Stop enabling ssh-session-cleanup.service by default; instead, ship it as an example and add a section to README.Debian. libpam-systemd >= 230 and "UsePAM yes" should take care of the original problem for most systemd users (thanks, Michael Biebl; closes: #832155).

5 files changed, 29 insertions, 7 deletions

diff --git a/debian/README.Debian b/debian/README.Debian
index d26e5a39d..f0e5bea24 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -232,6 +232,25 @@ it listen on a different address or port, then you will need to do this by
 copying /lib/systemd/system/ssh.socket to /etc/systemd/system/ssh.socket and
 modifying the ListenStream option.  See systemd.socket(5) for details.
 
+Terminating SSH sessions cleanly on shutdown/reboot with systemd
+----------------------------------------------------------------
+
+If you have libpam-systemd >= 230 installed (following openssh-server's
+Recommends) and "UsePAM yes" in sshd_config (the default configuration
+shipped by this package), then SSH sessions will be terminated cleanly when
+the server is shut down or rebooted.
+
+If either of these conditions does not hold, then you may find that SSH
+sessions hang silently when the server is shut down or rebooted.  If you do
+not want to use PAM or configure it properly for whatever reason, then you
+can instead copy
+/usr/share/doc/openssh-server/examples/ssh-session-cleanup.service to
+/etc/systemd/system/ and run "systemctl enable ssh-session-cleanup.service".
+
+Non-systemd users may find /usr/lib/openssh/ssh-session-cleanup helpful if
+they have a similar problem, although at present there is no system
+integration for this for anything other than systemd.
+
 -- 
 Matthew Vernon <matthew@debian.org>
 Colin Watson <cjwatson@debian.org>
diff --git a/debian/changelog b/debian/changelog
index e81c667cc..0977bc8c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:7.2p2-8) UNRELEASED; urgency=medium
+
+  * Stop enabling ssh-session-cleanup.service by default; instead, ship it
+    as an example and add a section to README.Debian.  libpam-systemd >= 230
+    and "UsePAM yes" should take care of the original problem for most
+    systemd users (thanks, Michael Biebl; closes: #832155).
+
+ -- Colin Watson <cjwatson@debian.org>  Thu, 28 Jul 2016 22:04:37 +0100
+
 openssh (1:7.2p2-7) unstable; urgency=medium
 
   * Don't stop the ssh-session-cleanup service on upgrade (closes: #832155).
diff --git a/debian/openssh-server.examples b/debian/openssh-server.examples
index 0d0e55a7a..ef6eb5468 100644
--- a/debian/openssh-server.examples
+++ b/debian/openssh-server.examples
@@ -1 +1,2 @@
 sshd_config
+debian/systemd/ssh-session-cleanup.service
diff --git a/debian/openssh-server.install b/debian/openssh-server.install
index dabc440ab..f696de231 100755
--- a/debian/openssh-server.install
+++ b/debian/openssh-server.install
@@ -11,7 +11,6 @@ debian/systemd/ssh.socket lib/systemd/system
 debian/systemd/ssh@.service lib/systemd/system
 debian/systemd/sshd.conf usr/lib/tmpfiles.d
 debian/systemd/ssh-session-cleanup usr/lib/openssh
-debian/systemd/ssh-session-cleanup.service lib/systemd/system
 
 # dh_apport would be neater, but at the time of writing it isn't in unstable
 # yet.
diff --git a/debian/rules b/debian/rules
index 540418e7b..3a8c86cdc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -215,12 +215,6 @@ override_dh_installdocs:
 override_dh_systemd_enable:
         dh_systemd_enable -popenssh-server --name ssh ssh.service
         dh_systemd_enable -popenssh-server --name ssh --no-enable ssh.socket
-        dh_systemd_enable -popenssh-server --name ssh-session-cleanup \
-                ssh-session-cleanup.service
-
-override_dh_systemd_start:
-        dh_systemd_start -popenssh-server --no-restart-on-upgrade \
-                ssh-session-cleanup.service
 
 override_dh_installinit:
         dh_installinit -R --name ssh