diff -pruN 1:9.9p1-3/debian/.gitignore 1:9.9p1-3ubuntu3.1/debian/.gitignore
--- 1:9.9p1-3/debian/.gitignore	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/.gitignore	1970-01-01 00:00:00.000000000 +0000
@@ -1,17 +0,0 @@
-/*.debhelper*
-/*substvars
-/build-deb
-/build-udeb
-/files
-/keygen-test/key1
-/keygen-test/key1.pub
-/keygen-test/key2
-/keygen-test/key2.pub
-/openssh-client
-/openssh-client-udeb
-/openssh-server
-/openssh-server-udeb
-/ssh
-/ssh-askpass-gnome
-/ssh-krb5
-/tmp
diff -pruN 1:9.9p1-3/debian/README.Debian 1:9.9p1-3ubuntu3.1/debian/README.Debian
--- 1:9.9p1-3/debian/README.Debian	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/README.Debian	2024-10-30 15:46:25.000000000 +0000
@@ -184,39 +184,30 @@ this sshd manually on upgrades.
 Socket-based activation with systemd
 ------------------------------------
 
-If you want to reconfigure systemd to listen on port 22 itself and launch
-sshd on connection (systemd-style socket activation), then you can run:
+By default, socket-based activation is used on systems that use systemd.
 
-  systemctl disable --now ssh.service
-  systemctl start ssh.socket
+The provided ssh.socket unit file sets ListenStream=22. A systemd generator,
+sshd-socket-generator, parses the sshd configuration and, if non-default
+ListenAddress(s) or Port(s) are configured, generates corresponding
+ListenStream= lines in a drop-in configration file for ssh.socket. To change
+the port or address ssh.socket is listening on, edit /etc/ssh/sshd_config (or
+add a drop-in file to /etc/ssh/sshd_config.d/) as usual and then run:
 
-To roll back this change, run:
-
-  systemctl stop ssh.socket
-  systemctl enable --now ssh.service
-
-Or if you want to make this change permanent:
-
-  systemctl enable ssh.socket
-
-This may be appropriate in environments where minimal footprint is critical
-(e.g. cloud guests).
-
-The provided ssh.socket unit file sets ListenStream=22.  If you need to have
-it listen on a different address or port, then you will need to do this as
-follows (modifying ListenStream to match your requirements):
-
-  mkdir -p /etc/systemd/system/ssh.socket.d
-  cat >/etc/systemd/system/ssh.socket.d/listen.conf <<EOF
-  [Socket]
-  ListenStream=
-  ListenStream=2222
-  EOF
   systemctl daemon-reload
   systemctl restart ssh.socket
 
 See systemd.socket(5) for details.
 
+If you do not want to use socket activation for ssh on your system, you
+can disable socket activation by masking the generator and re-enabling
+ssh.service:
+
+  mkdir -p /etc/systemd/system-generators/
+  ln -s /dev/null /etc/systemd/system-generators/sshd-socket-generator
+  systemctl daemon-reload
+  systemctl disable --now ssh.socket
+  systemctl enable --now ssh.service
+
 Terminating SSH sessions cleanly on shutdown/reboot with systemd
 ----------------------------------------------------------------
 
diff -pruN 1:9.9p1-3/debian/changelog 1:9.9p1-3ubuntu3.1/debian/changelog
--- 1:9.9p1-3/debian/changelog	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/changelog	2025-04-11 11:33:19.000000000 +0000
@@ -1,3 +1,74 @@
+openssh (1:9.9p1-3ubuntu3.1) plucky-security; urgency=medium
+
+  * SECURITY UPDATE: incorrect DisableForwarding directive behaviour
+    - debian/patches/CVE-2025-32728.patch: fix logic error in session.c.
+    - CVE-2025-32728
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 11 Apr 2025 07:33:19 -0400
+
+openssh (1:9.9p1-3ubuntu3) plucky; urgency=medium
+
+  * SECURITY UPDATE: MitM with VerifyHostKeyDNS option
+    - debian/patches/CVE-2025-26465.patch: fix error code handling in
+      krl.c, ssh-agent.c, ssh-sk-client.c, sshconnect2.c, sshsig.c.
+    - CVE-2025-26465
+  * SECURITY UPDATE: pre-authentication denial of service
+    - debian/patches/CVE-2025-26466.patch: don't reply to PING in preauth
+      or in KEX in packet.c.
+    - CVE-2025-26466
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 18 Feb 2025 08:50:06 -0500
+
+openssh (1:9.9p1-3ubuntu2) plucky; urgency=medium
+
+  * document /etc/ssh/sshd_config.d/*.conf better in sshd_config
+    (LP: #2088207)
+    - d/p/debian-config.patch: expand comment about configuration options
+      and precedence of configuration snippets
+    - d/openssh-server.ucf-md5sum: update for new sshd_config comments
+    - d/p/sshd-socket-generator.patch: refresh for sshd_config comment
+  * d/t/systemd-socket-activation: add wait while unit is reloading
+    This avoids a race condition where we sometimes fail the assertion
+    that ActiveState=active after systemctl reload.
+    (LP: #2089049)
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Tue, 19 Nov 2024 12:06:14 -0500
+
+openssh (1:9.9p1-3ubuntu1) plucky; urgency=medium
+
+  * Merge with Debian unstable (LP: #2085261). Remaining changes:
+    - Make systemd socket activation the default:
+      + debian/rules: modify dh_installsystemd invocations for
+        socket-activated sshd
+      + debian/README.Debian: document systemd socket activation.
+      + debian/patches/systemd-socket-activation.patch: Fix sshd
+        re-execution behavior when socket activation is used
+      + debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
+        activation functionality.
+      + debian/control: Build-Depends: systemd-dev
+      + d/p/sshd-socket-generator.patch: add generator for socket activation
+      + debian/openssh-server.install: install sshd-socket-generator
+      + debian/openssh-server.postinst: handle migration to sshd-socket-generator
+      + d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
+      + ssh.socket: adjust unit for socket activation by default
+      + debian/rules: explicitly enable LTO
+    - debian/.gitignore: drop file
+    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
+    - debian/patches: Immediately report interactive instructions to PAM clients
+    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
+    - d/t/ssh-gssapi: disable -e in cleanup()
+  * Dropped changes, included in Debian:
+    - SECURITY UPDATE: timing attack against echo-off password entry
+      + debian/patches/CVE-2024-39894.patch: don't rely on
+        channel_did_enqueue in clientloop.c
+      + CVE-2024-39894
+  * New changes:
+    - d/p/systemd-socket-activation.patch: refresh and adapt for sshd-session
+    - d/openssh-server.links: add full sshd.service -> ssh.service alias
+      (LP: #2087949)
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Tue, 12 Nov 2024 16:28:26 -0500
+
 openssh (1:9.9p1-3) unstable; urgency=medium
 
   * Fix mlkem768x25519-sha256 key exchange algorithm on big-endian
@@ -207,6 +278,91 @@ openssh (1:9.8p1-1) unstable; urgency=me
 
  -- Colin Watson <cjwatson@debian.org>  Wed, 31 Jul 2024 17:16:04 +0100
 
+openssh (1:9.7p1-7ubuntu5) plucky; urgency=medium
+
+  * d/t/sshd-socket-generator: run test_match_on_port test
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Wed, 30 Oct 2024 08:48:50 -0400
+
+openssh (1:9.7p1-7ubuntu4) oracular; urgency=medium
+
+  * Explicitly listen on IPv4 by default, with socket-activated sshd
+    (LP: #2080216)
+    - d/systemd/ssh.socket: explicitly listen on ipv4 by default
+    - d/t/sshd-socket-generator: update for new defaults and AddressFamily
+    - sshd-socket-generator: handle new ssh.socket default settings
+  * d/p/systemd-socket-activation.patch: always close newsock fd before re-exec
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Tue, 01 Oct 2024 14:45:28 -0400
+
+openssh (1:9.7p1-7ubuntu3) oracular; urgency=medium
+
+  * sshd-socket-generator: do not parse server match config (LP: #2076023)
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Tue, 27 Aug 2024 15:54:41 -0400
+
+openssh (1:9.7p1-7ubuntu2) oracular; urgency=medium
+
+  * d/p/test-set-UsePAM-no-on-some-tests.patch: restore patch
+    This was mistakenly dropped in the merge from Debian after
+    testing locally only.
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Wed, 31 Jul 2024 10:20:23 -0400
+
+openssh (1:9.7p1-7ubuntu1) oracular; urgency=medium
+
+  * Merge with Debian unstable (LP: #2064435). Remaining changes:
+    - Make systemd socket activation the default:
+      + debian/rules: modify dh_installsystemd invocations for
+        socket-activated sshd
+      + debian/README.Debian: document systemd socket activation.
+      + debian/patches/systemd-socket-activation.patch: Fix sshd
+        re-execution behavior when socket activation is used
+      + debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
+        activation functionality.
+      + debian/control: Build-Depends: systemd-dev
+      + d/p/sshd-socket-generator.patch: add generator for socket activation
+      + debian/openssh-server.install: install sshd-socket-generator
+      + debian/openssh-server.postinst: handle migration to sshd-socket-generator
+      + d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
+      + ssh.socket: adjust unit for socket activation by default
+      + debian/rules: explicitly enable LTO
+    - debian/.gitignore: drop file
+    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
+    - debian/patches: Immediately report interactive instructions to PAM clients
+    - debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
+    - d/t/ssh-gssapi: disable -e in cleanup()
+    - SECURITY UPDATE: timing attack against echo-off password entry
+      + debian/patches/CVE-2024-39894.patch: don't rely on
+        channel_did_enqueue in clientloop.c
+      + CVE-2024-39894
+  * Dropped changes, included in Debian:
+    - debian/patches: only set PAM_RHOST if remote host is not "UNKNOWN"
+    - Remove deprecated user_readenv=1 setting (LP #2059859):
+      + d/openssh-server.sshd.pam.in: drop user_readenv=1, which was
+        deprecated by pam_env upstream. Openssh has the SendEnv and AcceptEnv
+        configuration options that can be used to replace this feature, and
+        are in the default config already
+      + d/NEWS: update about this change in behavior
+    - debian: Remove dependency on libsystemd
+    - d/p/gssapi.patch: fix method_gsskeyex structure and
+      userauth_gsskeyex function regarding changes introduced in upstream
+      commit dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for
+      multiple names for authmethods") (LP #2053146)
+    - d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
+      and gssapi-keyex authentication methods
+    - SECURITY UPDATE: remote code execution via signal handler race
+      condition (LP #2070497)
+      + debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
+      + CVE-2024-6387
+  * Dropped changes, no longer needed:
+    - debian/openssh-server.postinst: ucf workaround for LP #1968873
+      [affected upgrade path not supported]
+    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
+      for some tests.
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Mon, 29 Jul 2024 15:19:02 -0400
+
 openssh (1:9.7p1-7) unstable; urgency=critical
 
   [ Salvatore Bonaccorso ]
@@ -329,6 +485,223 @@ openssh (1:9.6p1-4) unstable; urgency=me
 
  -- Colin Watson <cjwatson@debian.org>  Mon, 26 Feb 2024 12:26:57 +0000
 
+openssh (1:9.6p1-3ubuntu18) oracular; urgency=medium
+
+  * d/p/systemd-socket-activation.patch: don't clear rexec_flag
+    It was pointed out that this is generally not a good idea, so undo this
+    change. In order to do this, we need to restore the logic to ensure
+    that when we have been re-executed, we ignore $LISTEN_PID because it
+    won't match, but we still need to know $LISTEN_FDS. And, do not set
+    FD_CLOEXEC on the fds passed from systemd, because we want them to
+    survive the re-execution. (LP: #2071815)
+  * d/p/systemd-socket-activation.patch: refresh patch
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Fri, 26 Jul 2024 11:54:36 -0400
+
+openssh (1:9.6p1-3ubuntu17) oracular; urgency=medium
+
+  * Remove deprecated user_readenv=1 setting (LP: #2059859):
+    - d/openssh-server.sshd.pam.in: drop user_readenv=1, which was
+      deprecated by pam_env upstream. Openssh has the SendEnv and
+      AcceptEnv configuration options that can be used to replace this
+      feature, and are in the default config already
+    - d/NEWS: update about this change in behavior
+
+ -- Andreas Hasenack <andreas@canonical.com>  Wed, 10 Jul 2024 11:41:37 -0300
+
+openssh (1:9.6p1-3ubuntu16) oracular; urgency=medium
+
+  * SECURITY UPDATE: timing attack against echo-off password entry
+    - debian/patches/CVE-2024-39894.patch: don't rely on
+      channel_did_enqueue in clientloop.c
+    - CVE-2024-39894
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 09 Jul 2024 07:28:38 -0400
+
+openssh (1:9.6p1-3ubuntu15) oracular; urgency=medium
+
+  * SECURITY UPDATE: remote code execution via signal handler race
+    condition (LP: #2070497)
+    - debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
+    - CVE-2024-6387
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 26 Jun 2024 14:29:50 -0400
+
+openssh (1:9.6p1-3ubuntu14) oracular; urgency=medium
+
+  * d/p/sshd-socket-generator.patch: add note to sshd_config
+    Explain that a systemctl daemon-reload is needed for changes
+    to Port et al to take effect. (LP: #2069041)
+  * debian/openssh-server.ucf-md5sum: add new checksums for sshd_config
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Tue, 18 Jun 2024 13:31:47 -0400
+
+openssh (1:9.6p1-3ubuntu13) noble; urgency=medium
+
+  [ Marco Trevisan (Treviño) ]
+  * debian: Remove dependency on libsystemd
+    As per the xz backdoor we learned that the least dependencies sshd have,
+    the best it is, so avoid to plug libsystemd (which also brings various
+    other dependencies) inside sshd for no reason:
+
+    - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
+      dependency
+    - d/p/systemd-socket-activation.patch: Import patch from debian that
+      mimics the libsystemd sd_listen_fds() code, as refactored by Colin
+      Watson.
+    - d/control: Remove dependencies on  libsystemd-dev | libelogind-dev
+    - d/rules: Drop --with-systemd flag (new options are used by default)
+
+  [ Nick Rosbrook ]
+  * debian/patches: only set PAM_RHOST if remote host is not "UNKNOWN"
+    (LP: #2060150)
+  * debian/openssh-server.postinst: don't re-enable ssh.socket if it was disabled
+    (LP: #2059874)
+  * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22
+    (LP: #2059872)
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Fri, 05 Apr 2024 15:30:31 -0400
+
+openssh (1:9.6p1-3ubuntu12) noble; urgency=medium
+
+  * No-change rebuild for CVE-2024-3094
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 31 Mar 2024 09:23:28 +0000
+
+openssh (1:9.6p1-3ubuntu11) noble; urgency=medium
+
+  * d/t/ssh-gssapi: make the test a bit more rebust (LP: #2058276):
+    - deal with return codes
+    - match a more specific success expression from the logs
+    - add klist output in the case of failure
+
+ -- Andreas Hasenack <andreas@canonical.com>  Mon, 18 Mar 2024 10:25:15 -0300
+
+openssh (1:9.6p1-3ubuntu10) noble; urgency=medium
+
+  * Build again with gnome.
+
+ -- Matthias Klose <doko@ubuntu.com>  Sat, 16 Mar 2024 19:30:41 +0100
+
+openssh (1:9.6p1-3ubuntu9) noble; urgency=medium
+
+  * d/p/gssapi.patch: fix method_gsskeyex structure and
+    userauth_gsskeyex function regarding changes introduced in upstream
+    commit dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for
+    multiple names for authmethods") (LP: #2053146)
+  * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic
+    and gssapi-keyex authentication methods
+
+ -- Andreas Hasenack <andreas@canonical.com>  Fri, 15 Mar 2024 16:18:01 -0300
+
+openssh (1:9.6p1-3ubuntu8) noble; urgency=medium
+
+  * No-change rebuild against libcom-err2
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 Mar 2024 20:34:07 +0000
+
+openssh (1:9.6p1-3ubuntu7) noble; urgency=medium
+
+  * No-change rebuild against libglib2.0-0t64
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 11 Mar 2024 23:25:42 +0000
+
+openssh (1:9.6p1-3ubuntu6) noble; urgency=medium
+
+  * No-change rebuild against libglib2.0-0t64
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 08 Mar 2024 06:32:05 +0000
+
+openssh (1:9.6p1-3ubuntu5) noble; urgency=medium
+
+  * debian/systemd/ssh.service: restore RuntimeDirectory=sshd (LP: #2055806)
+    We started using a tmpfile in Ubuntu when we invoked sshd -G in
+    openssh-server.postinst as a part of migration to systemd socket activation.
+    Since we use a generator now, instead of invoking sshd -G, we no longer need
+    this change.
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Thu, 07 Mar 2024 13:59:57 -0500
+
+openssh (1:9.6p1-3ubuntu5~ppa2) noble; urgency=medium
+
+  * Build without gnome.
+
+ -- Matthias Klose <doko@ubuntu.com>  Tue, 05 Mar 2024 15:53:05 +0100
+
+openssh (1:9.6p1-3ubuntu4) noble; urgency=medium
+
+  * No-change rebuild against libssl3t64
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Mar 2024 20:31:25 +0000
+
+openssh (1:9.6p1-3ubuntu3) noble; urgency=medium
+
+  * Add sshd-socket-generator to generate ssh.socket drop-in configuration
+    instead of doing one-time generation on package upgrade:
+    - debian/control: Build-Depends: systemd-dev
+    - d/p/sshd-socket-generator.patch: add generator for socket activation
+    - debian/openssh-server.install: install sshd-socket-generator
+    - debian/openssh-server.postinst: handle migration to sshd-socket-generator
+    - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
+    - ssh.socket: adjust unit for socket activation by default
+    - debian/README.Debian: update ssh.socket documentation
+    - debian/rules: explicitly enable LTO
+      The armhf build was not using LTO, which made sshd-socket-generator FTBFS.
+      This change ensures that all arches are using LTO.
+  * Drop the following changes related to previous ssh socket activation approach:
+    - debian/openssh-server.postrm: remove systemd drop-ins for
+      socket-activated sshd on purge
+    - debian/openssh-server.templates: include debconf prompt explaining
+      when migration cannot happen due to multiple ListenAddress values
+    - debian/openssh-server.postinst: handle migration of sshd_config options
+      to systemd socket options on upgrade.
+    - debian/patches/socket-activation-documentation.patch: Document in
+      sshd_config(5) that ListenAddress and Port no longer work.
+  * debian/openssh-server.ucf-md5sum: update for new Ubuntu delta
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Wed, 21 Feb 2024 12:51:30 -0500
+
+openssh (1:9.6p1-3ubuntu2) noble; urgency=medium
+
+  [ Marco Trevisan (Treviño) ]
+  * debian/patches: Immediately report interactive instructions to PAM clients
+  * debian/patches: sshconnect2: Write kbd-interactive messages as utf-8
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 15 Feb 2024 11:13:03 +0100
+
+openssh (1:9.6p1-3ubuntu1) noble; urgency=medium
+
+  * Merge with Debian unstable (LP: #2040406). Remaining changes:
+    - debian/rules: modify dh_installsystemd invocations for
+      socket-activated sshd.
+    - debian/openssh-server.postinst: handle migration of sshd_config
+      options to systemd socket options on upgrade.
+    - debian/README.Debian: document systemd socket activation.
+    - debian/patches/socket-activation-documentation.patch: Document
+      in sshd_config(5) that ListenAddress and Port no longer work.
+    - debian/openssh-server.templates: include debconf prompt
+      explaining when migration cannot happen due to multiple
+      ListenAddress values.
+    - debian/.gitignore: drop file.
+    - debian/openssh-server.postrm: remove systemd drop-ins for
+      socket-activated sshd on purge.
+    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
+    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
+      /run/sshd creation out of the systemd unit to a tmpfile config
+      so that sshd can be run manually if necessary without having to
+      create this directory by hand.
+    - debian/patches/systemd-socket-activation.patch: Fix sshd
+      re-execution behavior when socket activation is used.
+    - debian/tests/systemd-socket-activation: Add autopkgtest
+      for systemd socket activation functionality.
+    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no
+      for some tests.
+  * Dropped changes, fixed upstream:
+    - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3
+      (LP #2049552)
+
+ -- Miriam España Acebal <miriam.espana@canonical.com>  Mon, 29 Jan 2024 11:16:31 +0100
+
 openssh (1:9.6p1-3) unstable; urgency=medium
 
   * Allow passing extra ssh-agent arguments via
@@ -479,6 +852,59 @@ openssh (1:9.5p1-1) experimental; urgenc
 
  -- Colin Watson <cjwatson@debian.org>  Thu, 23 Nov 2023 17:38:07 +0000
 
+openssh (1:9.4p1-1ubuntu2) noble; urgency=medium
+
+  * d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using
+    zlib 1.3 (LP: #2049552).
+
+ -- Miriam España Acebal <miriam.espana@canonical.com>  Wed, 17 Jan 2024 20:00:55 +0100
+
+openssh (1:9.4p1-1ubuntu1) noble; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - debian/rules: modify dh_installsystemd invocations for
+      socket-activated sshd
+    - debian/openssh-server.postinst: handle migration of sshd_config options
+      to systemd socket options on upgrade.
+    - debian/README.Debian: document systemd socket activation.
+    - debian/patches/socket-activation-documentation.patch: Document in
+      sshd_config(5) that ListenAddress and Port no longer work.
+    - debian/openssh-server.templates: include debconf prompt explaining
+      when migration cannot happen due to multiple ListenAddress values
+    - debian/.gitignore: drop file
+    - debian/openssh-server.postrm: remove systemd drop-ins for
+      socket-activated sshd on purge
+    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
+    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
+      /run/sshd creation out of the systemd unit to a tmpfile config so
+      that sshd can be run manually if necessary without having to create
+      this directory by hand.
+    - debian/patches/systemd-socket-activation.patch: Fix sshd
+      re-execution behavior when socket activation is used
+    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
+      activation functionality.
+    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
+  * Dropped changes, fixed upstream:
+    - d/p/fix-authorized-principals-command.patch: Fix the situation where
+      sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
+      is also set by checking if the value pointed to by the pointer
+      'charptr' is NULL.
+    - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
+      to load a PKCS#11 provider that isn't a PKCS#11 provider in
+      ssh-pkcs11.c.
+    - debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
+      FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
+    - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
+      contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
+  * Dropped changes, affected package versions not published in supported
+    releases:
+    - debian/openssh-server.postint: do not try to restart systemd units,
+      and instead indicate that a reboot is required
+    - debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
+    - debian/rules: Do not stop ssh.socket on upgrade
+
+ -- Nick Rosbrook <enr0n@ubuntu.com>  Mon, 13 Nov 2023 12:47:29 -0500
+
 openssh (1:9.4p1-1) unstable; urgency=medium
 
   * New upstream release (https://www.openssh.com/releasenotes.html#9.4p1):
@@ -567,6 +993,62 @@ openssh (1:9.3p2-1) unstable; urgency=hi
 
  -- Colin Watson <cjwatson@debian.org>  Wed, 19 Jul 2023 22:49:14 +0100
 
+openssh (1:9.3p1-1ubuntu3) mantic; urgency=medium
+
+  * d/p/fix-authorized-principals-command.patch: Fix the situation where
+    sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
+    is also set by checking if the value pointed to by the pointer
+    'charptr' is NULL. (LP: #2031942)
+
+ -- Michal Maloszewski <michal.maloszewski@canonical.com>  Thu, 24 Aug 2023 15:20:27 +0200
+
+openssh (1:9.3p1-1ubuntu2) mantic; urgency=medium
+
+  * SECURITY UPDATE: remote code execution relating to PKCS#11 providers
+    - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
+      to load a PKCS#11 provider that isn't a PKCS#11 provider in
+      ssh-pkcs11.c.
+    - debian/patches/CVE-2023-38408-2.patch: disallow remote addition of
+      FIDO/PKCS11 provider in ssh-agent.1, ssh-agent.c.
+    - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
+      contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
+    - CVE-2023-38408
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 24 Jul 2023 15:01:06 -0400
+
+openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium
+
+  * Merge with Debian unstable (LP: #2025664). Remaining changes:
+    - debian/rules: modify dh_installsystemd invocations for
+      socket-activated sshd
+    - debian/openssh-server.postinst: handle migration of sshd_config options
+      to systemd socket options on upgrade.
+    - debian/README.Debian: document systemd socket activation.
+    - debian/patches/socket-activation-documentation.patch: Document in
+      sshd_config(5) that ListenAddress and Port no longer work.
+    - debian/openssh-server.templates: include debconf prompt explaining
+      when migration cannot happen due to multiple ListenAddress values
+    - debian/.gitignore: drop file
+    - debian/openssh-server.postrm: remove systemd drop-ins for
+      socket-activated sshd on purge
+    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
+    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
+      /run/sshd creation out of the systemd unit to a tmpfile config so
+      that sshd can be run manually if necessary without having to create
+      this directory by hand.
+    - debian/patches/systemd-socket-activation.patch: Fix sshd
+      re-execution behavior when socket activation is used
+    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
+      activation functionality.
+    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
+    - Ensure smooth upgrade path from versions affected by LP: #2020474:
+      + debian/openssh-server.postint: do not try to restart systemd units,
+        and instead indicate that a reboot is required
+      + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
+      + debian/rules: Do not stop ssh.socket on upgrade
+
+ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Mon, 03 Jul 2023 11:34:47 -0400
+
 openssh (1:9.3p1-1) unstable; urgency=medium
 
   * Debconf translations:
@@ -624,6 +1106,64 @@ openssh (1:9.3p1-1) unstable; urgency=me
 
  -- Colin Watson <cjwatson@debian.org>  Tue, 20 Jun 2023 01:01:48 +0100
 
+openssh (1:9.2p1-2ubuntu3) mantic; urgency=medium
+
+  * Fix upgrade of openssh-server with active ssh session (LP: #2020474)
+    - debian/patches/systemd-socket-activation.patch:
+      + Do force closing of listen sockets in child process
+      + Set rexec_flag = 0 when sshd is socket-activated so that child process
+        does not re-exec
+    - debian/openssh-server.postint:
+      + When upgrading from affected versions of openssh, do not try to
+        restart systemd units, and instead indicate that a reboot is required
+    - debian/tests/systemd-socket-activation:
+      + Reboot the testbed before starting the test
+    - debian/rules:
+      + Do not stop ssh.socket on upgrade
+  * d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
+
+ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Wed, 24 May 2023 18:02:11 -0400
+
+openssh (1:9.2p1-2ubuntu2) mantic; urgency=medium
+
+  * debian/README.Debian: Fix path of addresses.conf drop-in
+
+ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Tue, 23 May 2023 10:50:35 -0400
+
+openssh (1:9.2p1-2ubuntu1) mantic; urgency=medium
+
+  * Merge with Debian unstable (LP: #2018094). Remaining changes:
+    - debian/rules: modify dh_installsystemd invocations for
+      socket-activated sshd
+    - debian/openssh-server.postinst: handle migration of sshd_config options
+      to systemd socket options on upgrade.
+    - debian/README.Debian: document systemd socket activation.
+    - debian/patches/socket-activation-documentation.patch: Document in
+      sshd_config(5) that ListenAddress and Port no longer work.
+    - debian/openssh-server.templates: include debconf prompt explaining
+      when migration cannot happen due to multiple ListenAddress values
+    - debian/.gitignore: drop file
+    - debian/openssh-server.postrm: remove systemd drop-ins for
+      socket-activated sshd on purge
+    - debian/openssh-server.ucf-md5sum: Update list of stock sshd_config
+      checksums to include those from jammy and kinetic.
+    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
+      /run/sshd creation out of the systemd unit to a tmpfile config so
+      that sshd can be run manually if necessary without having to create
+      this directory by hand.
+    - debian/patches/systemd-socket-activation.patch: Fix sshd
+      re-execution behavior when socket activation is used
+    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
+      activation functionality.
+  * Dropped changes, included in Debian:
+    - debian/patches/systemd-socket-activation.patch: Initial implementation
+  * New changes:
+    - debian/README.Debian: mention drop-in configurations in instructions
+      for disabling sshd socket activation (LP: #2017434).
+    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
+
+ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Fri, 19 May 2023 15:18:17 -0400
+
 openssh (1:9.2p1-2) unstable; urgency=medium
 
   * Fix mistakenly-unreleased entry for 1:9.2p1-1 in debian/NEWS.
@@ -875,6 +1415,105 @@ openssh (1:9.1p1-1) unstable; urgency=me
 
  -- Colin Watson <cjwatson@debian.org>  Mon, 14 Nov 2022 16:25:45 +0000
 
+openssh (1:9.0p1-1ubuntu8.1) lunar; urgency=medium
+
+  * debian/patches/systemd-socket-activation.patch: Fix re-execution behavior
+    (LP: #2011458):
+    - Remove FD_CLOEXEC on fds passed by systemd to prevent automatic closing
+      when sshd re-executes.
+    - Do not manually close fds passed by systemd when re-executing.
+    - Only call sd_listen_fds() once, and only in the parent process.
+    - Check the LISTEN_FDS environment variable to get the number of fds
+      passed by systemd when re-executing as a child process.
+  * debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
+    activation functionality.
+
+ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Fri, 31 Mar 2023 12:44:32 -0400
+
+openssh (1:9.0p1-1ubuntu8) lunar; urgency=medium
+
+  * debian/openssh-server.postinst: Fix handling of ListenAddress when a port
+    is specified (LP: #1993478):
+    - Strip port before converting hostnames to numerical addresses.
+    - Only append ports when the ListenAddress does not already specify a
+      port.
+    - Revert socket migration on upgrade if a previous version did the
+      migration when it should not have.
+  * debian/openssh-server.postinst: Ignore empty directory failure from rmdir
+    when skipping socket migration (LP: #1995294).
+
+ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Tue, 25 Oct 2022 11:57:43 -0400
+
+openssh (1:9.0p1-1ubuntu7) kinetic; urgency=medium
+
+  * Update list of stock sshd_config checksums to include those from
+    jammy and kinetic.
+  * Add a workaround for LP: #1990863 (now fixed in livecd-rootfs) to
+    avoid spurious ucf prompts on upgrade.
+  * Move /run/sshd creation out of the systemd unit to a tmpfile config
+    so that sshd can be run manually if necessary without having to create
+    this directory by hand.  LP: #1991283.
+
+  [ Nick Rosbrook ]
+  * debian/openssh-server.postinst: Fix addresses.conf generation when only
+    non-default Port is used in /etc/ssh/sshd_config (LP: #1991199).
+
+ -- Steve Langasek <vorlon@debian.org>  Mon, 26 Sep 2022 21:55:14 +0000
+
+openssh (1:9.0p1-1ubuntu6) kinetic; urgency=medium
+
+  * Fix syntax error in postinst :/
+
+ -- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:51:32 +0000
+
+openssh (1:9.0p1-1ubuntu5) kinetic; urgency=medium
+
+  * Correctly handle the case of new installs, and correctly apply systemd
+    unit overrides on upgrade from existing kinetic systems.
+
+ -- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:45:18 +0000
+
+openssh (1:9.0p1-1ubuntu4) kinetic; urgency=medium
+
+  * Don't migrate users to socket activation if multiple ListenAddresses
+    might make sshd unreliable on boot.
+  * Fix regexp bug that prevented proper migration of IPv6 address settings.
+
+ -- Steve Langasek <vorlon@debian.org>  Fri, 23 Sep 2022 19:35:37 +0000
+
+openssh (1:9.0p1-1ubuntu3) kinetic; urgency=medium
+
+  * Document in the default sshd_config file the changes in behavior 
+    triggered by use of socket-based activation.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 26 Aug 2022 00:40:11 +0000
+
+openssh (1:9.0p1-1ubuntu2) kinetic; urgency=medium
+
+  * Fix manpage to not claim socket-based activation is the default on
+    Debian!
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 26 Aug 2022 00:21:42 +0000
+
+openssh (1:9.0p1-1ubuntu1) kinetic; urgency=medium
+
+  * debian/patches/systemd-socket-activation.patch: support systemd
+    socket activation.
+  * debian/systemd/ssh.socket, debian/systemd/ssh.service: use socket
+    activation by default.
+  * debian/rules: rejigger dh_installsystemd invocations so ssh.service and
+    ssh.socket don't fight.
+  * debian/openssh-server.postinst: handle migration of sshd_config options
+    to systemd socket options on upgrade.
+  * debian/README.Debian: document systemd socket activation.
+  * debian/patches/socket-activation-documentation.patch: Document in
+    sshd_config(5) that ListenAddress and Port no longer work.
+  * debian/openssh-server.templates, debian/openssh-server.postinst: include
+    debconf warning about possible service failure with multiple
+    ListenAddress settings.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 19 Aug 2022 20:43:16 +0000
+
 openssh (1:9.0p1-1) unstable; urgency=medium
 
   * New upstream release (https://www.openssh.com/releasenotes.html#9.0p1):
diff -pruN 1:9.9p1-3/debian/control 1:9.9p1-3ubuntu3.1/debian/control
--- 1:9.9p1-3/debian/control	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/control	2024-11-13 21:55:08.000000000 +0000
@@ -1,7 +1,8 @@
 Source: openssh
 Section: net
 Priority: standard
-Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
 Build-Depends:
  debhelper (>= 13.1~),
  debhelper-compat (= 13),
@@ -19,6 +20,7 @@ Build-Depends:
  libwrap0-dev | libwrap-dev,
  pkgconf,
  zlib1g-dev,
+ systemd-dev,
 Standards-Version: 4.6.2
 Uploaders:
  Colin Watson <cjwatson@debian.org>,
diff -pruN 1:9.9p1-3/debian/openssh-server.install 1:9.9p1-3ubuntu3.1/debian/openssh-server.install
--- 1:9.9p1-3/debian/openssh-server.install	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/openssh-server.install	2024-11-13 21:55:08.000000000 +0000
@@ -21,3 +21,5 @@ debian/systemd/ssh-session-cleanup usr/l
 # dh_apport would be neater, but at the time of writing it isn't in unstable
 # yet.
 debian/openssh-server.apport => usr/share/apport/package-hooks/openssh-server.py
+
+usr/lib/systemd/system-generators/sshd-socket-generator
diff -pruN 1:9.9p1-3/debian/openssh-server.links 1:9.9p1-3ubuntu3.1/debian/openssh-server.links
--- 1:9.9p1-3/debian/openssh-server.links	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/openssh-server.links	2024-11-13 21:55:08.000000000 +0000
@@ -0,0 +1,2 @@
+# Full alias of sshd.service -> ssh.service
+usr/lib/systemd/system/ssh.service usr/lib/systemd/system/sshd.service 
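Review bot: The second line of the new links file ends in a trailing space after `sshd.service`; dh_link splits fields on whitespace, so the intended symlink is most likely still created, but trim it so a later edit cannot turn the stray space into a third field. The comment's direction (`sshd.service -> ssh.service`) matches the target/link order on the line below it, so only the whitespace needs attention.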
diff -pruN 1:9.9p1-3/debian/openssh-server.postinst 1:9.9p1-3ubuntu3.1/debian/openssh-server.postinst
--- 1:9.9p1-3/debian/openssh-server.postinst	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/openssh-server.postinst	2024-11-13 21:55:08.000000000 +0000
@@ -120,6 +120,17 @@ fi
 
 #DEBHELPER#
 
+if [ -d /run/systemd/system ]; then
+        # sshd-socket-generator is invoked on daemon-reload.
+        systemctl daemon-reload
+
+        if deb-systemd-helper --quiet was-enabled ssh.socket; then
+                deb-systemd-invoke restart ssh.socket
+        elif deb-systemd-helper --quiet was-enabled ssh.service; then
+                deb-systemd-invoke restart ssh.service
+        fi
+fi
+
 db_stop
 
 exit 0
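Review bot: The restart block runs on every postinst action rather than only `configure`, unless the script already dispatches on `$1` above the hunk (that part of the file is outside this hunk); as written, `abort-upgrade` and `abort-remove` invocations would also daemon-reload and bounce the listener. Changing the outer test to `if [ "$1" = configure ] && [ -d /run/systemd/system ]; then` confines it to the path the comment on the daemon-reload line describes. Separately, postinst scripts normally run under `set -e`, and systemd declines to start a socket unit whose service is already active, so if a connection has already activated ssh.service the `deb-systemd-invoke restart ssh.socket` branch may fail and abort configuration; confirm how the shipped ssh.socket/ssh.service pair behaves here and, if it does fail, restart ssh.service together with the socket in that branch. A one-line comment on the `was-enabled` checks saying that the socket is preferred over the service when both are enabled would also help the next maintainer.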
diff -pruN 1:9.9p1-3/debian/openssh-server.ucf-md5sum 1:9.9p1-3ubuntu3.1/debian/openssh-server.ucf-md5sum
--- 1:9.9p1-3/debian/openssh-server.ucf-md5sum	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/openssh-server.ucf-md5sum	2024-11-19 16:39:52.000000000 +0000
@@ -103,14 +103,50 @@ cc873ab3ccc9cf3a3830c3c0728c0d0b
 9f1bec115595c0f76282d80abe5d9bcc
 ae1a449c8adb31cb603e28fda5342696
 
+# From 1:8.4p1-5
+6dbdc3a27e1953d209f929df7aff0c57
+0ef8c8fe6a3afd12382dbb93cd7bbb4e
+ae1a449c8adb31cb603e28fda5342696
+9f1bec115595c0f76282d80abe5d9bcc
+
 # From 1:8.7p1-1:
 fe83fd23553510bb632dc8e6e35ab41a
 d96ecd9064ea650c44372a5a33d3e497
 7fdb195ac56e0bf1992e18ac656811af
 4e03b4df60cd00c651777ec14ff76aef
 
+# From 1:8.9p1-3
+30e0fe758429c57d35a5e71dbd8dd2f8
+23a8a2b1a8f1538be49eb86313367191
+133f5f0119fbf5716b7d72048b25ea71
+697a81708f11897cb0fef857563dee55
+
+# From 1:9.0p1-1ubuntu3
+90ace5da6c7eb3041732930972662f34
+b2c07b86695152141e84f44e4414104a
+e7b9120b6e68c5666ac21a0cc03d4806
+9389be84e67cd5a91b97de5ff03c9306
+
 # From 1:9.2p1-1:
 b8e751f62cf86a18bc30cdaae494b03f
 b89c8626d43128cdb233536439e00566
 5f589fb3658df8cb7cce8505cf821e40
 8d7588b06f81ef23bea8d84442af8e68
+
+# From 1:9.2p1-2ubuntu1
+fac56840f6697a357368bb878dd8fb87
+d01da8c9de75176095712d4e37d5dcd5
+e4898846045f33b8d99d3263d6f6fd81
+ec46dc59ba9c9e9458add405264fcedd
+
+# From 1:9.6p1-3ubuntu14
+34911c87d0265fac304f81dd18b3315a
+acd776b76167d9f68d73ae3bea442301
+b406c0095997e46bd903a196415fb7b8
+9dadbac410278f47b12c5f8b8c6875c2
+
+# From 1:9.9p1-3ubuntu2
+c76f16c1b828c313dc36a990dbbdb059
+575a06949374ac0fbc75d2bf1efe8939
+19dd35b5a0d50889607d6bf96fe8fc64
+a6bf802c59e39d53728afcbb4edc7004
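Review bot: The new `# From 1:8.4p1-5` block repeats two checksums that are already listed directly above it (`ae1a449c8adb31cb603e28fda5342696` and `9f1bec115595c0f76282d80abe5d9bcc` appear in the preceding block and again on the last two lines of the new one), so those two lines add nothing and can be dropped. The new headings also omit the trailing colon that `# From 1:8.7p1-1:` and `# From 1:9.2p1-1:` use; either form is only a comment, but one convention per file reads better.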
diff -pruN 1:9.9p1-3/debian/patches/CVE-2025-26465.patch 1:9.9p1-3ubuntu3.1/debian/patches/CVE-2025-26465.patch
--- 1:9.9p1-3/debian/patches/CVE-2025-26465.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/CVE-2025-26465.patch	2025-02-18 13:47:27.000000000 +0000
@@ -0,0 +1,153 @@
+Backport of:
+
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: [PATCH] upstream: Fix cases where error codes were not correctly set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+---
+ krl.c           | 4 +++-
+ ssh-agent.c     | 7 ++++++-
+ ssh-sk-client.c | 4 +++-
+ sshconnect2.c   | 7 +++++--
+ sshsig.c        | 3 ++-
+ 5 files changed, 19 insertions(+), 6 deletions(-)
+
+--- a/krl.c
++++ b/krl.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: krl.c,v 1.59 2023/07/17 05:22:30 djm Exp $ */
++/* $OpenBSD: krl.c,v 1.60 2025/02/18 08:02:48 djm Exp $ */
+ /*
+  * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+  *
+@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_ce
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
++				r = SSH_ERR_INVALID_FORMAT;
+ 				error_f("insane bitmap gap");
+ 				goto out;
+ 			}
+@@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
+ 	}
+ 
+ 	if ((krl = ssh_krl_init()) == NULL) {
++		r = SSH_ERR_ALLOC_FAIL;
+ 		error_f("alloc failed");
+ 		goto out;
+ 	}
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1208,6 +1208,7 @@ parse_key_constraint_extension(struct ss
+ 	    "restrict-destination-v00@openssh.com") == 0) {
+ 		if (*dcsp != NULL) {
+ 			error_f("%s already set", ext_name);
++			r = SSH_ERR_INVALID_FORMAT;
+ 			goto out;
+ 		}
+ 		if ((r = sshbuf_froms(m, &b)) != 0) {
+@@ -1217,6 +1218,7 @@ parse_key_constraint_extension(struct ss
+ 		while (sshbuf_len(b) != 0) {
+ 			if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
+ 				error_f("too many %s constraints", ext_name);
++				r = SSH_ERR_INVALID_FORMAT;
+ 				goto out;
+ 			}
+ 			*dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
+@@ -1234,6 +1236,7 @@ parse_key_constraint_extension(struct ss
+ 		}
+ 		if (*certs != NULL) {
+ 			error_f("%s already set", ext_name);
++			r = SSH_ERR_INVALID_FORMAT;
+ 			goto out;
+ 		}
+ 		if ((r = sshbuf_get_u8(m, &v)) != 0 ||
+@@ -1245,6 +1248,7 @@ parse_key_constraint_extension(struct ss
+ 		while (sshbuf_len(b) != 0) {
+ 			if (*ncerts >= AGENT_MAX_EXT_CERTS) {
+ 				error_f("too many %s constraints", ext_name);
++				r = SSH_ERR_INVALID_FORMAT;
+ 				goto out;
+ 			}
+ 			*certs = xrecallocarray(*certs, *ncerts, *ncerts + 1,
+@@ -1741,6 +1745,7 @@ process_ext_session_bind(SocketEntry *e)
+ 	/* record new key/sid */
+ 	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
+ 		error_f("too many session IDs recorded");
++		r = -1;
+ 		goto out;
+ 	}
+ 	e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
+--- a/ssh-sk-client.c
++++ b/ssh-sk-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-sk-client.c,v 1.12 2022/01/14 03:34:00 djm Exp $ */
++/* $OpenBSD: ssh-sk-client.c,v 1.13 2025/02/18 08:02:48 djm Exp $ */
+ /*
+  * Copyright (c) 2019 Google LLC
+  *
+@@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider
+ 		}
+ 		if ((srk = calloc(1, sizeof(*srk))) == NULL) {
+ 			error_f("calloc failed");
++			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		srk->key = key;
+@@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider
+ 		if ((tmp = recallocarray(srks, nsrks, nsrks + 1,
+ 		    sizeof(*srks))) == NULL) {
+ 			error_f("recallocarray keys failed");
++			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		debug_f("srks[%zu]: %s %s uidlen %zu", nsrks,
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -99,7 +99,7 @@ verify_host_key_callback(struct sshkey *
+ 	    options.required_rsa_size)) != 0)
+ 		fatal_r(r, "Bad server host key");
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+-	    xxx_conn_info) == -1)
++	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+ 	return 0;
+ }
+@@ -766,6 +766,7 @@ input_userauth_pk_ok(int type, u_int32_t
+ 
+ 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug_f("server sent unknown pkalg %s", pkalg);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -776,6 +777,7 @@ input_userauth_pk_ok(int type, u_int32_t
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 
+@@ -795,6 +797,7 @@ input_userauth_pk_ok(int type, u_int32_t
+ 		    SSH_FP_DEFAULT);
+ 		error_f("server replied with unknown key: %s %s",
+ 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	ident = format_identity(id);
+--- a/sshsig.c
++++ b/sshsig.c
+@@ -874,6 +874,7 @@ cert_filter_principals(const char *path,
+ 	}
+ 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ 		error_f("buffer error");
++		r = SSH_ERR_ALLOC_FAIL;
+ 		goto out;
+ 	}
+ 	/* success */
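Review bot: The new patch carries no DEP-3 headers beyond the raw upstream commit message: `Backport of:` on the first line says a backport was made but not from where or what was adapted, and there is no `Origin:`, `Bug:` or `Last-Update:` line, whereas the auth-pam patches added in the same upload each carry `Origin:`. Adding `Origin: backport, upstream commit 0832aac79517611dd4de93ad0a83577994d9c907` (the id already quoted in the header) plus a sentence on what was changed for 9.9p1 would make the provenance checkable. The same applies to CVE-2025-26466.patch and CVE-2025-32728.patch further down; CVE-2025-26466.patch additionally keeps the `diff --git`/`index` lines that the debian-config.patch refresh in this same upload strips, so the three files are also inconsistent with each other on that point.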
diff -pruN 1:9.9p1-3/debian/patches/CVE-2025-26466.patch 1:9.9p1-3ubuntu3.1/debian/patches/CVE-2025-26466.patch
--- 1:9.9p1-3/debian/patches/CVE-2025-26466.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/CVE-2025-26466.patch	2025-02-18 13:47:34.000000000 +0000
@@ -0,0 +1,37 @@
+From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:12 +0000
+Subject: [PATCH] upstream: Don't reply to PING in preauth phase or during KEX
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
+---
+ packet.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/packet.c b/packet.c
+index 486f8515746e..9dea2cfc5188 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: packet.c,v 1.317 2024/08/23 04:51:00 deraadt Exp $ */
++/* $OpenBSD: packet.c,v 1.318 2025/02/18 08:02:12 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1864,6 +1864,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 			if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
+ 				return r;
+ 			DBG(debug("Received SSH2_MSG_PING len %zu", len));
++			if (!ssh->state->after_authentication) {
++				DBG(debug("Won't reply to PING in preauth"));
++				break;
++			}
++			if (ssh_packet_is_rekeying(ssh)) {
++				DBG(debug("Won't reply to PING during KEX"));
++				break;
++			}
+ 			if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
+ 			    (r = sshpkt_put_string(ssh, d, len)) != 0 ||
+ 			    (r = sshpkt_send(ssh)) != 0)
diff -pruN 1:9.9p1-3/debian/patches/CVE-2025-32728.patch 1:9.9p1-3ubuntu3.1/debian/patches/CVE-2025-32728.patch
--- 1:9.9p1-3/debian/patches/CVE-2025-32728.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/CVE-2025-32728.patch	2025-04-11 11:32:22.000000000 +0000
@@ -0,0 +1,37 @@
+Backport of:
+
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: [PATCH] upstream: Fix logic error in DisableForwarding option. This
+ option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+---
+ session.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/session.c
++++ b/session.c
+@@ -2176,7 +2176,8 @@ session_auth_agent_req(struct ssh *ssh,
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2571,7 +2572,7 @@ session_setup_x11fwd(struct ssh *ssh, Se
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
diff -pruN 1:9.9p1-3/debian/patches/auth-Add-KbdintResult-definition-to-define-result-values-.patch 1:9.9p1-3ubuntu3.1/debian/patches/auth-Add-KbdintResult-definition-to-define-result-values-.patch
--- 1:9.9p1-3/debian/patches/auth-Add-KbdintResult-definition-to-define-result-values-.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/auth-Add-KbdintResult-definition-to-define-result-values-.patch	2024-11-13 21:55:08.000000000 +0000
@@ -0,0 +1,98 @@
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
+Date: Tue, 17 Oct 2023 04:04:13 +0200
+Subject: auth: Add KbdintResult definition to define result values explicitly
+
+kbdint result vfunc may return various values, so use an enum to make it
+clearer what each result means without having to dig into the struct
+documentation.
+
+Origin: https://github.com/openssh/openssh-portable/pull/452
+---
+ auth-bsdauth.c |  2 +-
+ auth-pam.c     | 10 +++++-----
+ auth.h         |  5 +++++
+ auth2-chall.c  |  4 ++--
+ 4 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/auth-bsdauth.c
++++ b/auth-bsdauth.c
+@@ -111,7 +111,7 @@
+ 	authctxt->as = NULL;
+ 	debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
+ 
+-	return (authok == 0) ? -1 : 0;
++	return (authok == 0) ? KbdintResultFailure : KbdintResultSuccess;
+ }
+ 
+ static void
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -990,15 +990,15 @@
+ 	switch (ctxt->pam_done) {
+ 	case 1:
+ 		sshpam_authenticated = 1;
+-		return (0);
++		return KbdintResultSuccess;
+ 	case 0:
+ 		break;
+ 	default:
+-		return (-1);
++		return KbdintResultFailure;
+ 	}
+ 	if (num != 1) {
+ 		error("PAM: expected one response, got %u", num);
+-		return (-1);
++		return KbdintResultFailure;
+ 	}
+ 	if ((buffer = sshbuf_new()) == NULL)
+ 		fatal("%s: sshbuf_new failed", __func__);
+@@ -1015,10 +1015,10 @@
+ 	}
+ 	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) {
+ 		sshbuf_free(buffer);
+-		return (-1);
++		return KbdintResultFailure;
+ 	}
+ 	sshbuf_free(buffer);
+-	return (1);
++	return KbdintResultAgain;
+ }
+ 
+ static void
+--- a/auth.h
++++ b/auth.h
+@@ -51,6 +51,7 @@
+ typedef struct Authctxt Authctxt;
+ typedef struct Authmethod Authmethod;
+ typedef struct KbdintDevice KbdintDevice;
++typedef int KbdintResult;
+ 
+ struct Authctxt {
+ 	sig_atomic_t	 success;
+@@ -116,6 +117,10 @@
+ 	int	(*userauth)(struct ssh *, const char *);
+ };
+ 
++#define KbdintResultFailure -1
++#define KbdintResultSuccess 0
++#define KbdintResultAgain 1
++
+ /*
+  * Keyboard interactive device:
+  * init_ctx	returns: non NULL upon success
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -331,11 +331,11 @@
+ 	free(response);
+ 
+ 	switch (res) {
+-	case 0:
++	case KbdintResultSuccess:
+ 		/* Success! */
+ 		authenticated = authctxt->valid ? 1 : 0;
+ 		break;
+-	case 1:
++	case KbdintResultAgain:
+ 		/* Authentication needs further interaction */
+ 		if (send_userauth_info_request(ssh) == 1)
+ 			authctxt->postponed = 1;
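Review bot: The subject says the result values become an enum, but the auth.h hunk adds `typedef int KbdintResult;` plus three `#define`s, so the compiler cannot check the `switch (res)` in auth2-chall.c against the set of values the way it could with an enum. If macros were chosen deliberately — keeping the `respond` vfunc's declared `int` return type unchanged, for instance — say so in the description; otherwise `enum KbdintResult { KbdintResultFailure = -1, KbdintResultSuccess = 0, KbdintResultAgain = 1 };` matches what the subject promises. The auth-pam patch that follows (`auth-pam: Add an enum to define the PAM done status`) has the same subject/code mismatch with `SshPamDone`.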
diff -pruN 1:9.9p1-3/debian/patches/auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch 1:9.9p1-3ubuntu3.1/debian/patches/auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch
--- 1:9.9p1-3/debian/patches/auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch	2024-10-30 15:51:53.000000000 +0000
@@ -0,0 +1,73 @@
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
+Date: Mon, 16 Oct 2023 21:15:45 +0200
+Subject: auth-pam: Add an enum to define the PAM done status
+
+Makes things more readable and easier to extend
+
+Origin: https://github.com/openssh/openssh-portable/pull/452
+---
+ auth-pam.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index 86137a1..2129163 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t;
+ #define pthread_join	fake_pthread_join
+ #endif
+ 
++typedef int SshPamDone;
++#define SshPamError -1
++#define SshPamNone 0
++#define SshPamAuthenticated 1
++
+ struct pam_ctxt {
+ 	sp_pthread_t	 pam_thread;
+ 	int		 pam_psock;
+ 	int		 pam_csock;
+-	int		 pam_done;
++	SshPamDone	 pam_done;
+ };
+ 
+ static void sshpam_free_ctx(void *);
+@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
+ 				**prompts = NULL;
+ 				*num = 0;
+ 				**echo_on = 0;
+-				ctxt->pam_done = -1;
++				ctxt->pam_done = SshPamError;
+ 				free(msg);
+ 				sshbuf_free(buffer);
+ 				return 0;
+@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
+ 				import_environments(buffer);
+ 				*num = 0;
+ 				**echo_on = 0;
+-				ctxt->pam_done = 1;
++				ctxt->pam_done = SshPamAuthenticated;
+ 				free(msg);
+ 				sshbuf_free(buffer);
+ 				return (0);
+@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info,
+ 			*num = 0;
+ 			**echo_on = 0;
+ 			free(msg);
+-			ctxt->pam_done = -1;
++			ctxt->pam_done = SshPamError;
+ 			sshbuf_free(buffer);
+ 			return (-1);
+ 		}
+@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
+ 
+ 	debug2("PAM: %s entering, %u responses", __func__, num);
+ 	switch (ctxt->pam_done) {
+-	case 1:
++	case SshPamAuthenticated:
+ 		sshpam_authenticated = 1;
+ 		return KbdintResultSuccess;
+-	case 0:
++	case SshPamNone:
+ 		break;
+ 	default:
+ 		return KbdintResultFailure;
diff -pruN 1:9.9p1-3/debian/patches/auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch 1:9.9p1-3ubuntu3.1/debian/patches/auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch
--- 1:9.9p1-3/debian/patches/auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch	2024-10-30 15:51:53.000000000 +0000
@@ -0,0 +1,23 @@
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
+Date: Tue, 17 Oct 2023 04:35:17 +0200
+Subject: auth-pam: Add debugging information when we receive PAM messages
+
+Origin: https://github.com/openssh/openssh-portable/pull/452
+---
+ auth-pam.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index 2129163..7a72e72 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
+ 			break;
+ 		case PAM_ERROR_MSG:
+ 		case PAM_TEXT_INFO:
++			debug3("PAM: Got message of type %d: %s",
++			       PAM_MSG_MEMBER(msg, i, msg_style),
++			       PAM_MSG_MEMBER(msg, i, msg));
+ 			if ((r = sshbuf_put_cstring(buffer,
+ 			    PAM_MSG_MEMBER(msg, i, msg))) != 0)
+ 				fatal("%s: buffer error: %s",
diff -pruN 1:9.9p1-3/debian/patches/auth-pam-Immediately-report-interactive-instructions-to-c.patch 1:9.9p1-3ubuntu3.1/debian/patches/auth-pam-Immediately-report-interactive-instructions-to-c.patch
--- 1:9.9p1-3/debian/patches/auth-pam-Immediately-report-interactive-instructions-to-c.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/auth-pam-Immediately-report-interactive-instructions-to-c.patch	2024-10-30 15:51:53.000000000 +0000
@@ -0,0 +1,73 @@
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
+Date: Tue, 17 Oct 2023 04:27:32 +0200
+Subject: auth-pam: Immediately report interactive instructions to clients
+
+SSH keyboard-interactive authentication method supports instructions but
+sshd didn't show them until an user prompt was requested.
+
+This is quite inconvenient for various PAM modules that need to notify
+an user without requiring for their explicit input.
+
+So, properly implement RFC4256 making instructions to be shown to users
+when they are requested from PAM.
+
+Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
+
+Origin: https://github.com/openssh/openssh-portable/pull/452
+---
+ auth-pam.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index 7a72e72..b756f0e 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -140,6 +140,7 @@ typedef int SshPamDone;
+ #define SshPamError -1
+ #define SshPamNone 0
+ #define SshPamAuthenticated 1
++#define SshPamAgain 2
+ 
+ struct pam_ctxt {
+ 	sp_pthread_t	 pam_thread;
+@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info,
+ 	**prompts = NULL;
+ 	plen = 0;
+ 	*echo_on = xmalloc(sizeof(u_int));
++	ctxt->pam_done = SshPamNone;
++
+ 	while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
+ 		if (++nmesg > PAM_MAX_NUM_MSG)
+ 			fatal_f("too many query messages");
+@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info,
+ 			return (0);
+ 		case PAM_ERROR_MSG:
+ 		case PAM_TEXT_INFO:
+-			/* accumulate messages */
+-			len = plen + mlen + 2;
+-			**prompts = xreallocarray(**prompts, 1, len);
+-			strlcpy(**prompts + plen, msg, len - plen);
+-			plen += mlen;
+-			strlcat(**prompts + plen, "\n", len - plen);
+-			plen++;
+-			free(msg);
+-			break;
++			*num = 0;
++			free(*info);
++			*info = msg; /* Steal the message */
++			msg = NULL;
++			ctxt->pam_done = SshPamAgain;
++			sshbuf_free(buffer);
++			return (0);
+ 		case PAM_ACCT_EXPIRED:
+ 		case PAM_MAXTRIES:
+ 			if (type == PAM_ACCT_EXPIRED)
+@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp)
+ 		return KbdintResultSuccess;
+ 	case SshPamNone:
+ 		break;
++	case SshPamAgain:
++		return KbdintResultAgain;
+ 	default:
+ 		return KbdintResultFailure;
+ 	}
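Review bot: With the accumulation code removed, `plen` is assigned at the top of the hunk (`plen = 0;`) but nothing left in the hunk reads it; if no other use survives in sshpam_query (the rest of the function is outside the hunk), drop that assignment and its declaration, and likewise `len`, so the build does not pick up unused-variable warnings. The behavioural change also deserves a sentence in the patch description: a PAM_ERROR_MSG or PAM_TEXT_INFO is now delivered to the client as the `info` field of an info request with zero prompts as soon as the module emits it, rather than being held until the next prompt, so module text reaches a client that has not yet authenticated even when no further prompt follows, and administrators reviewing what their PAM stack prints should know that. Finally, `free(*info); *info = msg;` relies on `*info` already being NULL or heap-allocated; that initialisation is outside the hunk, so it is worth confirming.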
diff -pruN 1:9.9p1-3/debian/patches/debian-config.patch 1:9.9p1-3ubuntu3.1/debian/patches/debian-config.patch
--- 1:9.9p1-3/debian/patches/debian-config.patch	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/debian-config.patch	2024-11-19 16:34:40.000000000 +0000
@@ -47,11 +47,9 @@ Patch-Name: debian-config.patch
  sshd_config.5        | 31 ++++++++++++++++++++++++++++++-
  7 files changed, 100 insertions(+), 10 deletions(-)
 
-diff --git a/readconf.c b/readconf.c
-index d3c3056ef..90bf74f32 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2773,7 +2773,7 @@ fill_default_options(Options * options)
+@@ -2773,7 +2773,7 @@
  	if (options->forward_x11 == -1)
  		options->forward_x11 = 0;
  	if (options->forward_x11_trusted == -1)
@@ -60,11 +58,9 @@ index d3c3056ef..90bf74f32 100644
  	if (options->forward_x11_timeout == -1)
  		options->forward_x11_timeout = 1200;
  	/*
-diff --git a/regress/test-exec.sh b/regress/test-exec.sh
-index 7afc28072..02b122a85 100644
 --- a/regress/test-exec.sh
 +++ b/regress/test-exec.sh
-@@ -622,6 +622,7 @@ cat << EOF > $OBJ/sshd_config
+@@ -622,6 +622,7 @@
  	Subsystem	sftp	$SFTPSERVER
  	SshdSessionPath		$SSHD_SESSION
  	PerSourcePenalties	no
@@ -72,11 +68,9 @@ index 7afc28072..02b122a85 100644
  EOF
  
  # This may be necessary if /usr/src and/or /usr/obj are group-writable,
-diff --git a/ssh.1 b/ssh.1
-index 3ad246c27..9ca6e18e2 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -863,6 +863,16 @@ directive in
+@@ -863,6 +863,16 @@
  .Xr ssh_config 5
  for more information.
  .Pp
@@ -93,7 +87,7 @@ index 3ad246c27..9ca6e18e2 100644
  .It Fl x
  Disables X11 forwarding.
  .Pp
-@@ -871,6 +881,20 @@ Enables trusted X11 forwarding.
+@@ -871,6 +881,20 @@
  Trusted X11 forwardings are not subjected to the X11 SECURITY extension
  controls.
  .Pp
@@ -114,8 +108,6 @@ index 3ad246c27..9ca6e18e2 100644
  .It Fl y
  Send log information using the
  .Xr syslog 3
-diff --git a/ssh_config b/ssh_config
-index 16197d15d..92d06ef38 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -17,9 +17,12 @@
@@ -139,11 +131,9 @@ index 16197d15d..92d06ef38 100644
 +    SendEnv LANG LC_*
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
-diff --git a/ssh_config.5 b/ssh_config.5
-index 86258eb4f..9adc0fdb7 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
+@@ -71,6 +71,29 @@
  host-specific declarations should be given near the beginning of the
  file, and general defaults at the end.
  .Pp
@@ -173,7 +163,7 @@ index 86258eb4f..9adc0fdb7 100644
  The file contains keyword-argument pairs, one per line.
  Lines starting with
  .Ql #
-@@ -903,11 +926,12 @@ elapsed.
+@@ -903,11 +926,12 @@
  .It Cm ForwardX11Trusted
  If this option is set to
  .Cm yes ,
@@ -187,20 +177,30 @@ index 86258eb4f..9adc0fdb7 100644
  remote X11 clients will be considered untrusted and prevented
  from stealing or tampering with data belonging to trusted X11
  clients.
-diff --git a/sshd_config b/sshd_config
-index ecfe8d026..677f97d5d 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -10,6 +10,8 @@
+@@ -9,6 +9,20 @@
+ # OpenSSH is to specify options with their default value where
  # possible, but leave them commented.  Uncommented options override the
  # default value.
- 
++#
++# In general, the first uncommented definition of an option takes precedence.
++# For options that accept multiple values, like 'Port', subsequent definitions
++# are appended to the configuration.
++#
++# Note that the above implies that configuration options from snippets in
++# /etc/ssh/sshd_config.d/*.conf take precedence over those defined in this
++# file. In addition, configuration snippet files are processed in lexical
++# order, so options defined in files with names that sort earlier take
++# precedence.
++#
++# Such configuration snippets may be present in default installations of
++# Ubuntu.
 +Include /etc/ssh/sshd_config.d/*.conf
-+
+ 
  #Port 22
  #AddressFamily any
- #ListenAddress 0.0.0.0
-@@ -57,8 +59,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -57,8 +71,9 @@
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
  
@@ -212,7 +212,7 @@ index ecfe8d026..677f97d5d 100644
  
  # Kerberos options
  #KerberosAuthentication no
-@@ -81,16 +84,16 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -81,16 +96,16 @@
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and KbdInteractiveAuthentication to 'no'.
@@ -232,7 +232,7 @@ index ecfe8d026..677f97d5d 100644
  #PrintLastLog yes
  #TCPKeepAlive yes
  #PermitUserEnvironment no
-@@ -107,8 +110,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -107,8 +122,11 @@
  # no default banner path
  #Banner none
  
@@ -245,11 +245,9 @@ index ecfe8d026..677f97d5d 100644
  
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
-diff --git a/sshd_config.5 b/sshd_config.5
-index e177e4af8..2887ed531 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
+@@ -56,6 +56,35 @@
  .Pq \&"
  in order to represent arguments containing spaces.
  .Pp
@@ -285,7 +283,7 @@ index e177e4af8..2887ed531 100644
  The possible
  keywords and their meanings are as follows (note that
  keywords are case-insensitive and arguments are case-sensitive):
-@@ -1865,7 +1894,7 @@ Overrides the default path to the
+@@ -1865,7 +1894,7 @@
  .Cm sshd-session
  binary that is invoked to handle each connection.
  The default is
diff -pruN 1:9.9p1-3/debian/patches/series 1:9.9p1-3ubuntu3.1/debian/patches/series
--- 1:9.9p1-3/debian/patches/series	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/series	2025-04-11 11:31:55.000000000 +0000
@@ -28,3 +28,13 @@ configure-cache-vars.patch
 pam-avoid-unknown-host.patch
 mlkem768x25519-big-endian-1.patch
 mlkem768x25519-big-endian-2.patch
+auth-Add-KbdintResult-definition-to-define-result-values-.patch
+auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch
+auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch
+auth-pam-Immediately-report-interactive-instructions-to-c.patch
+sshconnect2-Write-kbd-interactive-service-info-and-instru.patch
+sshd-socket-generator.patch
+test-set-UsePAM-no-on-some-tests.patch
+CVE-2025-26465.patch
+CVE-2025-26466.patch
+CVE-2025-32728.patch
diff -pruN 1:9.9p1-3/debian/patches/sshconnect2-Write-kbd-interactive-service-info-and-instru.patch 1:9.9p1-3ubuntu3.1/debian/patches/sshconnect2-Write-kbd-interactive-service-info-and-instru.patch
--- 1:9.9p1-3/debian/patches/sshconnect2-Write-kbd-interactive-service-info-and-instru.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/sshconnect2-Write-kbd-interactive-service-info-and-instru.patch	2024-11-13 21:55:08.000000000 +0000
@@ -0,0 +1,108 @@
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
+Date: Tue, 17 Oct 2023 06:12:03 +0200
+Subject: sshconnect2: Write kbd-interactive service,
+ info and instructions as utf-8
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+As per the previous server change now the keyboard-interactive service
+and instruction values could be reported as soon as they are available
+and so they're not prompts anymore and not parsed like them.
+
+While this was already supported by the SSH client, these messages were
+not properly written as the escaped sequences they contained were not
+correctly reported.
+
+So for example a message containing "\" was represented as "\\" and
+similarly for all the other C escape sequences.
+
+This was leading to more problems when it come to utf-8 chars, as they
+were only represented by their octal representation.
+
+This was easily testable by adding a line like the one below to the
+sshd PAM service:
+  auth    requisite pam_echo.so Hello SSHD! Want some 🍕?
+
+Which was causing this to be written instead:
+  Hello SSHD! Want some \360\237\215\225?
+
+To handle this, instead of simply using fmprintf, we're using the notifier
+in a way can be exposed to users in the proper format and UI.
+
+Origin: https://github.com/openssh/openssh-portable/pull/452
+---
+ sshconnect2.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index cb584ad..7b9959d 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1231,6 +1231,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
+ 	char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
+ 	char prompt[256];
+ 	const char *host;
++	size_t info_len;
+ 	int r;
+ 
+ 	debug2("input_userauth_passwd_changereq");
+@@ -1240,11 +1241,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
+ 		    "no authentication context");
+ 	host = options.host_key_alias ? options.host_key_alias : authctxt->host;
+ 
+-	if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
++	if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 ||
+ 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
+ 		goto out;
+-	if (strlen(info) > 0)
+-		logit("%s", info);
++	if (info_len > 0) {
++		struct notifier_ctx *notifier = NULL;
++		debug_f("input_userauth_passwd_changereq info: %s", info);
++		notifier = notify_start(0, "%s", info);
++		notify_complete(notifier, NULL);
++	}
+ 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
+ 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
+ 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
+@@ -2098,8 +2103,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
+ 	Authctxt *authctxt = ssh->authctxt;
+ 	char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
+ 	char *display_prompt = NULL, *response = NULL;
++	struct notifier_ctx *notifier = NULL;
+ 	u_char echo = 0;
+ 	u_int num_prompts, i;
++	size_t name_len, inst_len;
+ 	int r;
+ 
+ 	debug2_f("entering");
+@@ -2109,14 +2116,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
+ 
+ 	authctxt->info_req_seen = 1;
+ 
+-	if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
+-	    (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
++	if ((r = sshpkt_get_cstring(ssh, &name, &name_len)) != 0 ||
++	    (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 ||
+ 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
+ 		goto out;
+-	if (strlen(name) > 0)
+-		logit("%s", name);
+-	if (strlen(inst) > 0)
+-		logit("%s", inst);
++	if (name_len > 0) {
++		debug_f("kbd int name: %s", name);
++		notifier = notify_start(0, "%s", name);
++		notify_complete(notifier, NULL);
++		notifier = NULL;
++	}
++	if (inst_len > 0) {
++		debug_f("kbd int inst: %s", inst);
++		notifier = notify_start(0, "%s", inst);
++		notify_complete(notifier, NULL);
++		notifier = NULL;
++	}
+ 
+ 	if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
+ 		goto out;
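Review bot: Replacing `logit("%s", info)` with `notify_start(0, "%s", info)` in the `info_len > 0` block (and likewise for `name` and `inst` in input_userauth_info_req) removes the escaping the log path applied: the octal rendering the description complains about is how log output neutralises non-printable bytes, and all three strings arrive from the server. Unless notify_start() strips control characters before writing to the terminal (its body is not visible here), server-supplied escape sequences now reach the user's terminal unfiltered; confirm that sanitisation exists, or run the string through a UTF-8-aware vis-style filter that keeps printable multibyte characters and drops C0/C1 controls before calling notify_start(). As a style point, input_userauth_passwd_changereq declares `struct notifier_ctx *notifier` inside the if block while input_userauth_info_req hoists it to function scope; one convention would be easier to follow. Both enclosing functions continue outside the hunk.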
diff -pruN 1:9.9p1-3/debian/patches/sshd-socket-generator.patch 1:9.9p1-3ubuntu3.1/debian/patches/sshd-socket-generator.patch
--- 1:9.9p1-3/debian/patches/sshd-socket-generator.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/sshd-socket-generator.patch	2024-11-19 17:06:14.000000000 +0000
@@ -0,0 +1,405 @@
+--- /dev/null
++++ b/sshd-socket-generator.c
+@@ -0,0 +1,314 @@
++#include <errno.h>
++#include <linux/limits.h>
++#include <netdb.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/socket.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++
++#include "includes.h"
++
++#include "hostfile.h"   /* Needs to be included before auth.h */
++#include "auth.h"
++#include "kex.h"
++#include "log.h"
++#include "misc.h"
++#include "monitor.h"
++#include "ssh-gss.h"    /* Needs to be included before monitor_wrap.h */
++#include "monitor_wrap.h"
++#include "pathnames.h"
++#include "servconf.h"
++#include "sshbuf.h"
++
++#define MAX_LISTEN_STREAMS      (16)
++#define MAX_LISTEN_STREAM_LEN   (NI_MAXHOST + NI_MAXSERV + sizeof("ListenAddress=[:]") + 1)
++typedef char listen_stream_set[MAX_LISTEN_STREAMS][MAX_LISTEN_STREAM_LEN];
++
++/* Global variables required for sshd config parsing. */
++ServerOptions options = {};
++struct sshbuf *cfg = NULL;
++struct include_list includes = TAILQ_HEAD_INITIALIZER(includes);
++
++/* Other global variables that are required for this to build, because of their
++ * use throughout the codebase. We do NOT use these variables for the
++ * generator. */
++Authctxt *the_authctxt = NULL;
++int privsep_is_preauth = 1;
++int use_privsep = -1;
++struct monitor *pmonitor = NULL;
++struct ssh *the_active_state = NULL;
++struct sshauthopt *auth_opts = NULL;
++struct sshbuf *loginmsg = NULL;
++
++static int listen_stream_set_append(listen_stream_set set, const char *listen_stream) {
++        size_t n;
++
++        if (!set)
++                return -EINVAL;
++
++        n = strnlen(listen_stream, MAX_LISTEN_STREAM_LEN);
++        if (n == MAX_LISTEN_STREAM_LEN)
++                return -EINVAL;
++
++        for (int i = 0; i < MAX_LISTEN_STREAMS; i++) {
++                if (strcmp(set[i], listen_stream) == 0)
++                        return 0;
++
++                if (strnlen(set[i], MAX_LISTEN_STREAM_LEN) > 0)
++                        continue;
++
++                memcpy(set[i], listen_stream, n);
++
++                return 0;
++        }
++
++        return -E2BIG;
++}
++
++static int listen_stream_set_len(listen_stream_set set) {
++        int r = 0;
++
++        if (!set)
++                return 0;
++
++        for (int i = 0; i < MAX_LISTEN_STREAMS; i++) {
++                if (strnlen(set[i], MAX_LISTEN_STREAM_LEN) > 0)
++                        r++;
++                else
++                        break;
++        }
++
++        return r;
++}
++
++static char *path_append(const char *base, const char *append) {
++        bool add_slash;
++        size_t n = 0, len_base, len_append;
++        char *path = NULL;
++
++        len_base = strnlen(base, PATH_MAX);
++        len_append = strnlen(append, PATH_MAX);
++        add_slash = base[len_base - 1] != '/';
++
++        path = calloc(len_base + len_append + (add_slash ? 2 : 1), sizeof(char));
++        if (!path)
++                return NULL;
++
++        memcpy(path, base, len_base);
++        n += len_base;
++
++        if (add_slash)
++                path[n++] = '/';
++
++        memcpy(path + n, append, len_append);
++        n += len_append;
++        path[n] = '\0';
++
++        return path;
++}
++
++static int fflush_and_check(FILE *f) {
++        errno = 0;
++        fflush(f);
++
++        if (ferror(f))
++                return errno > 0 ? -errno : -EIO;
++
++        return 0;
++}
++
++static bool listen_addr_is_default(int family, const char *addr, const char *port) {
++        if (family != AF_UNSPEC)
++                return false;
++
++        if (strcmp(addr, "0.0.0.0") != 0 && strcmp(addr, "::") != 0)
++                return false;
++
++        if (strcmp(port, "22") != 0)
++                return false;
++
++        return true;
++}
++
++static int write_systemd_socket_file(const char *destdir) {
++        bool have_custom_config = false;
++        listen_stream_set listen_streams = {};
++        int num_listen_streams, family = options.address_family;
++        char *conf = NULL, *overridedir = NULL;
++        FILE *f = NULL;
++        int r;
++
++        overridedir = path_append(destdir, "ssh.socket.d");
++        if (!overridedir) {
++                r = -ENOMEM;
++                goto out;
++        }
++
++        if (mkdir(overridedir, 0755) < 0 && errno != EEXIST) {
++                r = -errno;
++                goto out;
++        }
++
++        conf = path_append(overridedir, "addresses.conf");
++        if (!conf) {
++                r = -ENOMEM;
++                goto out;
++        }
++
++        f = fopen(conf, "we");
++        if (!f) {
++                r = -errno;
++                goto out;
++        }
++
++        fprintf(f,
++                "# Automatically generated by sshd-socket-generator\n"
++                "\n[Socket]\n"
++                "ListenStream=\n");
++
++        for (u_int i = 0; i < options.num_listen_addrs; i++) {
++                for (struct addrinfo *ai = options.listen_addrs[i].addrs; ai; ai = ai->ai_next) {
++                        char addr[NI_MAXHOST] = {}, port[NI_MAXSERV] = {},
++                             listen_stream[MAX_LISTEN_STREAM_LEN] = {};
++
++                        r = getnameinfo(ai->ai_addr, ai->ai_addrlen,
++                                        addr, sizeof(addr),
++                                        port, sizeof(port),
++                                        NI_NUMERICHOST|NI_NUMERICSERV);
++                        if (r != 0) {
++                                fprintf(stderr, "%s\n", gai_strerror(r));
++                                r = r == EAI_SYSTEM ? -errno : -EINVAL;
++                                goto out;
++                        }
++
++
++                        if (family != AF_UNSPEC && family != ai->ai_family) {
++                                fprintf(stderr, "Skipping address %s, wrong address family", addr);
++                                continue;
++                        }
++
++                        /* The default [Socket] section of ssh.socket is:
++                         *
++                         * [Socket]
++                         * ListenStream=[::]:22
++                         * ListenStream=0.0.0.0:22
++                         * BindIPv6Only=ipv6-only
++                         * Accept=no
++                         * FreeBind=yes
++                         *
++                         * ...
++                         *
++                         * As this corresponds to the default /etc/ssh/sshd_config settings:
++                         *
++                         * # Port 22
++                         * # AddressFamily any
++                         * # ListenAddress 0.0.0.0
++                         * # ListenAddress ::
++                         *
++                         * ...
++                         *
++                         * Only create an override if the config would differ from the above. */
++                        if (!listen_addr_is_default(family, addr, port))
++                                have_custom_config = true;
++
++                        snprintf(listen_stream,
++                                 MAX_LISTEN_STREAM_LEN,
++                                 "ListenStream=%s%s%s:%s",
++                                 ai->ai_family == AF_INET6 ? "[" : "",
++                                 addr,
++                                 ai->ai_family == AF_INET6 ? "]" : "",
++                                 port);
++
++                        r = listen_stream_set_append(listen_streams, listen_stream);
++                        if (r < 0)
++                                goto out;
++                }
++        }
++
++        num_listen_streams = listen_stream_set_len(listen_streams);
++
++        if (num_listen_streams <= 0 || !have_custom_config) {
++                /* We didn't generate anything useful, so clean up and leave
++                 * ssh.socket as-is. */
++                r = -ENODATA;
++                goto out;
++        }
++
++        for (int i = 0; i < num_listen_streams; i++)
++                fprintf(f, "%s\n", listen_streams[i]);
++
++        r = fflush_and_check(f);
++        if (r < 0)
++                goto out;
++
++out:
++        if (f)
++                fclose(f);
++
++        if (r < 0) {
++                (void) remove(conf);
++                (void) remove(overridedir);
++        }
++
++        free(overridedir);
++        free(conf);
++
++        return r;
++}
++
++static int parse_sshd_config_options() {
++        cfg = sshbuf_new();
++        if (!cfg)
++                return -ENOMEM;
++
++	initialize_server_options(&options);
++        load_server_config(_PATH_SERVER_CONFIG_FILE, cfg);
++        parse_server_config(&options, _PATH_SERVER_CONFIG_FILE, cfg, &includes, NULL, 0);
++        fill_default_server_options(&options);
++
++        return 0;
++}
++
++int main(int argc, char **argv) {
++        const char *destdir = NULL;
++        int r;
++
++        if (argc < 2) {
++                fprintf(stderr, "Expected at least one argument.\n");
++
++                return EXIT_FAILURE;
++        }
++
++        destdir = argv[1];
++
++        r = parse_sshd_config_options();
++        if (r < 0) {
++                fprintf(stderr, "Faild to parse sshd config: %s\n", strerror(-r));
++
++                return EXIT_FAILURE;
++        }
++
++        if (options.num_listen_addrs <= 0) {
++                /* No listen addresses configured? Don't generate anything. */
++                fprintf(stderr, "No listen addresses configured. Will not generate anything.\n");
++
++                return EXIT_SUCCESS;
++        }
++
++        r = write_systemd_socket_file(destdir);
++        if (r == -ENODATA) {
++                fprintf(stderr, "No custom listen addresses configured. Will not generated anything.\n");
++
++                return EXIT_SUCCESS;
++        }
++        if (r < 0) {
++                fprintf(stderr, "Failed to generate ssh.socket: %s\n", strerror(-r));
++
++                return EXIT_FAILURE;
++        }
++
++        return EXIT_SUCCESS;
++}
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -17,6 +17,7 @@
+ top_srcdir=@top_srcdir@
+ abs_top_srcdir=@abs_top_srcdir@
+ abs_top_builddir=@abs_top_builddir@
++systemd_system_generator_dir=$(shell pkg-config --variable=systemd_system_generator_dir systemd)
+ 
+ DESTDIR=
+ VPATH=@srcdir@
+@@ -71,7 +72,7 @@
+ 
+ .SUFFIXES: .lo
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) sshd-socket-generator$(EXEEXT)
+ 
+ XMSS_OBJS=\
+ 	ssh-xmss.o \
+@@ -141,6 +142,16 @@
+ 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
+ 	sandbox-solaris.o uidswap.o $(SKOBJS)
+ 
++SSHD_SOCKET_GEN_OBJS=sshd-socket-generator.o \
++	platform.o servconf.o groupaccess.o audit.o audit-linux.o \
++	auth2.o auth2-none.o auth2-gss.o \
++	auth2-passwd.o auth2-kbdint.o auth2-hostbased.o auth2-methods.o \
++	auth-options.o uidswap.o auth2-pubkey.o auth.o \
++	auth2-pubkeyfile.o auth-rhosts.o auth-passwd.o \
++	gss-serv.o auth2-chall.o auth-pam.o gss-serv-krb5.o \
++	loginrec.o auth-krb5.o auth-shadow.o \
++	monitor.o monitor_wrap.o
++
+ SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o
+ 
+ SCP_OBJS=	scp.o progressmeter.o $(SFTP_CLIENT_OBJS)
+@@ -220,6 +231,9 @@
+ sshd-session$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHD_SESSION_OBJS)
+ 	$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+ 
++sshd-socket-generator$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SOCKET_GEN_OBJS)
++	$(LD) -o $@ $(SSHD_SOCKET_GEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
++
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
+ 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+@@ -402,6 +416,7 @@
+ 	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ 	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ 	$(MKDIR_P) $(DESTDIR)$(libexecdir)
++	$(MKDIR_P) $(DESTDIR)$(systemd_system_generator_dir)
+ 	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -432,6 +447,7 @@
+ 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+ 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ 	$(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
++	$(INSTALL) -m 0755 $(STRIP_OPT) sshd-socket-generator$(EXEEXT) $(DESTDIR)$(systemd_system_generator_dir)/sshd-socket-generator$(EXEEXT)
+ 
+ install-sysconf:
+ 	$(MKDIR_P) $(DESTDIR)$(sysconfdir)
+@@ -489,6 +505,7 @@
+ 	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+ 	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ 	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
++	-rm -f $(DESTDIR)$(systemd_system_generator_dir)/sshd-socket-generator$(EXEEXT)
+ 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+ 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+--- a/sshd_config
++++ b/sshd_config
+@@ -24,6 +24,15 @@
+ # Ubuntu.
+ Include /etc/ssh/sshd_config.d/*.conf
+ 
++# When systemd socket activation is used (the default), the socket
++# configuration must be re-generated after changing Port, AddressFamily, or
++# ListenAddress.
++#
++# For changes to take effect, run:
++#
++#   systemctl daemon-reload
++#   systemctl restart ssh.socket
++#
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
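Review bot: path_append() evaluates `base[len_base - 1]` before checking that `len_base` is non-zero, so an empty `destdir` (main takes argv[1] without validation) indexes one byte before the string; guard it with `add_slash = len_base > 0 && base[len_base - 1] != '/';` or reject an empty base up front. In the Makefile.in hunk, `systemd_system_generator_dir=$(shell pkg-config --variable=systemd_system_generator_dir systemd)` has no fallback, so when pkg-config or the systemd .pc file is absent the variable is empty and the install target writes `$(DESTDIR)/sshd-socket-generator` at the filesystem root; a fallback default or an `$(if ...)` guard that fails the build would be safer. In write_systemd_socket_file the "Skipping address %s, wrong address family" message lacks a trailing newline, and main's "Faild to parse sshd config" and "Will not generated anything" messages have typos. The indentation of `initialize_server_options(&options);` in parse_sshd_config_options() uses a tab where the rest of the file uses spaces.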
diff -pruN 1:9.9p1-3/debian/patches/systemd-socket-activation.patch 1:9.9p1-3ubuntu3.1/debian/patches/systemd-socket-activation.patch
--- 1:9.9p1-3/debian/patches/systemd-socket-activation.patch	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/systemd-socket-activation.patch	2024-11-13 21:55:08.000000000 +0000
@@ -1,28 +1,25 @@
-From ea15be5452914d4dcf291228c73e7dfa4550537b Mon Sep 17 00:00:00 2001
 From: Steve Langasek <steve.langasek@ubuntu.com>
 Date: Thu, 1 Sep 2022 16:03:37 +0100
 Subject: Support systemd socket activation
 
-Unlike inetd socket activation, with systemd socket activation the
-supervisor passes the listened-on socket to the child process and lets
-the child process handle the accept().  This lets us do delayed start
-of the sshd daemon without becoming incompatible with config options
-like ClientAliveCountMax.
+Description: support systemd socket activation
+ Unlike inetd socket activation, with systemd socket activation the
+ supervisor passes the listened-on socket to the child process and lets
+ the child process handle the accept().  This lets us do delayed start
+ of the sshd daemon without becoming incompatible with config options
+ like ClientAliveCountMax.
 
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+Author: Nick Rosbrook <nick.rosbrook@canonical.com>
 Author: Colin Watson <cjwatson@debian.org>
-Last-Update: 2024-08-02
+Author: Marco Trevisan <marco@ubuntu.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2011458
+Last-Update: 2024-11-12
 
-Patch-Name: systemd-socket-activation.patch
 ---
- configure.ac |   1 +
- sshd.c       | 133 +++++++++++++++++++++++++++++++++++++++++++++------
- 2 files changed, 119 insertions(+), 15 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 90548dcfc..8b3a9776b 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -940,6 +940,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -940,6 +940,7 @@
  	AC_DEFINE([USE_BTMP])
  	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
  	AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
@@ -30,76 +27,107 @@ index 90548dcfc..8b3a9776b 100644
  	inet6_default_4in6=yes
  	case `uname -r` in
  	1.*|2.0.*)
-diff --git a/sshd.c b/sshd.c
-index 48b334c68..142310c07 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -93,10 +93,18 @@
+@@ -92,11 +92,18 @@
+ #include "addr.h"
  #include "srclimit.h"
  
++/* This will only get set if we build with systemd. */
++static int systemd_num_listen_fds;
++
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++#define SYSTEMD_LISTEN_FDS_START 3
++#endif
++
  /* Re-exec fds */
 -#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
 -#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
 -#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
 -#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
-+#ifdef SYSTEMD_SOCKET_ACTIVATION
-+static int get_systemd_listen_fds(void);
-+#define SYSTEMD_OFFSET get_systemd_listen_fds()
-+#define SYSTEMD_LISTEN_FDS_START 3
-+#else
-+#define SYSTEMD_OFFSET 0
-+#endif
-+
-+#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1 + SYSTEMD_OFFSET)
-+#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2 + SYSTEMD_OFFSET)
-+#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3 + SYSTEMD_OFFSET)
-+#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4 + SYSTEMD_OFFSET)
++#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1 + systemd_num_listen_fds)
++#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2 + systemd_num_listen_fds)
++#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3 + systemd_num_listen_fds)
++#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4 + systemd_num_listen_fds)
  
  extern char *__progname;
  
-@@ -740,6 +748,88 @@ send_rexec_state(int fd, struct sshbuf *conf)
+@@ -121,6 +128,7 @@
+  */
+ #define	MAX_LISTEN_SOCKS	16
+ static int listen_socks[MAX_LISTEN_SOCKS];
++static int listen_socks_no_close[MAX_LISTEN_SOCKS];
+ static int num_listen_socks = 0;
+ 
+ /*
+@@ -204,12 +212,16 @@
+  * Close all listening sockets
+  */
+ static void
+-close_listen_socks(void)
++close_listen_socks(int force)
+ {
+ 	int i;
+ 
+-	for (i = 0; i < num_listen_socks; i++)
++	for (i = 0; i < num_listen_socks; i++) {
++		if (listen_socks_no_close[i] > 0 && force <= 0)
++			continue;
++
+ 		close(listen_socks[i]);
++        }
+ 	num_listen_socks = 0;
+ }
+ 
+@@ -494,7 +506,7 @@
+ 	if (options.pid_file != NULL)
+ 		unlink(options.pid_file);
+ 	platform_pre_restart();
+-	close_listen_socks();
++	close_listen_socks(/* force = */ 0);
+ 	close_startup_pipes();
+ 	ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */
+ 	execv(saved_argv[0], saved_argv);
+@@ -740,6 +752,102 @@
  	debug3_f("done");
  }
  
 +#ifdef SYSTEMD_SOCKET_ACTIVATION
 +/*
 + * Get file descriptors passed by systemd; this implements the protocol
-+ * described in the NOTES section of sd_listen_fds(3).
-+ *
-+ * We deliberately return 0 on error, so that the return value can safely be
-+ * added as part of the REEXEC_*_FD macros without extra checks.
++ * described in the NOTES section of sd_listen_fds(3), with a few exceptions
++ * to handle our needs in sshd.
 + */
 +static int
-+get_systemd_listen_fds(void)
++get_systemd_listen_fds(int *ret_listen_fds, const char **ret_listen_fds_str)
 +{
-+	const char *listen_pid_str, *listen_fds_str;
 +	pid_t listen_pid;
-+	int listen_fds;
-+	const char *errstr = NULL;
-+	int fd;
++	const char *listen_pid_str = NULL, *listen_fds_str = NULL, *errstr = NULL;
++	int fd, listen_fds = 0;
 +
 +	listen_pid_str = getenv("LISTEN_PID");
 +	if (listen_pid_str == NULL)
-+		return 0;
++	        return -ENODATA;
 +	listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
-+	if (errstr != NULL || getpid() != listen_pid)
-+		return 0;
++	if (errstr != NULL)
++	        return -errno;
++	if (getpid() != listen_pid)
++	        return -ENODATA;
 +
 +	listen_fds_str = getenv("LISTEN_FDS");
 +	if (listen_fds_str == NULL)
-+		return 0;
++		return -ENODATA;
 +	listen_fds = (int)strtonum(listen_fds_str, 1,
 +	    INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr);
 +	if (errstr != NULL)
-+		return 0;
++		return -errno;
 +
-+	for (fd = SYSTEMD_LISTEN_FDS_START;
-+	    fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) {
-+		if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
-+			return 0;
-+	}
++	if (ret_listen_fds)
++		*ret_listen_fds = listen_fds;
++	if (ret_listen_fds_str)
++		*ret_listen_fds_str = listen_fds_str;
 +
-+	return listen_fds;
++	return 0;
 +}
 +
 +/*
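Review bot: get_systemd_listen_fds() now returns `-errno` when LISTEN_PID fails to parse, and the caller added later in this patch treats every error other than -ENODATA as fatal, so a malformed LISTEN_PID inherited from an unrelated parent aborts sshd where the old `return 0` ignored it; sd_listen_fds(3) semantics are that a LISTEN_PID that is not ours simply means the fds are not for us. Consider `if (errstr != NULL) return -ENODATA;` for the LISTEN_PID parse and keeping the fatal path for a matching pid with a bad LISTEN_FDS. The new `return -ENODATA;` and `return -errno;` lines in this function are indented with a tab followed by spaces while the surrounding file uses tabs only.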
@@ -108,7 +136,7 @@ index 48b334c68..142310c07 100644
 +static void
 +setup_systemd_socket(int listen_sock)
 +{
-+	int ret;
++	int flags, ret;
 +	struct sockaddr_storage addr;
 +	socklen_t len = sizeof(addr);
 +	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -133,10 +161,27 @@ index 48b334c68..142310c07 100644
 +		close(listen_sock);
 +		return;
 +	}
++
 +	/* Socket options */
 +	set_reuseaddr(listen_sock);
 +
++	/* systemd sets FD_CLOEXEC on the fds it passes to us, but we need this
++	 * to stay open across re-exec. */
++	flags = fcntl(listen_sock, F_GETFD);
++	if (flags < 0) {
++	        error("Failed to get fd flags: %s", strerror(errno));
++	        close(listen_sock);
++	        return;
++	}
++
++	if (fcntl(listen_sock, F_SETFD, flags & ~FD_CLOEXEC) < 0) {
++	        error("Failed to clear FD_CLOEXEC flag: %s", strerror(errno));
++	        close(listen_sock);
++	        return;
++	}
++
 +	listen_socks[num_listen_socks] = listen_sock;
++	listen_socks_no_close[num_listen_socks] = 1;
 +	num_listen_socks++;
 +
 +	logit("Server listening on %s port %s.", ntop, strport);
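Review bot: The append `listen_socks[num_listen_socks] = listen_sock;` has no visible `num_listen_socks >= MAX_LISTEN_SOCKS` check, and the server_listen loop later in this patch calls setup_systemd_socket() once per fd counted by LISTEN_FDS, which get_systemd_listen_fds() bounds only by INT_MAX - 3; the part of setup_systemd_socket between this hunk and the previous one is not shown, so if no guard exists there, more than MAX_LISTEN_SOCKS (16) systemd-passed sockets overrun listen_socks and listen_socks_no_close. Add `if (num_listen_socks >= MAX_LISTEN_SOCKS) fatal("Too many listen sockets. Enlarge MAX_LISTEN_SOCKS");` before the append unless it is already present earlier in the function. Clearing FD_CLOEXEC makes these fds inheritable by every exec from sshd, which the patch relies on for the SIGHUP re-exec; a comment here noting that the forked accept-path child drops them via close_listen_socks(1) would make the fd lifetime explicit for the next reader.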
@@ -146,17 +191,7 @@ index 48b334c68..142310c07 100644
  /*
   * Listen for TCP connections
   */
-@@ -819,6 +909,9 @@ static void
- server_listen(void)
- {
- 	u_int i;
-+#ifdef SYSTEMD_SOCKET_ACTIVATION
-+	int systemd_socket_count;
-+#endif
- 
- 	/* Initialise per-source limit tracking. */
- 	srclimit_init(options.max_startups,
-@@ -828,17 +921,27 @@ server_listen(void)
+@@ -828,17 +936,26 @@
  	    &options.per_source_penalty,
  	    options.per_source_penalty_exempt);
  
@@ -166,12 +201,16 @@ index 48b334c68..142310c07 100644
 -		free(options.listen_addrs[i].rdomain);
 -		memset(&options.listen_addrs[i], 0,
 -		    sizeof(options.listen_addrs[i]));
+-	}
+-	free(options.listen_addrs);
+-	options.listen_addrs = NULL;
+-	options.num_listen_addrs = 0;
+-
 +#ifdef SYSTEMD_SOCKET_ACTIVATION
-+	systemd_socket_count = get_systemd_listen_fds();
-+	if (systemd_socket_count > 0)
++	if (systemd_num_listen_fds > 0)
 +	{
 +		int i;
-+		for (i = 0; i < systemd_socket_count; i++)
++		for (i = 0; i < systemd_num_listen_fds; i++)
 +			setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i);
 +	} else
 +#endif
@@ -186,20 +225,144 @@ index 48b334c68..142310c07 100644
 +		free(options.listen_addrs);
 +		options.listen_addrs = NULL;
 +		options.num_listen_addrs = 0;
- 	}
--	free(options.listen_addrs);
--	options.listen_addrs = NULL;
--	options.num_listen_addrs = 0;
--
++	}
  	if (!num_listen_socks)
  		fatal("Cannot bind any address.");
  }
-@@ -1351,7 +1454,7 @@ main(int ac, char **av)
+@@ -894,7 +1011,7 @@
+ 		if (received_sigterm) {
+ 			logit("Received signal %d; terminating.",
+ 			    (int) received_sigterm);
+-			close_listen_socks();
++			close_listen_socks(/* force = */ 1);
+ 			if (options.pid_file != NULL)
+ 				unlink(options.pid_file);
+ 			exit(received_sigterm == SIGTERM ? 0 : 255);
+@@ -916,7 +1033,7 @@
+ 		if (received_sighup) {
+ 			if (!lameduck) {
+ 				debug("Received SIGHUP; waiting for children");
+-				close_listen_socks();
++				close_listen_socks(/* force = */ 0);
+ 				lameduck = 1;
+ 			}
+ 			if (listening <= 0) {
+@@ -1048,7 +1165,7 @@
+ 				 * connection without forking.
+ 				 */
+ 				debug("Server will not fork when running in debugging mode.");
+-				close_listen_socks();
++				close_listen_socks(/* force = */ 0);
+ 				*sock_in = *newsock;
+ 				*sock_out = *newsock;
+ 				close(startup_p[0]);
+@@ -1080,7 +1197,7 @@
+ 				platform_post_fork_child();
+ 				startup_pipe = startup_p[1];
+ 				close_startup_pipes();
+-				close_listen_socks();
++				close_listen_socks(/* force = */ 1);
+ 				*sock_in = *newsock;
+ 				*sock_out = *newsock;
+ 				log_init(__progname,
+@@ -1194,6 +1311,7 @@
+ 	int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
+ 	int need_chroot = 1;
+ 	char *fp, *line, *logfile = NULL, **rexec_argv = NULL;
++	const char *systemd_num_listen_fds_str;
+ 	struct stat sb;
+ 	u_int i, j;
+ 	mode_t new_umask;
+@@ -1348,10 +1466,17 @@
+ 			break;
+ 		}
+ 	}
++
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++	r = get_systemd_listen_fds(&systemd_num_listen_fds, &systemd_num_listen_fds_str);
++	if (r < 0 && r != -ENODATA)
++		fatal("Failed to get systemd socket fds: %s", strerror(-r));
++#endif
++
  	if (!test_flag && !inetd_flag && !do_dump_cfg && !path_absolute(av[0]))
  		fatal("sshd requires execution with an absolute path");
  
 -	closefrom(STDERR_FILENO + 1);
-+	closefrom(STDERR_FILENO + 1 + SYSTEMD_OFFSET);
++	closefrom(STDERR_FILENO + 1 + systemd_num_listen_fds);
  
  	/* Reserve fds we'll need later for reexec things */
  	if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1)
+@@ -1652,7 +1777,8 @@
+ 	/* Prepare arguments for sshd-session */
+ 	if (rexec_argc < 0)
+ 		fatal("rexec_argc %d < 0", rexec_argc);
+-	rexec_argv = xcalloc(rexec_argc + 3, sizeof(char *));
++
++	rexec_argv = xcalloc(rexec_argc + 3 + (systemd_num_listen_fds > 0 ? 2 : 0), sizeof(char *));
+ 	/* Point to the sshd-session binary instead of sshd */
+ 	rexec_argv[0] = options.sshd_session_path;
+ 	for (i = 1; i < (u_int)rexec_argc; i++) {
+@@ -1660,6 +1786,12 @@
+ 		rexec_argv[i] = saved_argv[i];
+ 	}
+ 	rexec_argv[rexec_argc++] = "-R";
++
++	if (systemd_num_listen_fds > 0) {
++		rexec_argv[rexec_argc++] = "-N";
++		rexec_argv[rexec_argc++] = systemd_num_listen_fds_str;
++	}
++
+ 	rexec_argv[rexec_argc] = NULL;
+ 	if (stat(rexec_argv[0], &sb) != 0 || !(sb.st_mode & (S_IXOTH|S_IXUSR)))
+ 		fatal("%s does not exist or is not executable", rexec_argv[0]);
+--- a/sshd-session.c
++++ b/sshd-session.c
+@@ -117,11 +117,18 @@
+ int deny_severity;
+ #endif /* LIBWRAP */
+ 
++/* This will only get set if we build with systemd. */
++static int systemd_num_listen_fds;
++
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++#define SYSTEMD_LISTEN_FDS_START 3
++#endif
++
+ /* Re-exec fds */
+-#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+-#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
+-#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
+-#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
++#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1 + systemd_num_listen_fds)
++#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2 + systemd_num_listen_fds)
++#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3 + systemd_num_listen_fds)
++#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4 + systemd_num_listen_fds)
+ 
+ extern char *__progname;
+ 
+@@ -920,7 +927,7 @@
+ 
+ 	/* Parse command-line arguments. */
+ 	while ((opt = getopt(ac, av,
+-	    "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtV")) != -1) {
++	    "C:E:b:c:f:g:h:k:o:p:u:N:46DGQRTdeiqrtV")) != -1) {
+ 		switch (opt) {
+ 		case '4':
+ 			options.address_family = AF_INET;
+@@ -1023,6 +1030,16 @@
+ 			fprintf(stderr, "%s, %s\n",
+ 			    SSH_RELEASE, SSH_OPENSSL_VERSION);
+ 			exit(0);
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++		case 'N':
++			const char *errstr = NULL;
++
++			systemd_num_listen_fds = (int)strtonum(optarg, 1, INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr);
++			if (errstr != NULL)
++        			fatal("Invalid number of systemd listen FDs: %s", errstr);
++
++			break;
++#endif
+ 		default:
+ 			usage();
+ 			break;
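Review bot: In sshd-session.c the new `case 'N':` is followed directly by the declaration `const char *errstr = NULL;`; a declaration immediately after a label is only valid C from C23 onward and older compilers reject it, so wrap the case body in braces (`case 'N': { ... break; }`). In sshd.c, `const char *systemd_num_listen_fds_str;` is declared without an initialiser and only assigned under `#ifdef SYSTEMD_SOCKET_ACTIVATION`, so non-systemd builds may warn about a possibly-uninitialised read at `rexec_argv[rexec_argc++] = systemd_num_listen_fds_str;`; initialise it to NULL. The `fatal("Invalid number of systemd listen FDs: %s", errstr);` line mixes spaces into the tab indentation.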
diff -pruN 1:9.9p1-3/debian/patches/test-set-UsePAM-no-on-some-tests.patch 1:9.9p1-3ubuntu3.1/debian/patches/test-set-UsePAM-no-on-some-tests.patch
--- 1:9.9p1-3/debian/patches/test-set-UsePAM-no-on-some-tests.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/patches/test-set-UsePAM-no-on-some-tests.patch	2024-11-13 21:55:08.000000000 +0000
@@ -0,0 +1,41 @@
+Description: Set UsePAM=no for regress/putty-*.sh
+ Currently these tests fails in the autopkgtest infrastructure due to pam_loginuid.so
+ failures. These failures cannot currently be replicated locally. Workaround this
+ by setting UsePAM=no for the failing tests since their functionality is not tesing
+ PAM.
+Author: Nick Rosbrook <enr0n@ubuntu.com>
+Forwarded: no
+Last-Update: 2024-07-31
+--- a/regress/putty-ciphers.sh
++++ b/regress/putty-ciphers.sh
+@@ -43,6 +43,8 @@
+ 		echo "MACs $m" >> ${OBJ}/sshd_proxy
+ 	fi
+ 
++	sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
++
+ 	rm -f ${COPY}
+ 	env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
+ 	    cat ${DATA} > ${COPY}
+--- a/regress/putty-kex.sh
++++ b/regress/putty-kex.sh
+@@ -26,6 +26,8 @@
+ 	cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+ 	echo "KexAlgorithms ${k}" >>${OBJ}/sshd_proxy
+ 
++	sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
++
+ 	env HOME=$PWD ${PLINK} -v -load localhost_proxy -batch -i ${OBJ}/putty.rsa2 true \
+ 	    2>${OBJ}/log/putty-kex-$k.log
+ 	if [ $? -ne 0 ]; then
+--- a/regress/putty-transfer.sh
++++ b/regress/putty-transfer.sh
+@@ -5,6 +5,8 @@
+ 
+ puttysetup
+ 
++sed -i "s/UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy
++
+ if [ "`${SSH} -Q compression`" = "none" ]; then
+ 	comp="0"
+ else
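Review bot: The `sed -i "s/UsePAM.*/UsePAM no/"` pattern added to all three scripts is unanchored, so it rewrites any line that merely contains `UsePAM` (a comment, an indented copy) rather than only the directive; anchoring it, `sed -i "s/^UsePAM.*/UsePAM no/" ${OBJ}/sshd_proxy`, limits the edit to the real keyword. The substitution is also silent when sshd_proxy has no UsePAM line at all, in which case the test still runs with the build's default and the workaround does nothing; appending a line would not help because sshd honours the first value of a keyword, so a `grep -q '^UsePAM' ${OBJ}/sshd_proxy` guard before the sed would make that assumption explicit. In putty-transfer.sh the sed runs once after `puttysetup`, while the other two re-apply it after sshd_proxy is restored from the backup inside the loop; that ordering looks deliberate, but a one-line comment saying why would stop a later reader from "fixing" it.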
diff -pruN 1:9.9p1-3/debian/rules 1:9.9p1-3ubuntu3.1/debian/rules
--- 1:9.9p1-3/debian/rules	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/rules	2024-11-13 21:55:08.000000000 +0000
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-export DEB_BUILD_MAINT_OPTIONS := hardening=+all
+export DEB_BUILD_MAINT_OPTIONS := hardening=+all optimize=+lto
 
 include /usr/share/dpkg/default.mk
 
@@ -195,8 +195,8 @@ override_dh_installinit:
 	dh_installinit -R --name ssh
 
 override_dh_installsystemd:
-	dh_installsystemd -popenssh-server ssh.service
-	dh_installsystemd -popenssh-server --no-enable ssh.socket
+	dh_installsystemd -popenssh-server --no-start ssh.socket
+	dh_installsystemd -popenssh-server --no-enable --no-start ssh.service
 	dh_installsystemd -popenssh-server --no-start rescue-ssh.target
 
 debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
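Review bot: With `--no-start` on both ssh.socket and ssh.service, nothing in this override starts sshd on a fresh install, so the maintainer scripts (not visible in this hunk) must start ssh.socket themselves or a newly installed server stays unreachable until reboot. On upgrade from a release where ssh.service was enabled and running, the old daemon keeps port 22 bound, so a later start of ssh.socket will fail with EADDRINUSE unless the transition stops ssh.service first; this should be confirmed against postinst. A short comment above the override naming where the socket is actually started and how the service-to-socket handoff is handled would document the intent in the one place packagers look, e.g. `# ssh.socket is the default; the start/transition from ssh.service is handled in postinst`.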
diff -pruN 1:9.9p1-3/debian/systemd/ssh.socket 1:9.9p1-3ubuntu3.1/debian/systemd/ssh.socket
--- 1:9.9p1-3/debian/systemd/ssh.socket	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/systemd/ssh.socket	2024-11-13 21:55:08.000000000 +0000
@@ -1,11 +1,15 @@
 [Unit]
 Description=OpenBSD Secure Shell server socket
-Before=sockets.target
+Before=sockets.target ssh.service
 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
 
 [Socket]
-ListenStream=22
+ListenStream=0.0.0.0:22
+ListenStream=[::]:22
+BindIPv6Only=ipv6-only
 Accept=no
+FreeBind=yes
 
 [Install]
 WantedBy=sockets.target
+RequiredBy=ssh.service
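Review bot: `FreeBind=yes` lets the socket bind addresses that are not yet configured on any interface, which is what a generator-written ListenStream for a specific ListenAddress needs at boot, but it also means a mistyped ListenAddress binds "successfully" and simply never receives traffic instead of failing loudly; that trade-off deserves a comment next to the directive, e.g. `# FreeBind: allow binding ListenAddress entries before the interface is up; note a typo in ListenAddress will bind silently`. The pairing of explicit `0.0.0.0:22` / `[::]:22` with `BindIPv6Only=ipv6-only` is the right way to avoid the dual-stack bind conflict, and the rationale would also be worth a line. Because ListenStream entries accumulate across drop-ins, a generated override for a non-default Port must start with an empty `ListenStream=` to clear these two defaults, otherwise port 22 stays open alongside the configured port; the generator is not in this hunk, so this is only a point to verify.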
diff -pruN 1:9.9p1-3/debian/tests/control 1:9.9p1-3ubuntu3.1/debian/tests/control
--- 1:9.9p1-3/debian/tests/control	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/tests/control	2024-11-13 21:55:08.000000000 +0000
@@ -44,3 +44,15 @@ Restrictions:
 Depends:
  openssh-server,
  xinetd,
+
+Tests: systemd-socket-activation
+Restrictions: needs-root allow-stderr
+Depends: openssh-client,
+         openssh-server,
+         systemd,
+
+Tests: sshd-socket-generator
+Restrictions: needs-root allow-stderr
+Depends: openssh-client,
+         openssh-server,
+         systemd,
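Review bot: Both new tests modify the testbed and depend on a running systemd, but the Restrictions line only declares `needs-root allow-stderr`: sshd-socket-generator writes `/etc/ssh/sshd_config.d/test.conf` and systemd-socket-activation rewrites `/etc/default/ssh` in place and stops/starts ssh.service, neither restoring the original state. Those are the cases autopkgtest's `breaks-testbed` restriction exists for, and `systemctl` against the system instance presumably needs `isolation-container` as well; the line should read `Restrictions: needs-root allow-stderr breaks-testbed isolation-container` for both stanzas unless the harness already guarantees a throwaway testbed.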
diff -pruN 1:9.9p1-3/debian/tests/ssh-gssapi 1:9.9p1-3ubuntu3.1/debian/tests/ssh-gssapi
--- 1:9.9p1-3/debian/tests/ssh-gssapi	2024-10-27 13:58:04.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/tests/ssh-gssapi	2024-11-13 21:55:08.000000000 +0000
@@ -21,7 +21,9 @@ chown "$testuser2:" "/home/$testuser2/.s
 source debian/tests/util
 
 cleanup() {
-    if [ $? -ne 0 ]; then
+    result=$?
+    set +e
+    if [ ${result} -ne 0 ]; then
         echo "## Something failed"
         echo
         echo "## klist"
diff -pruN 1:9.9p1-3/debian/tests/sshd-socket-generator 1:9.9p1-3ubuntu3.1/debian/tests/sshd-socket-generator
--- 1:9.9p1-3/debian/tests/sshd-socket-generator	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/tests/sshd-socket-generator	2024-11-13 21:55:08.000000000 +0000
@@ -0,0 +1,209 @@
+#!/bin/bash
+
+test_default() (
+    set -xeuo pipefail
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    # Nothing should be generated in this case.
+    test ! -e "$testdir/ssh.socket.d"
+)
+
+test_custom_port() (
+    set -xeuo pipefail
+
+    echo "Port 1234" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=0.0.0.0:1234" "$socket_override"
+    grep -q "^ListenStream=\[::\]:1234" "$socket_override"
+)
+
+test_custom_family_ipv4() (
+    set -xeuo pipefail
+
+    echo "AddressFamily inet" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=0.0.0.0:22" "$socket_override"
+
+    if grep -q "^ListenStream=\[::\]:22" "$socket_override"; then
+        >&2 echo "IPv6 address generated with AddressFamily inet"
+        return 1
+    fi
+)
+
+test_custom_family_ipv6() (
+    set -xeuo pipefail
+
+    echo "AddressFamily inet6" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=\[::\]:22" "$socket_override"
+
+    if grep -q "^ListenStream=0.0.0.0:22" "$socket_override"; then
+        >&2 echo "IPv4 address generated with AddressFamily inet6"
+        return 1
+    fi
+)
+
+test_custom_port_and_family_ipv4() (
+    set -xeuo pipefail
+
+    echo "Port 1234" >> "$testconf"
+    echo "AddressFamily inet" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=0.0.0.0:1234" "$socket_override"
+
+    if grep -q "^ListenStream=\[::\]:1234" "$socket_override"; then
+        >&2 echo "IPv6 address generated with AddressFamily inet"
+        return 1
+    fi
+)
+
+test_custom_port_and_family_ipv6() (
+    set -xeuo pipefail
+
+    echo "Port 1234" >> "$testconf"
+    echo "AddressFamily inet6" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=\[::\]:1234" "$socket_override"
+
+    if grep -q "^ListenStream=0.0.0.0:1234" "$socket_override"; then
+        >&2 echo "IPv4 address generated with AddressFamily inet6"
+        return 1
+    fi
+)
+
+test_default_and_custom_port() (
+    set -xeuo pipefail
+
+    # LP: #2059872
+    echo "Port 22" >> "$testconf"
+    echo "Port 1234" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=0.0.0.0:22" "$socket_override"
+    grep -q "^ListenStream=0.0.0.0:1234" "$socket_override"
+    grep -q "^ListenStream=\[::\]:22" "$socket_override"
+    grep -q "^ListenStream=\[::\]:1234" "$socket_override"
+)
+
+test_mutiple_custom_ports() (
+    set -xeuo pipefail
+
+    echo "Port 1234" >> "$testconf"
+    echo "Port 4321" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=0.0.0.0:1234" "$socket_override"
+    grep -q "^ListenStream=0.0.0.0:4321" "$socket_override"
+    grep -q "^ListenStream=\[::\]:1234" "$socket_override"
+    grep -q "^ListenStream=\[::\]:4321" "$socket_override"
+)
+
+test_custom_listenaddress() (
+    set -xeuo pipefail
+
+    echo "ListenAddress 10.1.2.3" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=10.1.2.3:22" "$socket_override"
+)
+
+test_custom_listenaddress_and_port() (
+    set -xeuo pipefail
+
+    echo "Port 1234" >> "$testconf"
+    echo "ListenAddress 10.1.2.3" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=10.1.2.3:1234" "$socket_override"
+)
+
+test_custom_ipv6_listenaddress() (
+    set -xeuo pipefail
+
+    echo "ListenAddress 2001:db8:85a3::8a2e:370:7334" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=\[2001:db8:85a3::8a2e:370:7334\]:22" "$socket_override"
+)
+
+test_match_on_port() (
+    # Regression test for LP: #2076023
+    set -xeuo pipefail
+
+    echo "Port 22" >> "$testconf"
+    echo "Port 22222" >> "$testconf"
+    echo "Match LocalPort 22222" >> "$testconf"
+    echo "    PasswordAuthentication no" >> "$testconf"
+    echo "    PubkeyAuthentication yes" >> "$testconf"
+
+    /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
+
+    grep -q "^ListenStream=0.0.0.0:22$" "$socket_override"
+    grep -q "^ListenStream=0.0.0.0:22$" "$socket_override"
+    grep -q "^ListenStream=\[::\]:22222$" "$socket_override"
+    grep -q "^ListenStream=\[::\]:22222$" "$socket_override"
+)
+
+tmpdir="$(mktemp -d)"
+testconf="/etc/ssh/sshd_config.d/test.conf"
+failed=
+
+mkdir -p /etc/ssh/sshd_config.d
+
+for test_fn in \
+    "test_default" \
+    "test_custom_port" \
+    "test_default_and_custom_port" \
+    "test_mutiple_custom_ports" \
+    "test_custom_listenaddress" \
+    "test_custom_listenaddress_and_port" \
+    "test_custom_ipv6_listenaddress" \
+    "test_custom_family_ipv4" \
+    "test_custom_family_ipv6" \
+    "test_custom_port_and_family_ipv4" \
+    "test_custom_port_and_family_ipv6" \
+    "test_match_on_port"
+do
+    echo -n "$test_fn..."
+
+    testdir="${tmpdir}/${test_fn}"
+    socket_override="${testdir}/ssh.socket.d/addresses.conf"
+    mkdir -p "$testdir"
+
+    $test_fn > "${AUTOPKGTEST_ARTIFACTS}/${test_fn}.log" 2>&1
+    if [[ $? -eq 0 ]]; then
+        echo "PASS"
+    else
+        echo "FAIL"
+        failed="${failed:+$failed }$test_fn"
+    fi
+
+    >"$testconf"
+done
+
+if [[ -n "$failed" ]]; then
+    for t in $failed; do
+        echo "--------------------------------------------"
+        echo "FAIL: $t"
+        echo "--------------------------------------------"
+        cat "${AUTOPKGTEST_ARTIFACTS}/${t}.log"
+    done
+
+    exit 1
+fi
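Review bot: In test_match_on_port the four greps are two identical pairs, so `0.0.0.0:22222` and `[::]:22` are never checked and a generator that dropped either would still pass; the second and fourth lines should be `grep -q "^ListenStream=0.0.0.0:22222$" "$socket_override"` and `grep -q "^ListenStream=\[::\]:22$" "$socket_override"`. The port-only tests (test_custom_port, test_mutiple_custom_ports, the ListenAddress tests) also assert only presence; since ListenStream entries accumulate across drop-ins, a generator that forgot to reset the list would leave port 22 open and still pass, so each of those should add a negative grep for `:22$` the way the AddressFamily tests do. The script also never removes `$tmpdir` or the `/etc/ssh/sshd_config.d/test.conf` it creates on the real system (the loop only truncates it), so a `trap 'rm -rf -- "$tmpdir" "$testconf"' EXIT` after the assignments would keep an aborted run from leaving an empty drop-in that sshd will keep reading.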
diff -pruN 1:9.9p1-3/debian/tests/systemd-socket-activation 1:9.9p1-3ubuntu3.1/debian/tests/systemd-socket-activation
--- 1:9.9p1-3/debian/tests/systemd-socket-activation	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.9p1-3ubuntu3.1/debian/tests/systemd-socket-activation	2024-11-19 17:06:14.000000000 +0000
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -euo pipefail
+
+assert_unit_property() {
+    local property="$(echo "$2" | awk -F'=' '{print $1}')"
+
+    local expect="$2"
+    local actual="$(systemctl show -p "$property" "$1")"
+
+    if [[ "$actual" != "$expect" ]]; then
+        echo "Fail: $1: expected $expect, but got $actual"
+        return 1
+    fi
+}
+
+# Generate RSA key and add it to this user's authorized keys.
+ssh-keygen -t rsa -N "" -f "$HOME/.ssh/id_rsa" -q
+if [[ -f ~/.ssh/authorized_keys ]]; then
+    touch ~/.ssh/authorized_keys
+    chmod 0600 ~/.ssh/authorized_keys
+fi
+cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
+
+# Make sure ssh.service is not running.
+echo "Stopping ssh.service..."
+systemctl stop ssh.service 2>/dev/null
+
+# Check that ssh.socket is active and listening.
+echo "Checking that ssh.socket is active and listening..."
+assert_unit_property ssh.socket "ActiveState=active"
+assert_unit_property ssh.socket "SubState=listening"
+
+# Check that ssh.service is currently inactive/dead.
+echo "Checking that ssh.service is inactive/dead..."
+assert_unit_property ssh.service "ActiveState=inactive"
+assert_unit_property ssh.service "SubState=dead"
+
+# Check that a connection attempt successfully activates ssh.service.
+echo "Checking that a connection attempt activates ssh.service..."
+ssh -oStrictHostKeyChecking=no localhost -- /usr/bin/true
+assert_unit_property ssh.service "ActiveState=active"
+assert_unit_property ssh.service "SubState=running"
+
+# Check that we can re-execute sshd via systemctl reload.
+echo "Checking that sshd can be re-executed..."
+systemctl reload ssh.service
+
+timeout=5
+while [[ "$(systemctl show -P "ActiveState" ssh.service)" == "reloading" ]]; do
+    sleep 1
+    timeout=$((timeout - 1))
+
+    if [[ $timeout -le 0 ]]; then
+        echo "Fail: timeout waiting for ssh.service to reload"
+        return 1
+    fi
+done
+
+assert_unit_property ssh.service "ActiveState=active"
+assert_unit_property ssh.service "SubState=running"
+
+# Check that we can run sshd in debug mode.
+echo "Checking sshd can run in debug mode..."
+systemctl stop ssh.service 2>/dev/null
+sed -i 's/^SSHD_OPTS=.*/SSHD_OPTS=-ddd/g' /etc/default/ssh
+ssh -oStrictHostKeyChecking=no localhost -- /usr/bin/true
+
+echo "Done."
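Review bot: The authorized_keys guard is inverted: `touch` and `chmod 0600` run only when the file already exists, and when it does not the following `cat >>` creates it with the umask default; the condition should be `if [[ ! -f ~/.ssh/authorized_keys ]]; then`, and since `ssh-keygen -f "$HOME/.ssh/id_rsa"` fails under `set -e` when `~/.ssh` is absent, a `mkdir -p -m 0700 ~/.ssh` before it would make the test self-contained. The `return 1` in the reload-timeout loop is at top level, not inside a function, so it does not terminate the script as written and should be `exit 1`. The final debug-mode check edits `/etc/default/ssh` in place and never restores it, which is fine only if the testbed is discarded; a trap that restores a saved copy, or a comment stating that assumption, would make that explicit.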
