Ubuntu
openssh package

debian/README.Debian (+10/-17)
debian/changelog (+299/-0)
debian/control (+2/-1)
debian/openssh-server.postinst (+193/-6)
debian/openssh-server.postrm (+4/-0)
debian/openssh-server.templates (+12/-0)
debian/openssh-server.tmpfile (+2/-0)
debian/openssh-server.ucf-md5sum (+24/-0)
debian/patches/series (+2/-0)
debian/patches/socket-activation-documentation.patch (+50/-0)
debian/patches/systemd-socket-activation.patch (+141/-49)
debian/patches/test-set-UsePAM-no-on-some-tests.patch (+41/-0)
debian/po/cs.po (+26/-1)
debian/po/da.po (+26/-1)
debian/po/de.po (+26/-1)
debian/po/es.po (+26/-1)
debian/po/fr.po (+26/-1)
debian/po/it.po (+26/-1)
debian/po/ja.po (+26/-1)
debian/po/nl.po (+26/-1)
debian/po/pt.po (+26/-1)
debian/po/pt_BR.po (+26/-1)
debian/po/ru.po (+28/-3)
debian/po/sv.po (+26/-1)
debian/po/templates.pot (+27/-2)
debian/po/tr.po (+27/-2)
debian/rules (+2/-2)
debian/systemd/ssh.service (+0/-2)
debian/tests/control (+6/-0)
debian/tests/systemd-socket-activation (+57/-0)
dev/null (+0/-17)

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
git-ubuntu bot		Approve on 2024-01-30
Nick Rosbrook (community)		Approve on 2024-01-30
Ubuntu Sponsors	2024-01-24	Pending
Canonical Server Reporter	2024-01-24	Pending
Review via email: mp+459366@code.launchpad.net

Description of the change

Hi team,

PPA for this merge is (the builds are OK there for all archs):

ppa:mirespace/merge-openssh-9.6p1-3-noble-lp2040406
https://launchpad.net/~mirespace/+archive/ubuntu/merge-openssh-9.6p1-3-noble-lp2040406

Usual tags are there:

❯ git tag | grep mirespace
mirespace/logical/1%9.4p1-1ubuntu2
mirespace/new/debian
mirespace/old/debian
mirespace/old/ubuntu
mirespace/reconstruct/1%9.4p1-1ubuntu2
mirespace/split/1%9.4p1-1ubuntu2

Test passed, except for i386 (but it has the same problem since focal):

* Results:
  - openssh/1:9.6p1-3ubuntu1
    + ✅ openssh on noble for amd64 @ 24.01.24 12:55:50 Log️ 🗒️
    + ✅ openssh on noble for amd64 @ 24.01.24 13:00:46 Log️ 🗒️
    + ✅ openssh on noble for amd64 @ 24.01.24 13:03:13 Log️ 🗒️
    + ✅ openssh on noble for arm64 @ 24.01.24 13:43:16 Log️ 🗒️
    + ✅ openssh on noble for arm64 @ 24.01.24 14:12:20 Log️ 🗒️
    + ✅ openssh on noble for armhf @ 24.01.24 13:08:54 Log️ 🗒️
    + ❌ openssh on noble for i386 @ 24.01.24 12:38:10 Log️ 🗒️
      • regress FAIL 🟥
      • systemd-socket-activation PASS 🟩
    + ❌ openssh on noble for i386 @ 24.01.24 12:41:43 Log️ 🗒️
      • regress FAIL 🟥
      • systemd-socket-activation PASS 🟩
    + ✅ openssh on noble for ppc64el @ 24.01.24 12:48:35 Log️ 🗒️
    + ✅ openssh on noble for s390x @ 24.01.24 12:54:23 Log️ 🗒️
* Running: (none)

https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-merge-openssh-9.6p1-3-noble-lp2040406/?format=plain

Upgrade from previous package well went too:

root@Nopenssh-merge:~# apt list --upgradable
Listing... Done
openssh-client/noble 1:9.6p1-3ubuntu1 amd64 [upgradable from: 1:9.4p1-1ubuntu1]
openssh-server/noble 1:9.6p1-3ubuntu1 amd64 [upgradable from: 1:9.4p1-1ubuntu1]
openssh-sftp-server/noble 1:9.6p1-3ubuntu1 amd64 [upgradable from: 1:9.4p1-1ubuntu1]

root@Nopenssh-merge:~# dpkg -l | grep openssh
ii openssh-client 1:9.6p1-3ubuntu1 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:9.6p1-3ubuntu1 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:9.6p1-3ubuntu1 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
root@Nopenssh-merge:~#

and ssh.server status is the same that in previus package version:

root@Nopenssh-merge:~# systemctl status ssh.service
○ ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
     Active: inactive (dead)
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)

Regarding to this, I have doubts about the change in d/rules, in override_dh_installsystemd, about shh.socket activation for the openssh-server unit service: we have two commits that touch this (and conflicts), one from upstream:

https://salsa.debian.org/ssh-team/openssh/-/commit/da06b7ef32c20de4dd18cd578025d96a9221984b

and one from us:

https://git.launchpad.net/ubuntu/+source/openssh/commit/debian/rules?h=ubuntu/noble-devel&id=693deb935fd5042bbde98d6ee9344f4800612eef

Upstream commit fix LP: #2047082 and I didn’t find a clear motivation for our commit between our bugs, except this discussion:

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1991592

I finally decided to take upstream changes, but this is open for discussion and redone if necessary.

About other bugs that can be fixed with this merge, we have a fix from upstream with this merge for bug 2047082 and bug 2049552. As a low priority bug, maybe the bug 2037703 can be considered to be included here, adding the info in the README.Debian file.

P.S. I'm uploading the packages again for some cosmetic changes in the changelog.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2024-01-24:

We switched to socket-based activation in kinetic, as documented in README.Debian. I believe you're now switching back to service-based activation, which we definitely shoudn't do without discussion (and also without changing the README.Debian and other documentation to accurately reflect the default).

Revision history for this message

Miriam España Acebal (mirespace) wrote on 2024-01-24:

Hi Marc,

Thanks for the clarification. My intention in opening the MP was precisely this. I looked for the changelog entry for that commit change [1], which is

- debian/rules: modify dh_installsystemd invocations for
socket-activated sshd.

and I found it since Mantic.

Looking for other related commits changes, I saw the one [2] for README.Debian that states "By default, socket-based activation is used on systems that use systemd." and clarify how to disable it, that correspond to the entry changelog

* debian/README.Debian: document systemd socket activation.

and that one is from Kinetic, yes... so I wasn't sure if the latest change [1] was a modification/improvement/fix/other reason over the socket-based activation.

I will revisit both conflict commits ([1] and [3]) again.

[1] https://git.launchpad.net/ubuntu/+source/openssh/commit/debian/rules?h=ubuntu/noble-devel&id=693deb935fd5042bbde98d6ee9344f4800612eef
[2] https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=ubuntu/noble-devel&id=4c439a9749b427e9dfa8a0f02579b1764550300a
[3] https://salsa.debian.org/ssh-team/openssh/-/commit/da06b7ef32c20de4dd18cd578025d96a9221984b

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2024-01-25:

This is where it was switched to socket-based activation:

openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium

  * debian/patches/systemd-socket-activation.patch: support systemd
    socket activation.
  * debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
    activation by default.
  * debian/rules: rejigger dh_installsystemd invocations so ssh.service and
    ssh.socket don't fight.
  * debian/openssh-server.postinst: handle migration of sshd_config options
    to systemd socket options on upgrade.
  * debian/README.Debian: document systemd socket activation.
  * debian/patches/socket-activation-documentation.patch: Document in
    sshd_config(5) that ListenAddress and Port no longer work.
  * debian/openssh-server.templates, debian/openssh-server.postinst: include
    debconf warning about possible service failure with multiple
    ListenAddress settings.

-- Steve Langasek <email address hidden> Fri, 19 Aug 2022 20:43:16 +0000

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2024-01-25:

This change needs to be restored:

- debian/rules: modify dh_installsystemd invocations for
socket-activated sshd.

The conflict with the upstream change is actually very straight forward; just take their invocations for rescue-ssh.target, and keeps ours for ssh.{service,socket}. I.e., our delta with Debian against debian/rules would now look like:

diff --git a/debian/rules b/debian/rules
index c921ece2..dff47135 100755
--- a/debian/rules
+++ b/debian/rules
@@ -189,8 +189,8 @@ override_dh_installinit:
dh_installinit -R --name ssh

override_dh_installsystemd:
- dh_installsystemd -popenssh-server ssh.service
- dh_installsystemd -popenssh-server --no-enable ssh.socket
+ dh_installsystemd -popenssh-server --no-start ssh.socket
+ dh_installsystemd -popenssh-server --no-enable --no-start ssh.service
dh_installsystemd -popenssh-server --no-start rescue-ssh.target

debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in

review: Needs Fixing

Revision history for this message

Miriam España Acebal (mirespace) wrote on 2024-01-26:

Thanks Marc, Nick,

The commit's comment guided me and I didn't identify it elsewhere.

I made the change proposed in Nick's comment... I didn't realize the target units were different per change, and I thought it was a mixture that could impact behaviour and that's what I want to bring here to discussion/guidance (I'm sorry if my intention could be misinterpreted as a unilateral change of something)... that is what I understand an MP is for.

I've re-uploaded the package to the ppa. I'll trigger the tests when the packages are published.

Thanks to both of you again.

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2024-01-26:

I didn't take this as a unilateral change at all, and I agree the MP is an appropriate place to discuss this! I apologize if my review came across the wrong way.

However, the change still doesn't look quite right to me. Looking at your commits, I see changes to d/rules in 1faaf8b6aa and 46ad7bf628. And, the overall debian/rules diff between your branch and pkg/debian/sid shows that we did not keep Debian's rescue-ssh.target change:

nr@six:/t/t/openssh$ git diff pkg/debian/sid mirespace/merge-lp2040406-noble -- debian/rules
diff --git a/debian/rules b/debian/rules
index c921ece2..6b3b6ea5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -189,9 +189,9 @@ override_dh_installinit:
dh_installinit -R --name ssh

override_dh_installsystemd:
- dh_installsystemd -popenssh-server ssh.service
- dh_installsystemd -popenssh-server --no-enable ssh.socket
- dh_installsystemd -popenssh-server --no-start rescue-ssh.target
+ dh_installsystemd -popenssh-server --no-start ssh.socket
+ dh_installsystemd -popenssh-server --no-enable --no-start ssh.service
+ dh_installsystemd -popenssh-server rescue-ssh.target

debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
ifeq ($(DEB_HOST_ARCH_OS),linux)

review: Needs Fixing

~mirespace/ubuntu/+source/openssh:merge-lp2040406-noble updated on 2024-01-29

d3f7e60... by Miriam España Acebal on 2024-01-29: merge-changelogs
6937802... by Miriam España Acebal on 2024-01-29: reconstruct-changelog
8256039... by Miriam España Acebal on 2024-01-29: update-maintainer
2543615... by Miriam España Acebal on 2024-01-29: changelog 1:9.6p1-3ubuntu1

Revision history for this message

Miriam España Acebal (mirespace) wrote on 2024-01-29 (last edit on 2024-01-30):

Hi Nick,

All good... thanks a lot!

I've redone the merge (crossing fingers this time!) from the beginning. I checked the diff in debian/rules, and maybe this time, it is the correct one:

$ git diff debian/sid..merge-lp2040406-noble -- debian/rules

diff --git a/debian/rules b/debian/rules
index c921ece2..dff47135 100755
--- a/debian/rules
+++ b/debian/rules
@@ -189,8 +189,8 @@ override_dh_installinit:
dh_installinit -R --name ssh

debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in

Uploading to the PPA... I'll trigger the test once the package is published.

Thanks again for your review and your time on this.

Revision history for this message

Miriam España Acebal (mirespace) wrote on 2024-01-29:

Test passed (except the already known for i386):

+ ✅ openssh on noble for amd64 @ 29.01.24 19:15:24 Log️ 🗒️
    + ✅ openssh on noble for arm64 @ 29.01.24 20:21:00 Log️ 🗒️
    + ✅ openssh on noble for armhf @ 29.01.24 20:27:27 Log️ 🗒️
    + ❌ openssh on noble for i386 @ 29.01.24 19:16:35 Log️ 🗒️
      • regress FAIL 🟥
      • systemd-socket-activation PASS 🟩
    + ✅ openssh on noble for ppc64el @ 29.01.24 20:00:17 Log️ 🗒️
    + ✅ openssh on noble for s390x @ 29.01.24 20:05:43 Log️ 🗒️

https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-merge-openssh-9.6p1-3-noble-lp2040406/

i.e.: noble/<arch>/o/openssh/20240129_*@/log.gz

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2024-01-30:

Thanks, Miriam! LGTM. Uploading to noble.

review: Approve

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2024-01-30:

Approvers: enr0n, mirespace
Uploaders: enr0n
MP auto-approved

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Miriam España Acebal

git-ubuntu developers

 diff --git a/debian/.gitignore b/debian/.gitignore
 deleted file mode 100644
 index 988323b..0000000
 --- a/debian/.gitignore
 +++ /dev/null
@@ -1,17 +0,0 @@
--/*.debhelper*
--/*substvars
--/build-deb
--/build-udeb
--/files
--/keygen-test/key1
--/keygen-test/key1.pub
--/keygen-test/key2
--/keygen-test/key2.pub
--/openssh-client
--/openssh-client-udeb
--/openssh-server
--/openssh-server-udeb
--/ssh
--/ssh-askpass-gnome
--/ssh-krb5
--/tmp
 diff --git a/debian/README.Debian b/debian/README.Debian
 index 6aab9cb..8067852 100644
 --- a/debian/README.Debian
 +++ b/debian/README.Debian
@@ -184,23 +184,7 @@ this sshd manually on upgrades.
  Socket-based activation with systemd
  ------------------------------------
--If you want to reconfigure systemd to listen on port 22 itself and launch
--sshd on connection (systemd-style socket activation), then you can run:
--
--  systemctl disable --now ssh.service
--  systemctl start ssh.socket
--
--To roll back this change, run:
--
--  systemctl stop ssh.socket
--  systemctl enable --now ssh.service
--
--Or if you want to make this change permanent:
--
--  systemctl enable ssh.socket
--
--This may be appropriate in environments where minimal footprint is critical
--(e.g. cloud guests).
++By default, socket-based activation is used on systems that use systemd.
  The provided ssh.socket unit file sets ListenStream=22.  If you need to have
  it listen on a different address or port, then you will need to do this as
@@ -216,6 +200,15 @@ follows (modifying ListenStream to match your requirements):
  See systemd.socket(5) for details.
++If you do not want to use socket activation for ssh on your system, you
++can disable socket activation by running:
++
++  systemctl disable --now ssh.socket
++  rm -f /etc/systemd/system/ssh.service.d/00-socket.conf
++  rm -f /etc/systemd/system/ssh.socket.d/addresses.conf
++  systemctl daemon-reload
++  systemctl enable --now ssh.service
++
  Terminating SSH sessions cleanly on shutdown/reboot with systemd
  ----------------------------------------------------------------
 diff --git a/debian/changelog b/debian/changelog
 index b547ae8..8f84740 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,36 @@
++openssh (1:9.6p1-3ubuntu1) noble; urgency=medium
++
++  * Merge with Debian unstable (LP: #2040406). Remaining changes:
++    - debian/rules: modify dh_installsystemd invocations for
++      socket-activated sshd.
++    - debian/openssh-server.postinst: handle migration of sshd_config
++      options to systemd socket options on upgrade.
++    - debian/README.Debian: document systemd socket activation.
++    - debian/patches/socket-activation-documentation.patch: Document
++      in sshd_config(5) that ListenAddress and Port no longer work.
++    - debian/openssh-server.templates: include debconf prompt
++      explaining when migration cannot happen due to multiple
++      ListenAddress values.
++    - debian/.gitignore: drop file.
++    - debian/openssh-server.postrm: remove systemd drop-ins for
++      socket-activated sshd on purge.
++    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
++    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
++      /run/sshd creation out of the systemd unit to a tmpfile config
++      so that sshd can be run manually if necessary without having to
++      create this directory by hand.
++    - debian/patches/systemd-socket-activation.patch: Fix sshd
++      re-execution behavior when socket activation is used.
++    - debian/tests/systemd-socket-activation: Add autopkgtest
++      for systemd socket activation functionality.
++    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
++      for some tests.
++  * Dropped changes, fixed upstream:
++    - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3
++      (LP #2049552)
++
++ -- Miriam España Acebal <miriam.espana@canonical.com>  Mon, 29 Jan 2024 11:16:31 +0100
++
  openssh (1:9.6p1-3) unstable; urgency=medium
    * Allow passing extra ssh-agent arguments via
@@ -148,6 +181,59 @@ openssh (1:9.5p1-1) experimental; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Thu, 23 Nov 2023 17:38:07 +0000
++openssh (1:9.4p1-1ubuntu2) noble; urgency=medium
++
++  * d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using
++    zlib 1.3 (LP: #2049552).
++
++ -- Miriam España Acebal <miriam.espana@canonical.com>  Wed, 17 Jan 2024 20:00:55 +0100
++
++openssh (1:9.4p1-1ubuntu1) noble; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/rules: modify dh_installsystemd invocations for
++      socket-activated sshd
++    - debian/openssh-server.postinst: handle migration of sshd_config options
++      to systemd socket options on upgrade.
++    - debian/README.Debian: document systemd socket activation.
++    - debian/patches/socket-activation-documentation.patch: Document in
++      sshd_config(5) that ListenAddress and Port no longer work.
++    - debian/openssh-server.templates: include debconf prompt explaining
++      when migration cannot happen due to multiple ListenAddress values
++    - debian/.gitignore: drop file
++    - debian/openssh-server.postrm: remove systemd drop-ins for
++      socket-activated sshd on purge
++    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
++    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
++      /run/sshd creation out of the systemd unit to a tmpfile config so
++      that sshd can be run manually if necessary without having to create
++      this directory by hand.
++    - debian/patches/systemd-socket-activation.patch: Fix sshd
++      re-execution behavior when socket activation is used
++    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
++      activation functionality.
++    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
++  * Dropped changes, fixed upstream:
++    - d/p/fix-authorized-principals-command.patch: Fix the situation where
++      sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
++      is also set by checking if the value pointed to by the pointer
++      'charptr' is NULL.
++    - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
++      to load a PKCS#11 provider that isn't a PKCS#11 provider in
++      ssh-pkcs11.c.
++    - debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
++      FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
++    - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
++      contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
++  * Dropped changes, affected package versions not published in supported
++    releases:
++    - debian/openssh-server.postint: do not try to restart systemd units,
++      and instead indicate that a reboot is required
++    - debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
++    - debian/rules: Do not stop ssh.socket on upgrade
++
++ -- Nick Rosbrook <enr0n@ubuntu.com>  Mon, 13 Nov 2023 12:47:29 -0500
++
  openssh (1:9.4p1-1) unstable; urgency=medium
    * New upstream release (https://www.openssh.com/releasenotes.html#9.4p1):
@@ -236,6 +322,62 @@ openssh (1:9.3p2-1) unstable; urgency=high
   -- Colin Watson <cjwatson@debian.org>  Wed, 19 Jul 2023 22:49:14 +0100
++openssh (1:9.3p1-1ubuntu3) mantic; urgency=medium
++
++  * d/p/fix-authorized-principals-command.patch: Fix the situation where
++    sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
++    is also set by checking if the value pointed to by the pointer
++    'charptr' is NULL. (LP: #2031942)
++
++ -- Michal Maloszewski <michal.maloszewski@canonical.com>  Thu, 24 Aug 2023 15:20:27 +0200
++
++openssh (1:9.3p1-1ubuntu2) mantic; urgency=medium
++
++  * SECURITY UPDATE: remote code execution relating to PKCS#11 providers
++    - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
++      to load a PKCS#11 provider that isn't a PKCS#11 provider in
++      ssh-pkcs11.c.
++    - debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
++      FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
++    - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
++      contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
++    - CVE-2023-38408
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 24 Jul 2023 15:01:06 -0400
++
++openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2025664). Remaining changes:
++    - debian/rules: modify dh_installsystemd invocations for
++      socket-activated sshd
++    - debian/openssh-server.postinst: handle migration of sshd_config options
++      to systemd socket options on upgrade.
++    - debian/README.Debian: document systemd socket activation.
++    - debian/patches/socket-activation-documentation.patch: Document in
++      sshd_config(5) that ListenAddress and Port no longer work.
++    - debian/openssh-server.templates: include debconf prompt explaining
++      when migration cannot happen due to multiple ListenAddress values
++    - debian/.gitignore: drop file
++    - debian/openssh-server.postrm: remove systemd drop-ins for
++      socket-activated sshd on purge
++    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
++    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
++      /run/sshd creation out of the systemd unit to a tmpfile config so
++      that sshd can be run manually if necessary without having to create
++      this directory by hand.
++    - debian/patches/systemd-socket-activation.patch: Fix sshd
++      re-execution behavior when socket activation is used
++    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
++      activation functionality.
++    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
++    - Ensure smooth upgrade path from versions affected by LP: #2020474:
++      + debian/openssh-server.postint: do not try to restart systemd units,
++        and instead indicate that a reboot is required
++      + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
++      + debian/rules: Do not stop ssh.socket on upgrade
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Mon, 03 Jul 2023 11:34:47 -0400
++
  openssh (1:9.3p1-1) unstable; urgency=medium
    * Debconf translations:
@@ -293,6 +435,64 @@ openssh (1:9.3p1-1) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Tue, 20 Jun 2023 01:01:48 +0100
++openssh (1:9.2p1-2ubuntu3) mantic; urgency=medium
++
++  * Fix upgrade of openssh-server with active ssh session (LP: #2020474)
++    - debian/patches/systemd-socket-activation.patch:
++      + Do force closing of listen sockets in child process
++      + Set rexec_flag = 0 when sshd is socket-activated so that child process
++        does not re-exec
++    - debian/openssh-server.postint:
++      + When upgrading from affected versions of openssh, do not try to
++        restart systemd units, and instead indicate that a reboot is required
++    - debian/tests/systemd-socket-activation:
++      + Reboot the testbed before starting the test
++    - debian/rules:
++      + Do not stop ssh.socket on upgrade
++  * d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Wed, 24 May 2023 18:02:11 -0400
++
++openssh (1:9.2p1-2ubuntu2) mantic; urgency=medium
++
++  * debian/README.Debian: Fix path of addresses.conf drop-in
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Tue, 23 May 2023 10:50:35 -0400
++
++openssh (1:9.2p1-2ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2018094). Remaining changes:
++    - debian/rules: modify dh_installsystemd invocations for
++      socket-activated sshd
++    - debian/openssh-server.postinst: handle migration of sshd_config options
++      to systemd socket options on upgrade.
++    - debian/README.Debian: document systemd socket activation.
++    - debian/patches/socket-activation-documentation.patch: Document in
++      sshd_config(5) that ListenAddress and Port no longer work.
++    - debian/openssh-server.templates: include debconf prompt explaining
++      when migration cannot happen due to multiple ListenAddress values
++    - debian/.gitignore: drop file
++    - debian/openssh-server.postrm: remove systemd drop-ins for
++      socket-activated sshd on purge
++    - debian/openssh-server.ucf-md5sum: Update list of stock sshd_config
++      checksums to include those from jammy and kinetic.
++    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
++      /run/sshd creation out of the systemd unit to a tmpfile config so
++      that sshd can be run manually if necessary without having to create
++      this directory by hand.
++    - debian/patches/systemd-socket-activation.patch: Fix sshd
++      re-execution behavior when socket activation is used
++    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
++      activation functionality.
++  * Dropped changes, included in Debian:
++    - debian/patches/systemd-socket-activation.patch: Initial implementation
++  * New changes:
++    - debian/README.Debian: mention drop-in configurations in instructions
++      for disabling sshd socket activation (LP: #2017434).
++    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Fri, 19 May 2023 15:18:17 -0400
++
  openssh (1:9.2p1-2) unstable; urgency=medium
    * Fix mistakenly-unreleased entry for 1:9.2p1-1 in debian/NEWS.
@@ -544,6 +744,105 @@ openssh (1:9.1p1-1) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Mon, 14 Nov 2022 16:25:45 +0000
++openssh (1:9.0p1-1ubuntu8.1) lunar; urgency=medium
++
++  * debian/patches/systemd-socket-activation.patch: Fix re-execution behavior
++    (LP: #2011458):
++    - Remove FD_CLOEXEC on fds passed by systemd to prevent automatic closing
++      when sshd re-executes.
++    - Do not manually close fds passed by systemd when re-executing.
++    - Only call sd_listen_fds() once, and only in the parent process.
++    - Check the LISTEN_FDS environment variable to get the number of fds
++      passed by systemd when re-executing as a child process.
++  * debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
++    activation functionality.
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Fri, 31 Mar 2023 12:44:32 -0400
++
++openssh (1:9.0p1-1ubuntu8) lunar; urgency=medium
++
++  * debian/openssh-server.postinst: Fix handling of ListenAddress when a port
++    is specified (LP: #1993478):
++    - Strip port before converting hostnames to numerical addresses.
++    - Only append ports when the ListenAddress does not already specify a
++      port.
++    - Revert socket migration on upgrade if a previous version did the
++      migration when it should not have.
++  * debian/openssh-server.postinst: Ignore empty directory failure from rmdir
++    when skipping socket migration (LP: #1995294).
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Tue, 25 Oct 2022 11:57:43 -0400
++
++openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium
++
++  * Update list of stock sshd_config checksums to include those from
++    jammy and kinetic.
++  * Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
++    avoid spurious ucf prompts on upgrade.
++  * Move /run/sshd creation out of the systemd unit to a tmpfile config
++    so that sshd can be run manually if necessary without having to create
++    this directory by hand.  LP: #1991283.
++
++  [ Nick Rosbrook ]
++  * debian/openssh-server.postinst: Fix addresses.conf generation when only
++    non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).
++
++ -- Steve Langasek <vorlon@debian.org>  Mon, 26 Sep 2022 21:55:14 +0000
++
++openssh (1:9.0p1-1ubuntu6) kinetic; urgency=medium
++
++  * Fix syntax error in postinst :/
++
++ -- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:51:32 +0000
++
++openssh (1:9.0p1-1ubuntu5) kinetic; urgency=medium
++
++  * Correctly handle the case of new installs, and correctly apply systemd
++    unit overrides on upgrade from existing kinetic systems.
++
++ -- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:45:18 +0000
++
++openssh (1:9.0p1-1ubuntu4) kinetic; urgency=medium
++
++  * Don't migrate users to socket activation if multiple ListenAddresses
++    might make sshd unreliable on boot.
++  * Fix regexp bug that prevented proper migration of IPv6 address settings.
++
++ -- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:35:37 +0000
++
++openssh (1:9.0p1-1ubuntu3) kinetic; urgency=medium
++
++  * Document in the default sshd_config file the changes in behavior
++    triggered by use of socket-based activation.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 26 Aug 2022 00:40:11 +0000
++
++openssh (1:9.0p1-1ubuntu2) kinetic; urgency=medium
++
++  * Fix manpage to not claim socket-based activation is the default on
++    Debian!
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 26 Aug 2022 00:21:42 +0000
++
++openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium
++
++  * debian/patches/systemd-socket-activation.patch: support systemd
++    socket activation.
++  * debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
++    activation by default.
++  * debian/rules: rejigger dh_installsystemd invocations so ssh.service and
++    ssh.socket don't fight.
++  * debian/openssh-server.postinst: handle migration of sshd_config options
++    to systemd socket options on upgrade.
++  * debian/README.Debian: document systemd socket activation.
++  * debian/patches/socket-activation-documentation.patch: Document in
++    sshd_config(5) that ListenAddress and Port no longer work.
++  * debian/openssh-server.templates, debian/openssh-server.postinst: include
++    debconf warning about possible service failure with multiple
++    ListenAddress settings.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 19 Aug 2022 20:43:16 +0000
++
  openssh (1:9.0p1-1) unstable; urgency=medium
    * New upstream release (https://www.openssh.com/releasenotes.html#9.0p1):
 diff --git a/debian/control b/debian/control
 index b2dbb80..e93b516 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: openssh
  Section: net
  Priority: standard
--Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
  Build-Depends: debhelper (>= 13.1~),
                 debhelper-compat (= 13),
                 dh-exec,
 diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
 index 4114d35..cb9a301 100644
 --- a/debian/openssh-server.postinst
 +++ b/debian/openssh-server.postinst
@@ -17,6 +17,87 @@ get_config_option() {
  	/usr/sbin/sshd -G | sed -n "s/^$option //Ip"
+ }
++get_config_option_all() {
++	option="$1"
++	file="$2"
++
++	if [ -z "$file" ]; then
++		file=/etc/ssh/sshd_config
++	fi
++
++	[ -f "$file" ] || return 0
++	# ListenAddress and Port only take a single word argument so anything
++	# after this must be a comment
++	while read option2 value junk; do
++		case $option2 in
++			$option)
++				echo $value
++				;;
++			Include)
++				# globs
++				for f in $value; do
++					get_config_option_all "$option" "$f"
++				done
++				;;
++		esac
++	done < $file
++}
++
++hostnames_to_addresses() {
++	addresses="$1"
++	for address in $addresses; do
++		address_no_port="$(address_strip_port $address)"
++		if echo "$address_no_port" | grep -q '^[0-9a-f:]\+$\|^[0-9.]\+$'; then
++			numeric_addresses="$numeric_addresses $address"
++		else
++			new_addresses=$( (getent ahostsv4 $address_no_port;
++			                  getent ahostsv6 $address_no_port) \
++			   | awk '$1 ~ /^::ffff:/ || $2 != "STREAM" { next; }
++			          $1 ~ /:/ { print "[" $1 "]"; next; }
++			          { print $1 }' \
++			   | sort -u)
++			port="$(port_from_address $address)"
++			if [ -n "$port" ]; then
++				new_addresses="$(for addr in $new_addresses; do echo $addr:$port; done)"
++			fi
++			numeric_addresses="$numeric_addresses $new_addresses"
++		fi
++	done
++	echo "$numeric_addresses"
++}
++
++port_from_address() {
++        address="$1"
++        if echo $address | grep -q '^\[[0-9a-f:]*\]:'; then
++                # This is an IPv6 address with a port.
++                port="$(echo $address | awk -F':' '{print $NF}')"
++        elif echo $address | grep -q '^\[[0-9a-f:]*\]\+$\|^[0-9a-f:]\+$'; then
++                # This is an IPv6 address without a port.
++                port=""
++        else
++                # This is an IPv4 address or hostname, where the port
++                # may or may not be specified.
++                port="$(echo $address | awk -F':' '{print $2}')"
++        fi
++        echo "$port"
++}
++
++address_strip_port() {
++        address="$1"
++        if echo $address | grep -q '^\[[0-9a-f:]*\]\(:\|$\)'; then
++                # This is an IPv6 address in brackets, with or without a port.
++                address_no_port="$(echo $address | awk -F '[][]' '{print $2}')"
++        elif echo $address | grep -q '^[0-9a-f:]\+$'; then
++                # This is an IPv6 address with no brackets and no port.
++                address_no_port="$address"
++        else
++                # This is an IPv4 address or hostname, where the port
++                # may or may not be specified.
++                address_no_port="$(echo $address | awk -F':' '{print $1}')"
++        fi
++        echo "$address_no_port"
++}
++
  create_key() {
  	msg="$1"
@@ -54,15 +135,20 @@ create_keys() {
  new_config=
++workaround=
  cleanup() {
  	if [ "$new_config" ]; then
  		rm -f "$new_config"
  	fi
++	if [ "$workaround" ]; then
++		rm -f "$workaround"
++	fi
+ }
  create_sshdconfig() {
++	prev_ver="$1"
  	# XXX cjwatson 2016-12-24: This debconf template is very confusingly
  	# named; its description is "Disable SSH password authentication for
  	# root?", so true -> prohibit-password (the upstream default),
@@ -84,6 +170,21 @@ create_sshdconfig() {
  			"$new_config"
  	fi
  	mkdir -pZ /etc/ssh
++
++	# Workaround for LP: #1968873: if we have an sshd_config with a known
++	# checksum, confirm it via ucf before applying the changes from
++	# the new version.
++	if dpkg --compare-versions "$prev_ver" lt-nl 1:9.0p1-1ubuntu7 \
++	   && grep -q "^$(md5sum /etc/ssh/sshd_config | awk '{ print $1 }')" \
++	              /usr/share/openssh/sshd_config.md5sum
++	then
++		workaround="$(mktemp)"
++		sed -e'14,16d' "$new_config" > "$workaround"
++		ucf --three-way --debconf-ok \
++			--sum-file /usr/share/openssh/sshd_config.md5sum \
++			"$workaround" /etc/ssh/sshd_config
++	fi
++
  	ucf --three-way --debconf-ok \
  		--sum-file /usr/share/openssh/sshd_config.md5sum \
  		"$new_config" /etc/ssh/sshd_config
@@ -97,7 +198,7 @@ setup_sshd_user() {
+ }
  if [ "$action" = configure ]; then
--	create_sshdconfig
++	create_sshdconfig "$2"
  	create_keys
  	setup_sshd_user
  	if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
@@ -110,18 +211,104 @@ if [ "$action" = configure ]; then
  	    # which we now move back into place.
  	    mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
  	fi
--	if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
--	   deb-systemd-helper --quiet was-enabled ssh.socket && \
--	   [ -d /run/systemd/system ]
++	if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu8~
  	then
  		# migrate to systemd socket activation.
--		systemctl unmask ssh.service
--		systemctl disable ssh.service
++		addresses=$(get_config_option_all ListenAddress)
++		addresses=$(hostnames_to_addresses "$addresses")
++		ports=$(get_config_option_all Port)
++		if [ -n "$addresses$ports" ]
++		then
++			override_dir=/etc/systemd/system/ssh.socket.d
++			mkdir -p "$override_dir"
++			echo '[Socket]' > "$override_dir"/addresses.conf.new
++			echo 'ListenStream=' >> "$override_dir"/addresses.conf.new
++		fi
++		if [ -n "$addresses" ]; then
++			[ -n "$ports" ] || ports=22
++			count=0
++			for address in $addresses; do
++				count=$((count+1))
++				port_from_address="$(port_from_address $address)"
++				if [ -z "$port_from_address" ]; then
++					for port in $ports; do
++						echo "ListenStream=$address:$port" \
++						     >> "$override_dir"/addresses.conf.new
++					done
++				else
++					echo "ListenStream=$address" \
++					     >> "$override_dir"/addresses.conf.new
++				fi
++			done
++			if [ $count -gt 1 ]; then
++				db_input critical openssh-server/listenstream-may-fail || true
++				db_go || true
++				rm -f "$override_dir"/addresses.conf.new
++				rmdir --ignore-fail-on-non-empty "$override_dir"
++				NO_SOCKET_MIGRATION=1
++			fi
++		elif [ -n "$ports" ]; then
++			for port in $ports; do
++				echo "ListenStream=$port" \
++				     >> "$override_dir"/addresses.conf.new
++			done
++		fi
++
++		if [ -z "$NO_SOCKET_MIGRATION" ] && [ -n "$addresses$ports" ]
++		then
++                    mv "$override_dir"/addresses.conf.new \
++                       "$override_dir"/addresses.conf
++		fi
  	fi
++	if dpkg --compare-versions "$2" lt 1:9.0p1-1ubuntu5~; then
++		if [ -z "$NO_SOCKET_MIGRATION" ]; then
++			override_dir=/etc/systemd/system/ssh.service.d
++			mkdir -p "$override_dir"
++			echo '[Unit]' > "$override_dir"/00-socket.conf
++			echo 'After=ssh.socket' >> "$override_dir"/00-socket.conf
++			echo 'Requires=ssh.socket' >> "$override_dir"/00-socket.conf
++
++			# deb-systemd-helper is inadequate for the task of
++			# changing policy for the units on upgrade
++			if [ -d /run/systemd/system ]; then
++				systemctl daemon-reload
++				systemctl disable ssh.service
++				systemctl unmask ssh.service
++				systemctl stop ssh.service
++				systemctl enable ssh.socket
++			fi
++		fi
++	fi
++
++        # Revert socket migration if we can determine the user hit
++        # LP: #1993478.
++        if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu7~ \
++           && [ -e /etc/systemd/system/ssh.socket.d/addresses.conf ] \
++           && [ -e /etc/systemd/system/ssh.service.d/00-socket.conf ] \
++           && [ -n "$NO_SOCKET_MIGRATION" ]; then
++                rm /etc/systemd/system/ssh.socket.d/addresses.conf
++                rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.socket.d
++                rm /etc/systemd/system/ssh.service.d/00-socket.conf
++                rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.service.d
++		if [ -d /run/systemd/system ]; then
++			systemctl daemon-reload
++			systemctl disable ssh.socket
++			systemctl stop ssh.socket
++			systemctl enable ssh.service
++		fi
++        fi
  fi
  #DEBHELPER#
++if [ -d /run/systemd/system ]; then
++	if deb-systemd-helper --quiet was-enabled ssh.socket; then
++		deb-systemd-invoke restart ssh.socket
++	elif deb-systemd-helper --quiet was-enabled ssh.service; then
++		deb-systemd-invoke restart ssh.service
++	fi
++fi
++
  db_stop
  exit 0
 diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm
 index fbaeb17..46798dd 100644
 --- a/debian/openssh-server.postrm
 +++ b/debian/openssh-server.postrm
@@ -23,6 +23,10 @@ case $1 in
  		if command -v ucfr >/dev/null 2>&1; then
  			ucfr --purge openssh-server /etc/ssh/sshd_config
  		fi
++		rm -f /etc/systemd/system/ssh.service.d/00-socket.conf
++		rm -f /etc/systemd/system/ssh.socket.d/addresses.conf
++		rmdir /etc/systemd/system/ssh.service.d || true
++		rmdir /etc/systemd/system/ssh.socket.d || true
  		rm -f /etc/ssh/sshd_not_to_be_run
  		[ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh
 diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
 index e071fe3..31f2935 100644
 --- a/debian/openssh-server.templates
 +++ b/debian/openssh-server.templates
@@ -21,3 +21,15 @@ Description: Allow password authentication?
   By default, the SSH server will allow authenticating using a password.
   You may want to change this if all users on this system authenticate using
   a stronger authentication method, such as public keys.
++
++Template: openssh-server/listenstream-may-fail
++Type: error
++_Description: Not migrating to socket activation
++ This version of openssh-server uses socket-based activation by default.
++ However, because you have more than one ListenAddress configured in
++ sshd_config, it is impossible to determine at upgrade time if migrating
++ you to socket-based activation would cause the starting of sshd at boot
++ to be unreliable.
++ .
++ Because a failure to start ssh may make it impossible to admininister a
++ system, you will not be migrated to socket-based activation at this time.
 diff --git a/debian/openssh-server.tmpfile b/debian/openssh-server.tmpfile
 new file mode 100644
 index 0000000..76c6323
 --- /dev/null
 +++ b/debian/openssh-server.tmpfile
@@ -0,0 +1,2 @@
++#Type	Path				Mode	UID	GID	Age	Arguments
++D	/run/sshd			0755	root	root	-	-
 diff --git a/debian/openssh-server.ucf-md5sum b/debian/openssh-server.ucf-md5sum
 index 3a9dc23..9a8efb6 100644
 --- a/debian/openssh-server.ucf-md5sum
 +++ b/debian/openssh-server.ucf-md5sum
@@ -103,8 +103,32 @@ cc873ab3ccc9cf3a3830c3c0728c0d0b
 f1bec115595c0f76282d80abe5d9bcc
  ae1a449c8adb31cb603e28fda5342696
++# From 1:8.4p1-5
++6dbdc3a27e1953d209f929df7aff0c57
++0ef8c8fe6a3afd12382dbb93cd7bbb4e
++ae1a449c8adb31cb603e28fda5342696
++9f1bec115595c0f76282d80abe5d9bcc
++
  # From 1:8.7p1-1:
  fe83fd23553510bb632dc8e6e35ab41a
  d96ecd9064ea650c44372a5a33d3e497
 fdb195ac56e0bf1992e18ac656811af
 e03b4df60cd00c651777ec14ff76aef
++
++# From 1:8.9p1-3
++30e0fe758429c57d35a5e71dbd8dd2f8
++23a8a2b1a8f1538be49eb86313367191
++133f5f0119fbf5716b7d72048b25ea71
++697a81708f11897cb0fef857563dee55
++
++# From 1:9.0p1-1ubuntu3
++90ace5da6c7eb3041732930972662f34
++b2c07b86695152141e84f44e4414104a
++e7b9120b6e68c5666ac21a0cc03d4806
++9389be84e67cd5a91b97de5ff03c9306
++
++# From 1:9.2p1-2ubuntu1
++fac56840f6697a357368bb878dd8fb87
++d01da8c9de75176095712d4e37d5dcd5
++e4898846045f33b8d99d3263d6f6fd81
++ec46dc59ba9c9e9458add405264fcedd
 diff --git a/debian/patches/series b/debian/patches/series
 index 2170a6a..42a873f 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -26,3 +26,5 @@ maxhostnamelen.patch
  conch-ssh-rsa.patch
  systemd-socket-activation.patch
  broken-zero-call-used-regs.patch
++socket-activation-documentation.patch
++test-set-UsePAM-no-on-some-tests.patch
 diff --git a/debian/patches/socket-activation-documentation.patch b/debian/patches/socket-activation-documentation.patch
 new file mode 100644
 index 0000000..9afde55
 --- /dev/null
 +++ b/debian/patches/socket-activation-documentation.patch
@@ -0,0 +1,50 @@
++Index: openssh-9.0p1/sshd_config.5
++===================================================================
++--- openssh-9.0p1.orig/sshd_config.5
+++++ openssh-9.0p1/sshd_config.5
++@@ -1069,6 +1069,15 @@
++ Multiple
++ .Cm ListenAddress
++ options are permitted.
+++.Pp
+++.Cm Note:
+++On Ubuntu, the openssh-server package is configured to use systemd
+++socket-based activation by default.  Therefore if you are using systemd with
+++the default configuration,
+++.Cm ListenAddress
+++options will not be honored.  Address configuration must be handled in
+++.Pa /etc/systemd/system/ssh.socket.d
+++instead.
++ .It Cm LoginGraceTime
++ The server disconnects after this time if the user has not
++ successfully logged in.
++@@ -1520,6 +1529,15 @@
++ Multiple options of this type are permitted.
++ See also
++ .Cm ListenAddress .
+++.Pp
+++.Cm Note:
+++On Ubuntu, the openssh-server package is configured to use systemd
+++socket-based activation by default.  Therefore if you are using systemd with
+++the default configuration,
+++.Cm Port
+++options will not be honored.  Address configuration must be handled in
+++.Pa /etc/systemd/system/ssh.socket.d
+++instead.
++ .It Cm PrintLastLog
++ Specifies whether
++ .Xr sshd 8
++Index: openssh-9.0p1/sshd_config
++===================================================================
++--- openssh-9.0p1.orig/sshd_config
+++++ openssh-9.0p1/sshd_config
++@@ -12,6 +12,9 @@
++
++ Include /etc/ssh/sshd_config.d/*.conf
++
+++# Port and ListenAddress options are not used when sshd is socket-activated,
+++# which is now the default in Ubuntu.  See sshd_config(5) and
+++# /usr/share/doc/openssh-server/README.Debian.gz for details.
++ #Port 22
++ #AddressFamily any
++ #ListenAddress 0.0.0.0
 diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
 index 73afb88..8e1ce7c 100644
 --- a/debian/patches/systemd-socket-activation.patch
 +++ b/debian/patches/systemd-socket-activation.patch
@@ -1,47 +1,72 @@
--From 7fa10262be3c7d9fd2fca9c9710ac4ef3f788b08 Mon Sep 17 00:00:00 2001
--From: Steve Langasek <steve.langasek@ubuntu.com>
--Date: Thu, 1 Sep 2022 16:03:37 +0100
--Subject: Support systemd socket activation
++Description: support systemd socket activation
++ Unlike inetd socket activation, with systemd socket activation the
++ supervisor passes the listened-on socket to the child process and lets
++ the child process handle the accept().  This lets us do delayed start
++ of the sshd daemon without becoming incompatible with config options
++ like ClientAliveCountMax.
++Author: Steve Langasek <steve.langasek@ubuntu.com>
++Author: Nick Rosbrook <nick.rosbrook@canonical.com>
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2011458
++Last-Update: 2023-05-25
--Unlike inetd socket activation, with systemd socket activation the
--supervisor passes the listened-on socket to the child process and lets
--the child process handle the accept().  This lets us do delayed start
--of the sshd daemon without becoming incompatible with config options
--like ClientAliveCountMax.
--
--Last-Update: 2022-09-01
--
--Patch-Name: systemd-socket-activation.patch
-----
-- sshd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++---------
-- 1 file changed, 75 insertions(+), 14 deletions(-)
--
--diff --git a/sshd.c b/sshd.c
--index 356bd6c02..6dfa5fffe 100644
  --- a/sshd.c
  +++ b/sshd.c
--@@ -140,10 +140,16 @@ int deny_severity;
++@@ -139,11 +139,14 @@
++ int deny_severity;
   #endif /* LIBWRAP */
+++/* This will only get set if we build with systemd. */
+++static int systemd_num_listen_fds;
+++
   /* Re-exec fds */
  -#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
  -#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
  -#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
  -#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
--+#ifdef HAVE_SYSTEMD
--+#define SYSTEMD_OFFSET sd_listen_fds(0)
--+#else
--+#define SYSTEMD_OFFSET 0
--+#endif
--+
--+#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1 + SYSTEMD_OFFSET)
--+#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2 + SYSTEMD_OFFSET)
--+#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3 + SYSTEMD_OFFSET)
--+#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4 + SYSTEMD_OFFSET)
+++#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1 + systemd_num_listen_fds)
+++#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2 + systemd_num_listen_fds)
+++#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3 + systemd_num_listen_fds)
+++#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4 + systemd_num_listen_fds)
   extern char *__progname;
--@@ -1020,6 +1026,48 @@ server_accept_inetd(int *sock_in, int *sock_out)
++@@ -194,6 +197,7 @@
++  */
++ #define	MAX_LISTEN_SOCKS	16
++ static int listen_socks[MAX_LISTEN_SOCKS];
+++static int listen_socks_no_close[MAX_LISTEN_SOCKS];
++ static int num_listen_socks = 0;
++
++ /* Daemon's agent connection */
++@@ -279,12 +283,16 @@
++  * Close all listening sockets
++  */
++ static void
++-close_listen_socks(void)
+++close_listen_socks(int force)
++ {
++ 	int i;
++
++-	for (i = 0; i < num_listen_socks; i++)
+++	for (i = 0; i < num_listen_socks; i++) {
+++		if (listen_socks_no_close[i] > 0 && force <= 0)
+++			continue;
+++
++ 		close(listen_socks[i]);
+++        }
++ 	num_listen_socks = 0;
++ }
++
++@@ -322,7 +330,7 @@
++ 	if (options.pid_file != NULL)
++ 		unlink(options.pid_file);
++ 	platform_pre_restart();
++-	close_listen_socks();
+++	close_listen_socks(/* force = */ 0);
++ 	close_startup_pipes();
++ 	ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */
++ 	execv(saved_argv[0], saved_argv);
++@@ -1020,6 +1028,65 @@
   	debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
+  }
@@ -52,7 +77,7 @@ index 356bd6c02..6dfa5fffe 100644
  +static void
  +setup_systemd_socket(int listen_sock)
  +{
--+	int ret;
+++	int flags, ret;
  +	struct sockaddr_storage addr;
  +	socklen_t len = sizeof(addr);
  +	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -77,10 +102,27 @@ index 356bd6c02..6dfa5fffe 100644
  +		close(listen_sock);
  +		return;
  +	}
+++
  +	/* Socket options */
  +	set_reuseaddr(listen_sock);
+ +
+++	/* systemd sets FD_CLOEXEC on the fds it passes to us, but we need this
+++	 * to stay open across re-exec. */
+++	flags = fcntl(listen_sock, F_GETFD);
+++	if (flags < 0) {
+++	        error("Failed to get fd flags: %s", strerror(errno));
+++	        close(listen_sock);
+++	        return;
+++	}
+++
+++	if (fcntl(listen_sock, F_SETFD, flags & ~FD_CLOEXEC) < 0) {
+++	        error("Failed to clear FD_CLOEXEC flag: %s", strerror(errno));
+++	        close(listen_sock);
+++	        return;
+++	}
+++
  +	listen_socks[num_listen_socks] = listen_sock;
+++	listen_socks_no_close[num_listen_socks] = 1;
  +	num_listen_socks++;
+ +
  +	logit("Server listening on %s port %s.", ntop, strport);
@@ -90,15 +132,7 @@ index 356bd6c02..6dfa5fffe 100644
   /*
    * Listen for TCP connections
    */
--@@ -1099,22 +1147,35 @@ static void
-- server_listen(void)
-- {
-- 	u_int i;
--+#ifdef HAVE_SYSTEMD
--+	int systemd_socket_count;
--+#endif
--
-- 	/* Initialise per-source limit tracking. */
++@@ -1104,17 +1171,26 @@
   	srclimit_init(options.max_startups, options.per_source_max_startups,
   	    options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
@@ -108,12 +142,16 @@ index 356bd6c02..6dfa5fffe 100644
  -		free(options.listen_addrs[i].rdomain);
  -		memset(&options.listen_addrs[i], 0,
  -		    sizeof(options.listen_addrs[i]));
++-	}
++-	free(options.listen_addrs);
++-	options.listen_addrs = NULL;
++-	options.num_listen_addrs = 0;
++-
  +#ifdef HAVE_SYSTEMD
--+	systemd_socket_count = sd_listen_fds(0);
--+	if (systemd_socket_count > 0)
+++	if (systemd_num_listen_fds > 0)
  +	{
  +		int i;
--+		for (i = 0; i < systemd_socket_count; i++)
+++		for (i = 0; i < systemd_num_listen_fds; i++)
  +			setup_systemd_socket(SD_LISTEN_FDS_START + i);
  +	} else
  +#endif
@@ -128,11 +166,65 @@ index 356bd6c02..6dfa5fffe 100644
  +		free(options.listen_addrs);
  +		options.listen_addrs = NULL;
  +		options.num_listen_addrs = 0;
-- 	}
---	free(options.listen_addrs);
---	options.listen_addrs = NULL;
---	options.num_listen_addrs = 0;
---
+++	}
   	if (!num_listen_socks)
   		fatal("Cannot bind any address.");
+  }
++@@ -1169,7 +1245,7 @@
++ 		if (received_sigterm) {
++ 			logit("Received signal %d; terminating.",
++ 			    (int) received_sigterm);
++-			close_listen_socks();
+++			close_listen_socks(/* force = */ 1);
++ 			if (options.pid_file != NULL)
++ 				unlink(options.pid_file);
++ 			exit(received_sigterm == SIGTERM ? 0 : 255);
++@@ -1183,7 +1259,7 @@
++ 		if (received_sighup) {
++ 			if (!lameduck) {
++ 				debug("Received SIGHUP; waiting for children");
++-				close_listen_socks();
+++				close_listen_socks(/* force = */ 0);
++ 				lameduck = 1;
++ 			}
++ 			if (listening <= 0) {
++@@ -1310,7 +1386,7 @@
++ 				 * connection without forking.
++ 				 */
++ 				debug("Server will not fork when running in debugging mode.");
++-				close_listen_socks();
+++				close_listen_socks(/* force = */ 0);
++ 				*sock_in = *newsock;
++ 				*sock_out = *newsock;
++ 				close(startup_p[0]);
++@@ -1344,7 +1420,7 @@
++ 				platform_post_fork_child();
++ 				startup_pipe = startup_p[1];
++ 				close_startup_pipes();
++-				close_listen_socks();
+++				close_listen_socks(/* force = */ 1);
++ 				*sock_in = *newsock;
++ 				*sock_out = *newsock;
++ 				log_init(__progname,
++@@ -1715,6 +1791,21 @@
++ 			break;
++ 		}
++ 	}
+++
+++#ifdef HAVE_SYSTEMD
+++        /* We should call sd_listen_fds() exactly once. If we call
+++         * sd_listen_fds() more than once, then FD_CLOEXEC will be
+++         * re-configured for the passed fds, which will cause problems during
+++         * re-execution. The FD_CLOEXEC flag will be cleared by
+++         * setup_systemd_socket(). */
+++        r = sd_listen_fds(0);
+++        if (r < 0)
+++                fatal("Failed to get systemd socket fds: %s", strerror(-r));
+++
+++        systemd_num_listen_fds = r;
+++        rexec_flag = 0;
+++#endif
+++
++ 	if (rexeced_flag || inetd_flag)
++ 		rexec_flag = 0;
++ 	if (!test_flag && !do_dump_cfg && rexec_flag && !path_absolute(av[0]))
 diff --git a/debian/patches/test-set-UsePAM-no-on-some-tests.patch b/debian/patches/test-set-UsePAM-no-on-some-tests.patch
 new file mode 100644
 index 0000000..207f495
 --- /dev/null
 +++ b/debian/patches/test-set-UsePAM-no-on-some-tests.patch
@@ -0,0 +1,41 @@
++Description: Set UsePAM=no for regress/putty-*.sh
++ Currently these tests fails in the autopkgtest infrastructure due to pam_loginuid.so
++ failures. These failures cannot currently be replicated locally. Workaround this
++ by setting UsePAM=no for the failing tests since their functionality is not tesing
++ PAM.
++Author: Nick Rosbrook <nick.rosbrook@canonical.com>
++Forwarded: no
++Last-Update: 2023-05-25
++--- a/regress/putty-ciphers.sh
+++++ b/regress/putty-ciphers.sh
++@@ -14,6 +14,8 @@
++ 	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
++ fi
++
+++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
+++
++ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
++ 	verbose "$tid: cipher $c"
++ 	cp ${OBJ}/.putty/sessions/localhost_proxy \
++--- a/regress/putty-kex.sh
+++++ b/regress/putty-kex.sh
++@@ -14,6 +14,8 @@
++ 	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
++ fi
++
+++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
+++
++ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
++ 	verbose "$tid: kex $k"
++ 	cp ${OBJ}/.putty/sessions/localhost_proxy \
++--- a/regress/putty-transfer.sh
+++++ b/regress/putty-transfer.sh
++@@ -14,6 +14,8 @@
++ 	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
++ fi
++
+++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
+++
++ if [ "`${SSH} -Q compression`" = "none" ]; then
++ 	comp="0"
++ else
 diff --git a/debian/po/cs.po b/debian/po/cs.po
 index d01e0ff..21b4c7b 100644
 --- a/debian/po/cs.po
 +++ b/debian/po/cs.po
@@ -7,7 +7,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh 1:6.6p1-1\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-06-12 12:25+0200\n"
  "Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n"
  "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
@@ -53,3 +53,28 @@ msgstr ""
  "poškodit systémy, které jsou nastaveny s předpokladem, že bude možné se "
  "přihlašovat přes SSH jako root pomocí ověřování heslem. Změnu této volby "
  "byste měli provést pouze pokud ověřování heslem potřebujete."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/da.po b/debian/po/da.po
 index 70d576d..a08ca3b 100644
 --- a/debian/po/da.po
 +++ b/debian/po/da.po
@@ -7,7 +7,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-21 23:51+0200\n"
  "Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
  "Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n"
@@ -53,3 +53,28 @@ msgstr ""
  "Det kan dog ødelægge systemer, som er opsat med forventning om at kunne SSH "
  "som root via brug af adgangskodegodkendelse. Du skal kun lave denne ændring, "
  "hvis du ikke har brug for dette."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/de.po b/debian/po/de.po
 index ecba54b..2536ea4 100644
 --- a/debian/po/de.po
 +++ b/debian/po/de.po
@@ -8,7 +8,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh_1:6.6p1-1\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-24 22:21+0100\n"
  "Last-Translator: Stephan Beck <sbeck@mailbox.org>\n"
  "Language-Team: Debian German translation team <debian-l10n-german@lists."
@@ -59,3 +59,28 @@ msgstr ""
  "in der Absicht konfiguriert wurden, die Anmeldung als »root« über SSH unter "
  "Verwendung von Passwort-Authentifizierung zuzulassen. Sie sollten diese "
  "Änderung nur vornehmen, wenn Sie auf Letzteres verzichten können."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/es.po b/debian/po/es.po
 index de8a67a..14550d6 100644
 --- a/debian/po/es.po
 +++ b/debian/po/es.po
@@ -28,7 +28,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-23 20:43-0300\n"
  "Last-Translator: Matías Bellone <matiasbellone+debian@gmail.com>\n"
  "Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n"
@@ -78,3 +78,28 @@ msgstr ""
  "configuración permite que el usuario root inicie sesión a través de SSH "
  "utilizando una contraseña. Sólo debería realizar este cambio si no necesita "
  "este comportamiento."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/fr.po b/debian/po/fr.po
 index f7125e9..7d7093b 100644
 --- a/debian/po/fr.po
 +++ b/debian/po/fr.po
@@ -7,7 +7,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh_1:6.5p1-6\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-22 08:26+0100\n"
  "Last-Translator: Étienne Gilli <etienne.gilli@gmail.com>\n"
  "Language-Team: French <debian-l10n-french@lists.debian.org>\n"
@@ -57,3 +57,28 @@ msgstr ""
  "inutilisables les systèmes reposant sur la possibilité de se connecter au "
  "compte « root » par SSH avec authentification par mot de passe. Vous ne "
  "devriez appliquer cette modification que si ce n’est pas votre cas."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/it.po b/debian/po/it.po
 index dd71060..5390795 100644
 --- a/debian/po/it.po
 +++ b/debian/po/it.po
@@ -6,7 +6,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-28 11:12+0200\n"
  "Last-Translator: Beatrice Torracca <beatricet@libero.it>\n"
  "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
@@ -56,3 +56,28 @@ msgstr ""
  "impostati facendo affidamento sulla possibilità di autenticazione SSH come "
  "root usando la password. Si dovrebbe fare questo cambiamento solo se non si "
  "ha bisogno di tale comportamento."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/ja.po b/debian/po/ja.po
 index db382f1..b48d281 100644
 --- a/debian/po/ja.po
 +++ b/debian/po/ja.po
@@ -7,7 +7,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-20 11:06+0900\n"
  "Last-Translator: victory <victory.deb@gmail.com>\n"
  "Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
@@ -53,3 +53,28 @@ msgstr ""
  "ます。しかしパスワード認証により root で SSH 接続できることを前提として構成し"
  "たシステムでは問題が発生する可能性があります。そういった必要のない場合にのみ"
  "この変更を行うようにしてください。"
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/nl.po b/debian/po/nl.po
 index 3afd617..eca9662 100644
 --- a/debian/po/nl.po
 +++ b/debian/po/nl.po
@@ -7,7 +7,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-10-03 23:54+0200\n"
  "Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
  "Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
@@ -58,3 +58,28 @@ msgstr ""
  "ingesteld werden vanuit de verwachting dat de systeembeheerder SSH kan "
  "gebruiken met authenticatie via wachtwoord. Enkel wanneer u dit laatste niet "
  "nodig heeft, zou u deze wijziging kunnen doorvoeren."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/pt.po b/debian/po/pt.po
 index 2dab84c..8f51af9 100644
 --- a/debian/po/pt.po
 +++ b/debian/po/pt.po
@@ -7,7 +7,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh 1:6.6p1-1\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-21 21:13+0000\n"
  "Last-Translator: Américo Monteiro <a_monteiro@gmx.com>\n"
  "Language-Team: Portuguese <traduz@debianpt.org>\n"
@@ -57,3 +57,28 @@ msgstr ""
  "configurados com a expectativa de serem capazes de SSH como root usando "
  "autenticação por palavra-passe. Apenas deverá fazer esta alteração se não "
  "precisa de tal método de autenticação."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po
 index 99b1182..98856bb 100644
 --- a/debian/po/pt_BR.po
 +++ b/debian/po/pt_BR.po
@@ -8,7 +8,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-11-23 23:49-0200\n"
  "Last-Translator: José de Figueiredo <deb.gnulinux@gmail.com>\n"
  "Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
@@ -55,3 +55,28 @@ msgstr ""
  "Entretanto, ela pode quebrar sistemas que foram configurados com a "
  "expectativa de acesso SSH com root usando autenticação por senha. Você deve "
  "fazer esta mudança somente se você não precisa fazer isso."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/ru.po b/debian/po/ru.po
 index f2e1daf..3fa193c 100644
 --- a/debian/po/ru.po
 +++ b/debian/po/ru.po
@@ -6,7 +6,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh 1:6.6p1-1\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-22 10:04+0400\n"
  "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
  "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
@@ -14,8 +14,8 @@ msgstr ""
  "MIME-Version: 1.0\n"
  "Content-Type: text/plain; charset=UTF-8\n"
  "Content-Transfer-Encoding: 8bit\n"
--"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
--"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
++"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
++"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
  "X-Generator: Lokalize 1.4\n"
  #. Type: boolean
@@ -55,3 +55,28 @@ msgstr ""
  "атак). Однако, это вредит системам, в которых специально настроен вход для "
  "root по SSH с парольной аутентификацией. Если это не ваш случай, то ответьте "
  "утвердительно."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/sv.po b/debian/po/sv.po
 index 278b0cc..296e611 100644
 --- a/debian/po/sv.po
 +++ b/debian/po/sv.po
@@ -8,7 +8,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-03-21 21:36+0100\n"
  "Last-Translator: Andreas Rönnquist <gusnan@gusnan.se>\n"
  "Language-Team: Swedish\n"
@@ -56,3 +56,28 @@ msgstr ""
  "sådana angrepp). Dock så kan detta förstöra system som förväntas kunna "
  "använda SSH som root med hjälp av lösenordsautentisering. Du skall endast "
  "göra denna förändring om du inte har ett behov av att kunna göra detta."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/templates.pot b/debian/po/templates.pot
 index 47c9e36..c9dc5ba 100644
 --- a/debian/po/templates.pot
 +++ b/debian/po/templates.pot
@@ -1,6 +1,6 @@
  # SOME DESCRIPTIVE TITLE.
  # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
--# This file is distributed under the same license as the PACKAGE package.
++# This file is distributed under the same license as the openssh package.
  # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+ #
  #, fuzzy
@@ -8,7 +8,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
  "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
  "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -44,3 +44,28 @@ msgid ""
  "able to SSH as root using password authentication. You should only make this "
  "change if you do not need to do that."
  msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/po/tr.po b/debian/po/tr.po
 index 1ada041..fd6bde5 100644
 --- a/debian/po/tr.po
 +++ b/debian/po/tr.po
@@ -7,15 +7,15 @@ msgid ""
  msgstr ""
  "Project-Id-Version: openssh-server\n"
  "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
--"POT-Creation-Date: 2014-03-20 02:06+0000\n"
++"POT-Creation-Date: 2022-09-23 19:34+0000\n"
  "PO-Revision-Date: 2014-08-01 14:44+0200\n"
  "Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
  "Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
++"Language: tr\n"
  "MIME-Version: 1.0\n"
  "Content-Type: text/plain; charset=UTF-8\n"
  "Content-Transfer-Encoding: 8bit\n"
  "X-Generator: Poedit 1.5.4\n"
--"Language: tr\n"
  #. Type: boolean
  #. Description
@@ -56,3 +56,28 @@ msgstr ""
  "parola doğrulama yöntemiyle oturum açılabileceği varsayımıyla hareket eden "
  "sistemlerde eskiden çalışan düzenin bozulmasına sebep olacaktır. Bu "
  "değişikliği yalnızca sorun çıkarmayacağından eminseniz yapın."
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid "Not migrating to socket activation"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"This version of openssh-server uses socket-based activation by default. "
++"However, because you have more than one ListenAddress configured in "
++"sshd_config, it is impossible to determine at upgrade time if migrating you "
++"to socket-based activation would cause the starting of sshd at boot to be "
++"unreliable."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../openssh-server.templates:3001
++msgid ""
++"Because a failure to start ssh may make it impossible to admininister a "
++"system, you will not be migrated to socket-based activation at this time."
++msgstr ""
 diff --git a/debian/rules b/debian/rules
 index c921ece..dff4713 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -189,8 +189,8 @@ override_dh_installinit:
  	dh_installinit -R --name ssh
  override_dh_installsystemd:
--	dh_installsystemd -popenssh-server ssh.service
--	dh_installsystemd -popenssh-server --no-enable ssh.socket
++	dh_installsystemd -popenssh-server --no-start ssh.socket
++	dh_installsystemd -popenssh-server --no-enable --no-start ssh.service
  	dh_installsystemd -popenssh-server --no-start rescue-ssh.target
  debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
 diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service
 index 7495d9a..a18105b 100644
 --- a/debian/systemd/ssh.service
 +++ b/debian/systemd/ssh.service
@@ -14,8 +14,6 @@ KillMode=process
  Restart=on-failure
  RestartPreventExitStatus=255
  Type=notify
--RuntimeDirectory=sshd
--RuntimeDirectoryMode=0755
  [Install]
  WantedBy=multi-user.target
 diff --git a/debian/tests/control b/debian/tests/control
 index 22d443d..adef04c 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -9,3 +9,9 @@ Depends: devscripts,
           python3-twisted,
           sudo,
           sysvinit-utils,
++
++Tests: systemd-socket-activation
++Restrictions: needs-root allow-stderr
++Depends: openssh-client,
++         openssh-server,
++         systemd,
 diff --git a/debian/tests/systemd-socket-activation b/debian/tests/systemd-socket-activation
 new file mode 100644
 index 0000000..42d4526
 --- /dev/null
 +++ b/debian/tests/systemd-socket-activation
@@ -0,0 +1,57 @@
++#!/bin/bash
++
++set -euo pipefail
++
++assert_unit_property() {
++    local property="$(echo "$2" | awk -F'=' '{print $1}')"
++
++    local expect="$2"
++    local actual="$(systemctl show -p "$property" "$1")"
++
++    if [[ "$actual" != "$expect" ]]; then
++        echo "Fail: $1: expected $expect, but got $actual"
++        return 1
++    fi
++}
++
++# Generate RSA key and add it to this user's authorized keys.
++ssh-keygen -t rsa -N "" -f "$HOME/.ssh/id_rsa" -q
++if [[ -f ~/.ssh/authorized_keys ]]; then
++    touch ~/.ssh/authorized_keys
++    chmod 0600 ~/.ssh/authorized_keys
++fi
++cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
++
++# Make sure ssh.service is not running.
++echo "Stopping ssh.service..."
++systemctl stop ssh.service 2>/dev/null
++
++# Check that ssh.socket is active and listening.
++echo "Checking that ssh.socket is active and listening..."
++assert_unit_property ssh.socket "ActiveState=active"
++assert_unit_property ssh.socket "SubState=listening"
++
++# Check that ssh.service is currently inactive/dead.
++echo "Checking that ssh.service is inactive/dead..."
++assert_unit_property ssh.service "ActiveState=inactive"
++assert_unit_property ssh.service "SubState=dead"
++
++# Check that a connection attempt successfully activates ssh.service.
++echo "Checking that a connection attempt activates ssh.service..."
++ssh -oStrictHostKeyChecking=no localhost -- /usr/bin/true
++assert_unit_property ssh.service "ActiveState=active"
++assert_unit_property ssh.service "SubState=running"
++
++# Check that we can re-execute sshd via systemctl reload.
++echo "Checking that sshd can be re-executed..."
++systemctl reload ssh.service
++assert_unit_property ssh.service "ActiveState=active"
++assert_unit_property ssh.service "SubState=running"
++
++# Check that we can run sshd in debug mode.
++echo "Checking sshd can run in debug mode..."
++systemctl stop ssh.service 2>/dev/null
++sed -i 's/^SSHD_OPTS=.*/SSHD_OPTS=-ddd/g' /etc/default/ssh
++ssh -oStrictHostKeyChecking=no localhost -- /usr/bin/true
++
++echo "Done."

Ubuntuopenssh package

Merge ~mirespace/ubuntu/+source/openssh:merge-lp2040406-noble into ubuntu/+source/openssh:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openssh package