = */ 0);
1037+ *sock_in = *newsock;
1038+ *sock_out = *newsock;
1039+ close(startup_p[0]);
1040+@@ -1344,7 +1420,7 @@
1041+ platform_post_fork_child();
1042+ startup_pipe = startup_p[1];
1043+ close_startup_pipes();
1044+- close_listen_socks();
1045++ close_listen_socks(/* force = */ 1);
1046+ *sock_in = *newsock;
1047+ *sock_out = *newsock;
1048+ log_init(__progname,
1049+@@ -1715,6 +1791,21 @@
1050+ break;
1051+ }
1052+ }
1053++
1054++#ifdef HAVE_SYSTEMD
1055++ /* We should call sd_listen_fds() exactly once. If we call
1056++ * sd_listen_fds() more than once, then FD_CLOEXEC will be
1057++ * re-configured for the passed fds, which will cause problems during
1058++ * re-execution. The FD_CLOEXEC flag will be cleared by
1059++ * setup_systemd_socket(). */
1060++ r = sd_listen_fds(0);
1061++ if (r < 0)
1062++ fatal("Failed to get systemd socket fds: %s", strerror(-r));
1063++
1064++ systemd_num_listen_fds = r;
1065++ rexec_flag = 0;
1066++#endif
1067++
1068+ if (rexeced_flag || inetd_flag)
1069+ rexec_flag = 0;
1070+ if (!test_flag && !do_dump_cfg && rexec_flag && !path_absolute(av[0]))
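Review bot: `rexec_flag = 0;` in the new HAVE_SYSTEMD block at the end of this hunk runs whenever sshd is built with systemd, including when sd_listen_fds() returned 0 and sshd was started as a plain service. That turns off the per-connection re-exec, which is what gives each session a freshly randomised address space, for every installation rather than only socket-activated ones, and the comment above the block does not say why. If it is only needed for socket activation, guard it with `if (systemd_num_listen_fds > 0)`; either way please document the reason.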
1071diff --git a/debian/patches/test-set-UsePAM-no-on-some-tests.patch b/debian/patches/test-set-UsePAM-no-on-some-tests.patch
1072new file mode 100644
1073index 0000000..207f495
1074--- /dev/null
1075+++ b/debian/patches/test-set-UsePAM-no-on-some-tests.patch
1076@@ -0,0 +1,41 @@
1077+Description: Set UsePAM=no for regress/putty-*.sh
1078+ Currently these tests fails in the autopkgtest infrastructure due to pam_loginuid.so
1079+ failures. These failures cannot currently be replicated locally. Workaround this
1080+ by setting UsePAM=no for the failing tests since their functionality is not tesing
1081+ PAM.
1082+Author: Nick Rosbrook <nick.rosbrook@canonical.com>
1083+Forwarded: no
1084+Last-Update: 2023-05-25
1085+--- a/regress/putty-ciphers.sh
1086++++ b/regress/putty-ciphers.sh
1087+@@ -14,6 +14,8 @@
1088+ echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
1089+ fi
1090+
1091++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
1092++
1093+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
1094+ verbose "$tid: cipher $c"
1095+ cp ${OBJ}/.putty/sessions/localhost_proxy \
1096+--- a/regress/putty-kex.sh
1097++++ b/regress/putty-kex.sh
1098+@@ -14,6 +14,8 @@
1099+ echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
1100+ fi
1101+
1102++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
1103++
1104+ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
1105+ verbose "$tid: kex $k"
1106+ cp ${OBJ}/.putty/sessions/localhost_proxy \
1107+--- a/regress/putty-transfer.sh
1108++++ b/regress/putty-transfer.sh
1109+@@ -14,6 +14,8 @@
1110+ echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
1111+ fi
1112+
1113++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
1114++
1115+ if [ "`${SSH} -Q compression`" = "none" ]; then
1116+ comp="0"
1117+ else
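Review bot: `sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy` is not anchored and only rewrites a line that already contains UsePAM, so it does nothing if sshd_proxy has no such line and leaves a commented-out one commented. Anchoring the pattern (`^UsePAM`) and adding the line when it is missing would make the workaround deterministic across the three scripts. The Description also has two typos: "tests fails" and "tesing".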
1118diff --git a/debian/po/cs.po b/debian/po/cs.po
1119index d01e0ff..21b4c7b 100644
1120--- a/debian/po/cs.po
1121+++ b/debian/po/cs.po
1122@@ -7,7 +7,7 @@ msgid ""
1123 msgstr ""
1124 "Project-Id-Version: openssh 1:6.6p1-1\n"
1125 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1126-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1127+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1128 "PO-Revision-Date: 2014-06-12 12:25+0200\n"
1129 "Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n"
1130 "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
1131@@ -53,3 +53,28 @@ msgstr ""
1132 "poškodit systémy, které jsou nastaveny s předpokladem, že bude možné se "
1133 "přihlašovat přes SSH jako root pomocí ověřování heslem. Změnu této volby "
1134 "byste měli provést pouze pokud ověřování heslem potřebujete."
1135+
1136+#. Type: error
1137+#. Description
1138+#: ../openssh-server.templates:3001
1139+msgid "Not migrating to socket activation"
1140+msgstr ""
1141+
1142+#. Type: error
1143+#. Description
1144+#: ../openssh-server.templates:3001
1145+msgid ""
1146+"This version of openssh-server uses socket-based activation by default. "
1147+"However, because you have more than one ListenAddress configured in "
1148+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1149+"to socket-based activation would cause the starting of sshd at boot to be "
1150+"unreliable."
1151+msgstr ""
1152+
1153+#. Type: error
1154+#. Description
1155+#: ../openssh-server.templates:3001
1156+msgid ""
1157+"Because a failure to start ssh may make it impossible to admininister a "
1158+"system, you will not be migrated to socket-based activation at this time."
1159+msgstr ""
1160diff --git a/debian/po/da.po b/debian/po/da.po
1161index 70d576d..a08ca3b 100644
1162--- a/debian/po/da.po
1163+++ b/debian/po/da.po
1164@@ -7,7 +7,7 @@ msgid ""
1165 msgstr ""
1166 "Project-Id-Version: openssh\n"
1167 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1168-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1169+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1170 "PO-Revision-Date: 2014-03-21 23:51+0200\n"
1171 "Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
1172 "Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n"
1173@@ -53,3 +53,28 @@ msgstr ""
1174 "Det kan dog ødelægge systemer, som er opsat med forventning om at kunne SSH "
1175 "som root via brug af adgangskodegodkendelse. Du skal kun lave denne ændring, "
1176 "hvis du ikke har brug for dette."
1177+
1178+#. Type: error
1179+#. Description
1180+#: ../openssh-server.templates:3001
1181+msgid "Not migrating to socket activation"
1182+msgstr ""
1183+
1184+#. Type: error
1185+#. Description
1186+#: ../openssh-server.templates:3001
1187+msgid ""
1188+"This version of openssh-server uses socket-based activation by default. "
1189+"However, because you have more than one ListenAddress configured in "
1190+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1191+"to socket-based activation would cause the starting of sshd at boot to be "
1192+"unreliable."
1193+msgstr ""
1194+
1195+#. Type: error
1196+#. Description
1197+#: ../openssh-server.templates:3001
1198+msgid ""
1199+"Because a failure to start ssh may make it impossible to admininister a "
1200+"system, you will not be migrated to socket-based activation at this time."
1201+msgstr ""
1202diff --git a/debian/po/de.po b/debian/po/de.po
1203index ecba54b..2536ea4 100644
1204--- a/debian/po/de.po
1205+++ b/debian/po/de.po
1206@@ -8,7 +8,7 @@ msgid ""
1207 msgstr ""
1208 "Project-Id-Version: openssh_1:6.6p1-1\n"
1209 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1210-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1211+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1212 "PO-Revision-Date: 2014-03-24 22:21+0100\n"
1213 "Last-Translator: Stephan Beck <sbeck@mailbox.org>\n"
1214 "Language-Team: Debian German translation team <debian-l10n-german@lists."
1215@@ -59,3 +59,28 @@ msgstr ""
1216 "in der Absicht konfiguriert wurden, die Anmeldung als »root« über SSH unter "
1217 "Verwendung von Passwort-Authentifizierung zuzulassen. Sie sollten diese "
1218 "Änderung nur vornehmen, wenn Sie auf Letzteres verzichten können."
1219+
1220+#. Type: error
1221+#. Description
1222+#: ../openssh-server.templates:3001
1223+msgid "Not migrating to socket activation"
1224+msgstr ""
1225+
1226+#. Type: error
1227+#. Description
1228+#: ../openssh-server.templates:3001
1229+msgid ""
1230+"This version of openssh-server uses socket-based activation by default. "
1231+"However, because you have more than one ListenAddress configured in "
1232+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1233+"to socket-based activation would cause the starting of sshd at boot to be "
1234+"unreliable."
1235+msgstr ""
1236+
1237+#. Type: error
1238+#. Description
1239+#: ../openssh-server.templates:3001
1240+msgid ""
1241+"Because a failure to start ssh may make it impossible to admininister a "
1242+"system, you will not be migrated to socket-based activation at this time."
1243+msgstr ""
1244diff --git a/debian/po/es.po b/debian/po/es.po
1245index de8a67a..14550d6 100644
1246--- a/debian/po/es.po
1247+++ b/debian/po/es.po
1248@@ -28,7 +28,7 @@ msgid ""
1249 msgstr ""
1250 "Project-Id-Version: openssh\n"
1251 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1252-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1253+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1254 "PO-Revision-Date: 2014-03-23 20:43-0300\n"
1255 "Last-Translator: Matías Bellone <matiasbellone+debian@gmail.com>\n"
1256 "Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n"
1257@@ -78,3 +78,28 @@ msgstr ""
1258 "configuración permite que el usuario root inicie sesión a través de SSH "
1259 "utilizando una contraseña. Sólo debería realizar este cambio si no necesita "
1260 "este comportamiento."
1261+
1262+#. Type: error
1263+#. Description
1264+#: ../openssh-server.templates:3001
1265+msgid "Not migrating to socket activation"
1266+msgstr ""
1267+
1268+#. Type: error
1269+#. Description
1270+#: ../openssh-server.templates:3001
1271+msgid ""
1272+"This version of openssh-server uses socket-based activation by default. "
1273+"However, because you have more than one ListenAddress configured in "
1274+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1275+"to socket-based activation would cause the starting of sshd at boot to be "
1276+"unreliable."
1277+msgstr ""
1278+
1279+#. Type: error
1280+#. Description
1281+#: ../openssh-server.templates:3001
1282+msgid ""
1283+"Because a failure to start ssh may make it impossible to admininister a "
1284+"system, you will not be migrated to socket-based activation at this time."
1285+msgstr ""
1286diff --git a/debian/po/fr.po b/debian/po/fr.po
1287index f7125e9..7d7093b 100644
1288--- a/debian/po/fr.po
1289+++ b/debian/po/fr.po
1290@@ -7,7 +7,7 @@ msgid ""
1291 msgstr ""
1292 "Project-Id-Version: openssh_1:6.5p1-6\n"
1293 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1294-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1295+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1296 "PO-Revision-Date: 2014-03-22 08:26+0100\n"
1297 "Last-Translator: Étienne Gilli <etienne.gilli@gmail.com>\n"
1298 "Language-Team: French <debian-l10n-french@lists.debian.org>\n"
1299@@ -57,3 +57,28 @@ msgstr ""
1300 "inutilisables les systèmes reposant sur la possibilité de se connecter au "
1301 "compte « root » par SSH avec authentification par mot de passe. Vous ne "
1302 "devriez appliquer cette modification que si ce n’est pas votre cas."
1303+
1304+#. Type: error
1305+#. Description
1306+#: ../openssh-server.templates:3001
1307+msgid "Not migrating to socket activation"
1308+msgstr ""
1309+
1310+#. Type: error
1311+#. Description
1312+#: ../openssh-server.templates:3001
1313+msgid ""
1314+"This version of openssh-server uses socket-based activation by default. "
1315+"However, because you have more than one ListenAddress configured in "
1316+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1317+"to socket-based activation would cause the starting of sshd at boot to be "
1318+"unreliable."
1319+msgstr ""
1320+
1321+#. Type: error
1322+#. Description
1323+#: ../openssh-server.templates:3001
1324+msgid ""
1325+"Because a failure to start ssh may make it impossible to admininister a "
1326+"system, you will not be migrated to socket-based activation at this time."
1327+msgstr ""
1328diff --git a/debian/po/it.po b/debian/po/it.po
1329index dd71060..5390795 100644
1330--- a/debian/po/it.po
1331+++ b/debian/po/it.po
1332@@ -6,7 +6,7 @@ msgid ""
1333 msgstr ""
1334 "Project-Id-Version: openssh\n"
1335 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1336-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1337+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1338 "PO-Revision-Date: 2014-03-28 11:12+0200\n"
1339 "Last-Translator: Beatrice Torracca <beatricet@libero.it>\n"
1340 "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
1341@@ -56,3 +56,28 @@ msgstr ""
1342 "impostati facendo affidamento sulla possibilità di autenticazione SSH come "
1343 "root usando la password. Si dovrebbe fare questo cambiamento solo se non si "
1344 "ha bisogno di tale comportamento."
1345+
1346+#. Type: error
1347+#. Description
1348+#: ../openssh-server.templates:3001
1349+msgid "Not migrating to socket activation"
1350+msgstr ""
1351+
1352+#. Type: error
1353+#. Description
1354+#: ../openssh-server.templates:3001
1355+msgid ""
1356+"This version of openssh-server uses socket-based activation by default. "
1357+"However, because you have more than one ListenAddress configured in "
1358+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1359+"to socket-based activation would cause the starting of sshd at boot to be "
1360+"unreliable."
1361+msgstr ""
1362+
1363+#. Type: error
1364+#. Description
1365+#: ../openssh-server.templates:3001
1366+msgid ""
1367+"Because a failure to start ssh may make it impossible to admininister a "
1368+"system, you will not be migrated to socket-based activation at this time."
1369+msgstr ""
1370diff --git a/debian/po/ja.po b/debian/po/ja.po
1371index db382f1..b48d281 100644
1372--- a/debian/po/ja.po
1373+++ b/debian/po/ja.po
1374@@ -7,7 +7,7 @@ msgid ""
1375 msgstr ""
1376 "Project-Id-Version: openssh\n"
1377 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1378-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1379+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1380 "PO-Revision-Date: 2014-03-20 11:06+0900\n"
1381 "Last-Translator: victory <victory.deb@gmail.com>\n"
1382 "Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
1383@@ -53,3 +53,28 @@ msgstr ""
1384 "ます。しかしパスワード認証により root で SSH 接続できることを前提として構成し"
1385 "たシステムでは問題が発生する可能性があります。そういった必要のない場合にのみ"
1386 "この変更を行うようにしてください。"
1387+
1388+#. Type: error
1389+#. Description
1390+#: ../openssh-server.templates:3001
1391+msgid "Not migrating to socket activation"
1392+msgstr ""
1393+
1394+#. Type: error
1395+#. Description
1396+#: ../openssh-server.templates:3001
1397+msgid ""
1398+"This version of openssh-server uses socket-based activation by default. "
1399+"However, because you have more than one ListenAddress configured in "
1400+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1401+"to socket-based activation would cause the starting of sshd at boot to be "
1402+"unreliable."
1403+msgstr ""
1404+
1405+#. Type: error
1406+#. Description
1407+#: ../openssh-server.templates:3001
1408+msgid ""
1409+"Because a failure to start ssh may make it impossible to admininister a "
1410+"system, you will not be migrated to socket-based activation at this time."
1411+msgstr ""
1412diff --git a/debian/po/nl.po b/debian/po/nl.po
1413index 3afd617..eca9662 100644
1414--- a/debian/po/nl.po
1415+++ b/debian/po/nl.po
1416@@ -7,7 +7,7 @@ msgid ""
1417 msgstr ""
1418 "Project-Id-Version: openssh\n"
1419 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1420-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1421+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1422 "PO-Revision-Date: 2014-10-03 23:54+0200\n"
1423 "Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
1424 "Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
1425@@ -58,3 +58,28 @@ msgstr ""
1426 "ingesteld werden vanuit de verwachting dat de systeembeheerder SSH kan "
1427 "gebruiken met authenticatie via wachtwoord. Enkel wanneer u dit laatste niet "
1428 "nodig heeft, zou u deze wijziging kunnen doorvoeren."
1429+
1430+#. Type: error
1431+#. Description
1432+#: ../openssh-server.templates:3001
1433+msgid "Not migrating to socket activation"
1434+msgstr ""
1435+
1436+#. Type: error
1437+#. Description
1438+#: ../openssh-server.templates:3001
1439+msgid ""
1440+"This version of openssh-server uses socket-based activation by default. "
1441+"However, because you have more than one ListenAddress configured in "
1442+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1443+"to socket-based activation would cause the starting of sshd at boot to be "
1444+"unreliable."
1445+msgstr ""
1446+
1447+#. Type: error
1448+#. Description
1449+#: ../openssh-server.templates:3001
1450+msgid ""
1451+"Because a failure to start ssh may make it impossible to admininister a "
1452+"system, you will not be migrated to socket-based activation at this time."
1453+msgstr ""
1454diff --git a/debian/po/pt.po b/debian/po/pt.po
1455index 2dab84c..8f51af9 100644
1456--- a/debian/po/pt.po
1457+++ b/debian/po/pt.po
1458@@ -7,7 +7,7 @@ msgid ""
1459 msgstr ""
1460 "Project-Id-Version: openssh 1:6.6p1-1\n"
1461 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1462-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1463+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1464 "PO-Revision-Date: 2014-03-21 21:13+0000\n"
1465 "Last-Translator: Américo Monteiro <a_monteiro@gmx.com>\n"
1466 "Language-Team: Portuguese <traduz@debianpt.org>\n"
1467@@ -57,3 +57,28 @@ msgstr ""
1468 "configurados com a expectativa de serem capazes de SSH como root usando "
1469 "autenticação por palavra-passe. Apenas deverá fazer esta alteração se não "
1470 "precisa de tal método de autenticação."
1471+
1472+#. Type: error
1473+#. Description
1474+#: ../openssh-server.templates:3001
1475+msgid "Not migrating to socket activation"
1476+msgstr ""
1477+
1478+#. Type: error
1479+#. Description
1480+#: ../openssh-server.templates:3001
1481+msgid ""
1482+"This version of openssh-server uses socket-based activation by default. "
1483+"However, because you have more than one ListenAddress configured in "
1484+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1485+"to socket-based activation would cause the starting of sshd at boot to be "
1486+"unreliable."
1487+msgstr ""
1488+
1489+#. Type: error
1490+#. Description
1491+#: ../openssh-server.templates:3001
1492+msgid ""
1493+"Because a failure to start ssh may make it impossible to admininister a "
1494+"system, you will not be migrated to socket-based activation at this time."
1495+msgstr ""
1496diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po
1497index 99b1182..98856bb 100644
1498--- a/debian/po/pt_BR.po
1499+++ b/debian/po/pt_BR.po
1500@@ -8,7 +8,7 @@ msgid ""
1501 msgstr ""
1502 "Project-Id-Version: openssh\n"
1503 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1504-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1505+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1506 "PO-Revision-Date: 2014-11-23 23:49-0200\n"
1507 "Last-Translator: José de Figueiredo <deb.gnulinux@gmail.com>\n"
1508 "Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
1509@@ -55,3 +55,28 @@ msgstr ""
1510 "Entretanto, ela pode quebrar sistemas que foram configurados com a "
1511 "expectativa de acesso SSH com root usando autenticação por senha. Você deve "
1512 "fazer esta mudança somente se você não precisa fazer isso."
1513+
1514+#. Type: error
1515+#. Description
1516+#: ../openssh-server.templates:3001
1517+msgid "Not migrating to socket activation"
1518+msgstr ""
1519+
1520+#. Type: error
1521+#. Description
1522+#: ../openssh-server.templates:3001
1523+msgid ""
1524+"This version of openssh-server uses socket-based activation by default. "
1525+"However, because you have more than one ListenAddress configured in "
1526+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1527+"to socket-based activation would cause the starting of sshd at boot to be "
1528+"unreliable."
1529+msgstr ""
1530+
1531+#. Type: error
1532+#. Description
1533+#: ../openssh-server.templates:3001
1534+msgid ""
1535+"Because a failure to start ssh may make it impossible to admininister a "
1536+"system, you will not be migrated to socket-based activation at this time."
1537+msgstr ""
1538diff --git a/debian/po/ru.po b/debian/po/ru.po
1539index f2e1daf..3fa193c 100644
1540--- a/debian/po/ru.po
1541+++ b/debian/po/ru.po
1542@@ -6,7 +6,7 @@ msgid ""
1543 msgstr ""
1544 "Project-Id-Version: openssh 1:6.6p1-1\n"
1545 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1546-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1547+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1548 "PO-Revision-Date: 2014-03-22 10:04+0400\n"
1549 "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
1550 "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
1551@@ -14,8 +14,8 @@ msgstr ""
1552 "MIME-Version: 1.0\n"
1553 "Content-Type: text/plain; charset=UTF-8\n"
1554 "Content-Transfer-Encoding: 8bit\n"
1555-"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
1556-"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
1557+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
1558+"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
1559 "X-Generator: Lokalize 1.4\n"
1560
1561 #. Type: boolean
1562@@ -55,3 +55,28 @@ msgstr ""
1563 "атак). Однако, это вредит системам, в которых специально настроен вход для "
1564 "root по SSH с парольной аутентификацией. Если это не ваш случай, то ответьте "
1565 "утвердительно."
1566+
1567+#. Type: error
1568+#. Description
1569+#: ../openssh-server.templates:3001
1570+msgid "Not migrating to socket activation"
1571+msgstr ""
1572+
1573+#. Type: error
1574+#. Description
1575+#: ../openssh-server.templates:3001
1576+msgid ""
1577+"This version of openssh-server uses socket-based activation by default. "
1578+"However, because you have more than one ListenAddress configured in "
1579+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1580+"to socket-based activation would cause the starting of sshd at boot to be "
1581+"unreliable."
1582+msgstr ""
1583+
1584+#. Type: error
1585+#. Description
1586+#: ../openssh-server.templates:3001
1587+msgid ""
1588+"Because a failure to start ssh may make it impossible to admininister a "
1589+"system, you will not be migrated to socket-based activation at this time."
1590+msgstr ""
1591diff --git a/debian/po/sv.po b/debian/po/sv.po
1592index 278b0cc..296e611 100644
1593--- a/debian/po/sv.po
1594+++ b/debian/po/sv.po
1595@@ -8,7 +8,7 @@ msgid ""
1596 msgstr ""
1597 "Project-Id-Version: openssh\n"
1598 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1599-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1600+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1601 "PO-Revision-Date: 2014-03-21 21:36+0100\n"
1602 "Last-Translator: Andreas Rönnquist <gusnan@gusnan.se>\n"
1603 "Language-Team: Swedish\n"
1604@@ -56,3 +56,28 @@ msgstr ""
1605 "sådana angrepp). Dock så kan detta förstöra system som förväntas kunna "
1606 "använda SSH som root med hjälp av lösenordsautentisering. Du skall endast "
1607 "göra denna förändring om du inte har ett behov av att kunna göra detta."
1608+
1609+#. Type: error
1610+#. Description
1611+#: ../openssh-server.templates:3001
1612+msgid "Not migrating to socket activation"
1613+msgstr ""
1614+
1615+#. Type: error
1616+#. Description
1617+#: ../openssh-server.templates:3001
1618+msgid ""
1619+"This version of openssh-server uses socket-based activation by default. "
1620+"However, because you have more than one ListenAddress configured in "
1621+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1622+"to socket-based activation would cause the starting of sshd at boot to be "
1623+"unreliable."
1624+msgstr ""
1625+
1626+#. Type: error
1627+#. Description
1628+#: ../openssh-server.templates:3001
1629+msgid ""
1630+"Because a failure to start ssh may make it impossible to admininister a "
1631+"system, you will not be migrated to socket-based activation at this time."
1632+msgstr ""
1633diff --git a/debian/po/templates.pot b/debian/po/templates.pot
1634index 47c9e36..c9dc5ba 100644
1635--- a/debian/po/templates.pot
1636+++ b/debian/po/templates.pot
1637@@ -1,6 +1,6 @@
1638 # SOME DESCRIPTIVE TITLE.
1639 # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
1640-# This file is distributed under the same license as the PACKAGE package.
1641+# This file is distributed under the same license as the openssh package.
1642 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
1643 #
1644 #, fuzzy
1645@@ -8,7 +8,7 @@ msgid ""
1646 msgstr ""
1647 "Project-Id-Version: openssh\n"
1648 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1649-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1650+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1651 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
1652 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1653 "Language-Team: LANGUAGE <LL@li.org>\n"
1654@@ -44,3 +44,28 @@ msgid ""
1655 "able to SSH as root using password authentication. You should only make this "
1656 "change if you do not need to do that."
1657 msgstr ""
1658+
1659+#. Type: error
1660+#. Description
1661+#: ../openssh-server.templates:3001
1662+msgid "Not migrating to socket activation"
1663+msgstr ""
1664+
1665+#. Type: error
1666+#. Description
1667+#: ../openssh-server.templates:3001
1668+msgid ""
1669+"This version of openssh-server uses socket-based activation by default. "
1670+"However, because you have more than one ListenAddress configured in "
1671+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1672+"to socket-based activation would cause the starting of sshd at boot to be "
1673+"unreliable."
1674+msgstr ""
1675+
1676+#. Type: error
1677+#. Description
1678+#: ../openssh-server.templates:3001
1679+msgid ""
1680+"Because a failure to start ssh may make it impossible to admininister a "
1681+"system, you will not be migrated to socket-based activation at this time."
1682+msgstr ""
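Review bot: "admininister" in the last msgid of this hunk is a misspelling of "administer", and because it sits in the msgid it is repeated in every debian/po/*.po hunk of this diff. Correct it in debian/openssh-server.templates and regenerate the .pot and .po files, preferably before translators pick the string up, since changing a msgid later leaves any existing translations needing review.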
1683diff --git a/debian/po/tr.po b/debian/po/tr.po
1684index 1ada041..fd6bde5 100644
1685--- a/debian/po/tr.po
1686+++ b/debian/po/tr.po
1687@@ -7,15 +7,15 @@ msgid ""
1688 msgstr ""
1689 "Project-Id-Version: openssh-server\n"
1690 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1691-"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1692+"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1693 "PO-Revision-Date: 2014-08-01 14:44+0200\n"
1694 "Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
1695 "Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
1696+"Language: tr\n"
1697 "MIME-Version: 1.0\n"
1698 "Content-Type: text/plain; charset=UTF-8\n"
1699 "Content-Transfer-Encoding: 8bit\n"
1700 "X-Generator: Poedit 1.5.4\n"
1701-"Language: tr\n"
1702
1703 #. Type: boolean
1704 #. Description
1705@@ -56,3 +56,28 @@ msgstr ""
1706 "parola doğrulama yöntemiyle oturum açılabileceği varsayımıyla hareket eden "
1707 "sistemlerde eskiden çalışan düzenin bozulmasına sebep olacaktır. Bu "
1708 "değişikliği yalnızca sorun çıkarmayacağından eminseniz yapın."
1709+
1710+#. Type: error
1711+#. Description
1712+#: ../openssh-server.templates:3001
1713+msgid "Not migrating to socket activation"
1714+msgstr ""
1715+
1716+#. Type: error
1717+#. Description
1718+#: ../openssh-server.templates:3001
1719+msgid ""
1720+"This version of openssh-server uses socket-based activation by default. "
1721+"However, because you have more than one ListenAddress configured in "
1722+"sshd_config, it is impossible to determine at upgrade time if migrating you "
1723+"to socket-based activation would cause the starting of sshd at boot to be "
1724+"unreliable."
1725+msgstr ""
1726+
1727+#. Type: error
1728+#. Description
1729+#: ../openssh-server.templates:3001
1730+msgid ""
1731+"Because a failure to start ssh may make it impossible to admininister a "
1732+"system, you will not be migrated to socket-based activation at this time."
1733+msgstr ""
1734diff --git a/debian/rules b/debian/rules
1735index c921ece..dff4713 100755
1736--- a/debian/rules
1737+++ b/debian/rules
1738@@ -189,8 +189,8 @@ override_dh_installinit:
1739 dh_installinit -R --name ssh
1740
1741 override_dh_installsystemd:
1742- dh_installsystemd -popenssh-server ssh.service
1743- dh_installsystemd -popenssh-server --no-enable ssh.socket
1744+ dh_installsystemd -popenssh-server --no-start ssh.socket
1745+ dh_installsystemd -popenssh-server --no-enable --no-start ssh.service
1746 dh_installsystemd -popenssh-server --no-start rescue-ssh.target
1747
1748 debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
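Review bot: Both ssh.socket and ssh.service are now installed with --no-start, and ssh.service additionally with --no-enable, so nothing generated from override_dh_installsystemd starts or restarts sshd on install or upgrade. Add a short comment above these lines saying where the start now happens (debian/openssh-server.postinst is changed in this merge), so the next person to touch debian/rules does not read it as an oversight and restore the old flags.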
1749diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service
1750index 7495d9a..a18105b 100644
1751--- a/debian/systemd/ssh.service
1752+++ b/debian/systemd/ssh.service
1753@@ -14,8 +14,6 @@ KillMode=process
1754 Restart=on-failure
1755 RestartPreventExitStatus=255
1756 Type=notify
1757-RuntimeDirectory=sshd
1758-RuntimeDirectoryMode=0755
1759
1760 [Install]
1761 WantedBy=multi-user.target
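Review bot: With "RuntimeDirectory=sshd" and "RuntimeDirectoryMode=0755" removed, this unit no longer creates /run/sshd when it starts, so sshd depends on that directory being provided elsewhere. The merge adds two lines to debian/openssh-server.tmpfile, which is presumably the replacement; say so in the changelog entry for this change, and confirm the directory exists the first time the service is socket-activated after boot.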
1762diff --git a/debian/tests/control b/debian/tests/control
1763index 22d443d..adef04c 100644
1764--- a/debian/tests/control
1765+++ b/debian/tests/control
1766@@ -9,3 +9,9 @@ Depends: devscripts,
1767 python3-twisted,
1768 sudo,
1769 sysvinit-utils,
1770+
1771+Tests: systemd-socket-activation
1772+Restrictions: needs-root allow-stderr
1773+Depends: openssh-client,
1774+ openssh-server,
1775+ systemd,
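Review bot: The new stanza declares only "needs-root allow-stderr", but the test it names stops ssh.service, appends to ~/.ssh/authorized_keys and rewrites SSHD_OPTS in /etc/default/ssh without restoring any of it. Add breaks-testbed, and isolation-container since the test manages systemd units and connects to a local port, so the runner does not reuse the testbed afterwards or schedule the test where services cannot be started.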
1776diff --git a/debian/tests/systemd-socket-activation b/debian/tests/systemd-socket-activation
1777new file mode 100644
1778index 0000000..42d4526
1779--- /dev/null
1780+++ b/debian/tests/systemd-socket-activation
1781@@ -0,0 +1,57 @@
1782+#!/bin/bash
1783+
1784+set -euo pipefail
1785+
1786+assert_unit_property() {
1787+ local property="$(echo "$2" | awk -F'=' '{print $1}')"
1788+
1789+ local expect="$2"
1790+ local actual="$(systemctl show -p "$property" "$1")"
1791+
1792+ if [[ "$actual" != "$expect" ]]; then
1793+ echo "Fail: $1: expected $expect, but got $actual"
1794+ return 1
1795+ fi
1796+}
1797+
1798+# Generate RSA key and add it to this user's authorized keys.
1799+ssh-keygen -t rsa -N "" -f "$HOME/.ssh/id_rsa" -q
1800+if [[ -f ~/.ssh/authorized_keys ]]; then
1801+ touch ~/.ssh/authorized_keys
1802+ chmod 0600 ~/.ssh/authorized_keys
1803+fi
1804+cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
1805+
1806+# Make sure ssh.service is not running.
1807+echo "Stopping ssh.service..."
1808+systemctl stop ssh.service 2>/dev/null
1809+
1810+# Check that ssh.socket is active and listening.
1811+echo "Checking that ssh.socket is active and listening..."
1812+assert_unit_property ssh.socket "ActiveState=active"
1813+assert_unit_property ssh.socket "SubState=listening"
1814+
1815+# Check that ssh.service is currently inactive/dead.
1816+echo "Checking that ssh.service is inactive/dead..."
1817+assert_unit_property ssh.service "ActiveState=inactive"
1818+assert_unit_property ssh.service "SubState=dead"
1819+
1820+# Check that a connection attempt successfully activates ssh.service.
1821+echo "Checking that a connection attempt activates ssh.service..."
1822+ssh -oStrictHostKeyChecking=no localhost -- /usr/bin/true
1823+assert_unit_property ssh.service "ActiveState=active"
1824+assert_unit_property ssh.service "SubState=running"
1825+
1826+# Check that we can re-execute sshd via systemctl reload.
1827+echo "Checking that sshd can be re-executed..."
1828+systemctl reload ssh.service
1829+assert_unit_property ssh.service "ActiveState=active"
1830+assert_unit_property ssh.service "SubState=running"
1831+
1832+# Check that we can run sshd in debug mode.
1833+echo "Checking sshd can run in debug mode..."
1834+systemctl stop ssh.service 2>/dev/null
1835+sed -i 's/^SSHD_OPTS=.*/SSHD_OPTS=-ddd/g' /etc/default/ssh
1836+ssh -oStrictHostKeyChecking=no localhost -- /usr/bin/true
1837+
1838+echo "Done."
