-rw-r--r-- | debian/README.Debian | 21 | ||||
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/openssh-server.if-up | 42 | ||||
-rwxr-xr-x | debian/openssh-server.install | 1 | ||||
-rw-r--r-- | debian/openssh-server.maintscript | 1 |
5 files changed, 27 insertions, 43 deletions
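--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -249,6 +249,27 @@ options related to it are now deprecated and should be removed from
 The Protocol option is also no longer needed, although it is silently
 ignored rather than deprecated.
 
+if-up hook removed
+------------------
+
+openssh-server previously shipped an if-up hook that restarted sshd when a
+network interface came up. This generally caused more problems than it
+solved: for instance, it means that sshd stops listening briefly while being
+restarted, which can cause problems in some environments, particularly
+automated tests.
+
+The only known situation where the if-up hook was useful was when
+sshd_config was changed to add ListenAddress entries for particular IP
+addresses, overriding the default of listening on all addresses, and the
+system is one that often roams between networks. In such a situation, it is
+better to remove ListenAddress entries from sshd_config (restoring it to the
+default behaviour) and instead use firewall rules to restrict incoming SSH
+connections to only the desired interfaces or addresses.
+
+For further discussion, see:
+
+https://bugs.launchpad.net/bugs/1674330
+
 --
 Matthew Vernon <matthew@debian.org>
 Colin Watson <cjwatson@debian.org>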
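--- a/debian/changelog
+++ b/debian/changelog
@@ -55,6 +55,11 @@ openssh (1:7.9p1-1) UNRELEASED; urgency=medium
 * Remove dh_builddeb override to use xz compression; this has been the
 default since dpkg 1.17.0.
 * Simplify debian/rules using /usr/share/dpkg/default.mk.
+* Remove /etc/network/if-up.d/openssh-server, as it causes more problems
+than it solves (thanks, Christian Ehrhardt, Andreas Hasenack, and David
+Britton; closes: #789532, LP: #1037738, #1674330, #1718227). Add an
+"if-up hook removed" section to README.Debian documenting the corner
+case that may need configuration adjustments.
 
 -- Colin Watson <cjwatson@debian.org> Fri, 19 Oct 2018 21:34:47 +0100
 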
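--- a/debian/openssh-server.if-up
+++ /dev/null
@@ -1,42 +0,0 @@
-#! /bin/sh
-# Reload the OpenSSH server when an interface comes up, to allow it to start
-# listening on new addresses.
-
-set -e
-
-# Don't bother to restart sshd when lo is configured.
-if [ "$IFACE" = lo ]; then
-exit 0
-fi
-
-# Only run from ifup.
-if [ "$MODE" != start ]; then
-exit 0
-fi
-
-# OpenSSH only cares about inet and inet6. Get ye gone, strange people
-# still using ipx.
-if [ "$ADDRFAM" != inet ] && [ "$ADDRFAM" != inet6 ]; then
-exit 0
-fi
-
-# Is /usr mounted?
-if [ ! -e /usr/sbin/sshd ]; then
-exit 0
-fi
-
-if [ ! -f /run/sshd.pid ] || \
-[ "$(ps -p "$(cat /run/sshd.pid)" -o comm=)" != sshd ]; then
-exit 0
-fi
-
-# We'd like to use 'reload' here, but it has some problems; see #502444. On
-# the other hand, repeated restarts of ssh make systemd unhappy
-# (#756547/#757822), so use reload in that case.
-if [ -d /run/systemd/system ]; then
-systemctl reload --no-block ssh.service >/dev/null 2>&1 || true
-else
-invoke-rc.d ssh restart >/dev/null 2>&1 || true
-fi
-
-exit 0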
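--- a/debian/openssh-server.install
+++ b/debian/openssh-server.install
@@ -8,7 +8,6 @@ usr/share/man/man8/sshd.8
 sshd_config => usr/share/openssh/sshd_config
 debian/openssh-server.ucf-md5sum => usr/share/openssh/sshd_config.md5sum
 
-debian/openssh-server.if-up => etc/network/if-up.d/openssh-server
 debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
 debian/systemd/ssh.socket lib/systemd/system
 debian/systemd/rescue-ssh.target lib/systemd/system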
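--- a/debian/openssh-server.maintscript
+++ b/debian/openssh-server.maintscript
@@ -1,2 +1,3 @@
 mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd 1:4.7p1-4~
 rm_conffile /etc/init/ssh.conf 1:7.5p1-6~
+rm_conffile /etc/network/if-up.d/openssh-server 1:7.9p1-1~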
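Review bot: The new rm_conffile entry on the last line removes the hook for unmodified installs, but for an administrator who had edited /etc/network/if-up.d/openssh-server locally the helper (as far as I recall dpkg-maintscript-helper's conffile handling) keeps the edited copy as openssh-server.dpkg-bak instead of deleting it, and ifupdown's run-parts skips names containing a dot, so any site-specific logic in that file silently stops running on upgrade. Neither the changelog entry nor the new README section, which only covers the ListenAddress case, tells such an administrator where their customisation went. Consider adding one sentence to the "if-up hook removed" README section along the lines of `If you had modified the hook locally, the modified copy is kept as /etc/network/if-up.d/openssh-server.dpkg-bak but is no longer run; move any logic you still need elsewhere.` The version bound 1:7.9p1-1~ matches the changelog entry this change belongs to, which is correct.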