Remove /etc/network/if-up.d/openssh-server

It causes more problems than it solves. Add an "if-up hook removed" section to README.Debian documenting the corner case that may need configuration adjustments. Thanks, Christian Ehrhardt, Andreas Hasenack, and David Britton. Closes: #789532 LP: #1037738, #1674330, #1718227
author: Colin Watson <cjwatson@debian.org> 2018-10-21 10:36:27 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-10-21 10:38:28 +0100
commit: 02b3fee8901679a5e058f66691067675208a4ae5 (patch)
tree: 4285b09ce6cfd3226b1890972666015cb4aa030d
parent: 2df9bff12640a33749f0f20ae806b6efac327116 (diff)
5 files changed, 27 insertions, 43 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
index 58a5741b0..48f42c4e8 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -249,6 +249,27 @@ options related to it are now deprecated and should be removed from
 The Protocol option is also no longer needed, although it is silently
 ignored rather than deprecated.
+if-up hook removed
+------------------
+openssh-server previously shipped an if-up hook that restarted sshd when a
+network interface came up.  This generally caused more problems than it
+solved: for instance, it means that sshd stops listening briefly while being
+restarted, which can cause problems in some environments, particularly
+automated tests.
+The only known situation where the if-up hook was useful was when
+sshd_config was changed to add ListenAddress entries for particular IP
+addresses, overriding the default of listening on all addresses, and the
+system is one that often roams between networks.  In such a situation, it is
+better to remove ListenAddress entries from sshd_config (restoring it to the
+default behaviour) and instead use firewall rules to restrict incoming SSH
+connections to only the desired interfaces or addresses.
+For further discussion, see:
+  https://bugs.launchpad.net/bugs/1674330
 -- 
 Matthew Vernon <matthew@debian.org>
 Colin Watson <cjwatson@debian.org>
diff --git a/debian/changelog b/debian/changelog
index 42fd29b8a..fef13055d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -55,6 +55,11 @@ openssh (1:7.9p1-1) UNRELEASED; urgency=medium
  * Remove dh_builddeb override to use xz compression; this has been the
    default since dpkg 1.17.0.
  * Simplify debian/rules using /usr/share/dpkg/default.mk.
+  * Remove /etc/network/if-up.d/openssh-server, as it causes more problems
+    than it solves (thanks, Christian Ehrhardt, Andreas Hasenack, and David
+    Britton; closes: #789532, LP: #1037738, #1674330, #1718227).  Add an
+    "if-up hook removed" section to README.Debian documenting the corner
+    case that may need configuration adjustments.
 -- Colin Watson <cjwatson@debian.org>  Fri, 19 Oct 2018 21:34:47 +0100
diff --git a/debian/openssh-server.if-up b/debian/openssh-server.if-up
deleted file mode 100644
index 525c2153b..000000000
--- a/debian/openssh-server.if-up
+++ /dev/null
@@ -1,42 +0,0 @@
-#! /bin/sh
-# Reload the OpenSSH server when an interface comes up, to allow it to start
-# listening on new addresses.
-set -e
-# Don't bother to restart sshd when lo is configured.
-if [ "$IFACE" = lo ]; then
-        exit 0
-fi
-# Only run from ifup.
-if [ "$MODE" != start ]; then
-        exit 0
-fi
-# OpenSSH only cares about inet and inet6. Get ye gone, strange people
-# still using ipx.
-if [ "$ADDRFAM" != inet ] && [ "$ADDRFAM" != inet6 ]; then
-        exit 0
-fi
-# Is /usr mounted?
-if [ ! -e /usr/sbin/sshd ]; then
-        exit 0
-fi
-if [ ! -f /run/sshd.pid ] || \
-   [ "$(ps -p "$(cat /run/sshd.pid)" -o comm=)" != sshd ]; then
-        exit 0
-fi
-# We'd like to use 'reload' here, but it has some problems; see #502444.  On
-# the other hand, repeated restarts of ssh make systemd unhappy
-# (#756547/#757822), so use reload in that case.
-if [ -d /run/systemd/system ]; then
-        systemctl reload --no-block ssh.service >/dev/null 2>&1 || true
-else
-        invoke-rc.d ssh restart >/dev/null 2>&1 || true
-fi
-exit 0
diff --git a/debian/openssh-server.install b/debian/openssh-server.install
index 5ca921cca..e0cc13cec 100755
--- a/debian/openssh-server.install
+++ b/debian/openssh-server.install
@@ -8,7 +8,6 @@ usr/share/man/man8/sshd.8
 sshd_config => usr/share/openssh/sshd_config
 debian/openssh-server.ucf-md5sum => usr/share/openssh/sshd_config.md5sum
-debian/openssh-server.if-up => etc/network/if-up.d/openssh-server
 debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
 debian/systemd/ssh.socket lib/systemd/system
 debian/systemd/rescue-ssh.target lib/systemd/system
diff --git a/debian/openssh-server.maintscript b/debian/openssh-server.maintscript
index 17a4c2787..c721fdb48 100644
--- a/debian/openssh-server.maintscript
+++ b/debian/openssh-server.maintscript
@@ -1,2 +1,3 @@
 mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd 1:4.7p1-4~
 rm_conffile /etc/init/ssh.conf 1:7.5p1-6~
+rm_conffile /etc/network/if-up.d/openssh-server 1:7.9p1-1~
author	Colin Watson <cjwatson@debian.org>	2018-10-21 10:36:27 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-10-21 10:38:28 +0100
commit	02b3fee8901679a5e058f66691067675208a4ae5 (patch)
tree	4285b09ce6cfd3226b1890972666015cb4aa030d
parent	2df9bff12640a33749f0f20ae806b6efac327116 (diff)