Add a session cleanup script and a systemd unit file to trigger it, which serves to terminate SSH sessions cleanly if systemd doesn't do that itself, often because libpam-systemd is not installed (thanks, Vivek Das Mohapatra, Tom Hutter, and others; closes: #751636).

5 files changed, 32 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 1e1229042..b2e6d64de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,10 @@ openssh (1:7.2p2-6) UNRELEASED; urgency=medium
   * Backport upstream patch to close ControlPersist background process
     stderr when not in debug mode or when logging to a file or syslog
     (closes: #714526).
+  * Add a session cleanup script and a systemd unit file to trigger it,
+    which serves to terminate SSH sessions cleanly if systemd doesn't do
+    that itself, often because libpam-systemd is not installed (thanks,
+    Vivek Das Mohapatra, Tom Hutter, and others; closes: #751636).
 
  -- Colin Watson <cjwatson@debian.org>  Sat, 30 Apr 2016 11:29:20 +0100
 
diff --git a/debian/openssh-server.install b/debian/openssh-server.install
index 06e0c71b7..dabc440ab 100755
--- a/debian/openssh-server.install
+++ b/debian/openssh-server.install
@@ -10,6 +10,8 @@ debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
 debian/systemd/ssh.socket lib/systemd/system
 debian/systemd/ssh@.service lib/systemd/system
 debian/systemd/sshd.conf usr/lib/tmpfiles.d
+debian/systemd/ssh-session-cleanup usr/lib/openssh
+debian/systemd/ssh-session-cleanup.service lib/systemd/system
 
 # dh_apport would be neater, but at the time of writing it isn't in unstable
 # yet.
diff --git a/debian/rules b/debian/rules
index 3a8c86cdc..201fc204b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -215,6 +215,8 @@ override_dh_installdocs:
 override_dh_systemd_enable:
         dh_systemd_enable -popenssh-server --name ssh ssh.service
         dh_systemd_enable -popenssh-server --name ssh --no-enable ssh.socket
+        dh_systemd_enable -popenssh-service --name ssh-session-cleanup \
+                ssh-session-cleanup.service
 
 override_dh_installinit:
         dh_installinit -R --name ssh
diff --git a/debian/systemd/ssh-session-cleanup b/debian/systemd/ssh-session-cleanup
new file mode 100755
index 000000000..f283cc967
--- /dev/null
+++ b/debian/systemd/ssh-session-cleanup
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+ssh_session_pattern='sshd: \S.*@pts/[0-9]+'
+
+IFS="$IFS@"
+pgrep -a -f "$ssh_session_pattern" | while read pid daemon user pty; do
+        echo "Found ${daemon%:} session $pid on $pty; sending SIGTERM"
+        kill "$pid" || true
+done
+
+exit 0
diff --git a/debian/systemd/ssh-session-cleanup.service b/debian/systemd/ssh-session-cleanup.service
new file mode 100644
index 000000000..b86727227
--- /dev/null
+++ b/debian/systemd/ssh-session-cleanup.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=OpenBSD Secure Shell session cleanup
+Wants=network.target
+After=network.target
+
+[Service]
+ExecStart=/bin/true
+ExecStop=/usr/lib/openssh/ssh-session-cleanup
+RemainAfterExit=yes
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target