From 13905124bd7eeb0aa8b62ec6a230603eed7cbca1 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 26 Aug 2024 09:59:59 +0200
Subject: Merging debian version 1:9.8p1-2.
Signed-off-by: Daniel Baumann
---
 debian/.git-dpm | 4 ++--
 debian/changelog | 10 ++++++++
 debian/patches/authorized-keys-man-symlink.patch | 2 +-
 debian/patches/configure-cache-vars.patch | 2 +-
 debian/patches/debian-banner.patch | 4 ++--
 debian/patches/debian-config.patch | 2 +-
 debian/patches/dnssec-sshfp.patch | 2 +-
 debian/patches/doc-hash-tab-completion.patch | 2 +-
 debian/patches/gnome-ssh-askpass2-icon.patch | 2 +-
 debian/patches/keepalive-extensions.patch | 2 +-
 debian/patches/maxhostnamelen.patch | 2 +-
 .../patches/mention-ssh-keygen-on-keychange.patch | 2 +-
 debian/patches/no-openssl-version-status.patch | 2 +-
 debian/patches/openbsd-docs.patch | 2 +-
 debian/patches/package-versioning.patch | 2 +-
 debian/patches/pam-avoid-unknown-host.patch | 2 +-
 debian/patches/regress-conch-dev-zero.patch | 2 +-
 debian/patches/restore-authorized_keys2.patch | 2 +-
 debian/patches/restore-tcp-wrappers.patch | 8 +++----
 debian/patches/revert-ipqos-defaults.patch | 2 +-
 debian/patches/scp-quoting.patch | 2 +-
 debian/patches/selinux-role.patch | 4 ++--
 debian/patches/shell-path.patch | 2 +-
 debian/patches/skip-utimensat-test-on-zfs.patch | 2 +-
 debian/patches/ssh-agent-setgid.patch | 2 +-
 debian/patches/ssh-argv0.patch | 2 +-
 debian/patches/ssh-vulnkey-compat.patch | 2 +-
 debian/patches/syslog-level-silent.patch | 2 +-
 debian/patches/systemd-socket-activation.patch | 19 +++++++++++----
 debian/patches/user-group-modes.patch | 2 +-
 debian/tests/control | 10 ++++++++
 debian/tests/socket-activation | 27 ++++++++++++++++++++++
 32 files changed, 95 insertions(+), 39 deletions(-)
 create mode 100755 debian/tests/socket-activation
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 14852c6..41261a9 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-7406e666efe2d19e93cf6f50735b3a927bc3dfce
-7406e666efe2d19e93cf6f50735b3a927bc3dfce
+97c671bccd4f923e2bb814516ad7bf1d9261709c
+97c671bccd4f923e2bb814516ad7bf1d9261709c
 725afb3e99dbbda1d8c34a3dfc031dc9b0bb5dbe
 725afb3e99dbbda1d8c34a3dfc031dc9b0bb5dbe
 openssh_9.8p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index ab1776a..45e000d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+openssh (1:9.8p1-2) unstable; urgency=medium
+
+ * Don't close sockets passed by systemd socket activation (closes:
+ #1077765).
+ * Add an autopkgtest for socket activation.
+ * Consult /etc/hosts.{allow,deny} as "sshd", not "sshd-session" (closes:
+ #1077799).
+
+ -- Colin Watson Fri, 02 Aug 2024 17:08:58 +0100
+
 openssh (1:9.8p1-1~progress7.99u1) graograman-backports; urgency=medium
 * Uploading to graograman-backports, remaining changes:
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 2d8f535..e014ae5 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 7f7594950af2dac444ade5023a88acaa157d4824 Mon Sep 17 00:00:00 2001
+From fa2050cccface30a90effecf902ac69779e684a5 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/configure-cache-vars.patch b/debian/patches/configure-cache-vars.patch
index 0ec03e7..86481d7 100644
--- a/debian/patches/configure-cache-vars.patch
+++ b/debian/patches/configure-cache-vars.patch
@@ -1,4 +1,4 @@
-From 569bdb6931b8dba91036cf8dce41b56ca343e10f Mon Sep 17 00:00:00 2001
+From 322f3ff14422182dff32e0dc51c1d0b23b8cba0e Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Wed, 3 Apr 2024 11:52:04 +0100
 Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_*
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index fd69273..fd0443b 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From be94b157653742db3310bc565356a8e553bfd741 Mon Sep 17 00:00:00 2001
+From 6bed4d1be79474891ebaa62259919f14acf28273 Mon Sep 17 00:00:00 2001
 From: Kees Cook
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -140,7 +140,7 @@ index cbfc20735..f9d3a1ff2 100644
 /* Put the connection into non-blocking mode. */
 diff --git a/sshd-session.c b/sshd-session.c
-index f0fd85367..1f38a0de9 100644
+index b6e544108..2a512dd74 100644
 --- a/sshd-session.c
 +++ b/sshd-session.c
 @@ -1303,7 +1303,7 @@ main(int ac, char **av)
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 2add806..ee3b297 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 72b01845849043dbf3edde4d0b1a728ff05d8630 Mon Sep 17 00:00:00 2001
+From 8b067a754bdeac8fcdab1fbb2010651cf07b1b61 Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index a2164e0..6e78215 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 022ab25237b3da32705eb88d74f01590ca121625 Mon Sep 17 00:00:00 2001
+From 0d8aedb659c1c3892a9ba071ea003530ea8ca1b3 Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 4963bcd..3c2b05b 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 51e122be591845078beddc2aa6734d83d4fbe7a1 Mon Sep 17 00:00:00 2001
+From cceb89a954534c1bed67d20613fe8aa82bec37e4 Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index a32dac4..b10014b 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 63d6710f076590ec1672e95d19a2fced8bd34189 Mon Sep 17 00:00:00 2001
+From fac5d188210df34ace8c8f1f6f47c2a72e01c535 Mon Sep 17 00:00:00 2001
 From: Vincent Untz
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index a828ce2..a5f8c57 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From fb7c10aae7ed2d9216b16ae5e172f45a2bdcd336 Mon Sep 17 00:00:00 2001
+From 92c7e83658c40484aa7a0fa977a45de38461beef Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
diff --git a/debian/patches/maxhostnamelen.patch b/debian/patches/maxhostnamelen.patch
index d7f37fc..af2bf16 100644
--- a/debian/patches/maxhostnamelen.patch
+++ b/debian/patches/maxhostnamelen.patch
@@ -1,4 +1,4 @@
-From 95b7dc366c3f27e7bd524a64bae2754eef9935d5 Mon Sep 17 00:00:00 2001
+From 5ffb02dd0478b1ceb24dd356d0ccad7cb7ec728b Mon Sep 17 00:00:00 2001
 From: Svante Signell
 Date: Fri, 5 Nov 2021 23:22:53 +0000
 Subject: Define MAXHOSTNAMELEN on GNU/Hurd
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 4c2aab3..393de6f 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 63207b21b9f33cf60e79a9c0484e609c5bf4c08b Mon Sep 17 00:00:00 2001
+From 1c3c2c02b1d68675b121d87d1ffee84113659c93 Mon Sep 17 00:00:00 2001
 From: Scott Moser
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 4f937be..3f2ca27 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 302f656d6976c077f55f75a339f63b0c30a6c447 Mon Sep 17 00:00:00 2001
+From d03bde90030a339d7e4e39273cb3eadadfb99320 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index dfbbade..8774599 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 8fb4b76677be4fdb1ce0e45148b4c2d40f177964 Mon Sep 17 00:00:00 2001
+From 169d164b95c9f068cbf5fc9860029690f9bf19d3 Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index dd905fc..0caca0d 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 4d194d912805d3314bd610cca3eca2e6a927ab7f Mon Sep 17 00:00:00 2001
+From 184037a22103428f83d1e8d14c09631aef14dc2f Mon Sep 17 00:00:00 2001
 From: Matthew Vernon
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
diff --git a/debian/patches/pam-avoid-unknown-host.patch b/debian/patches/pam-avoid-unknown-host.patch
index f034a8d..8c8d78a 100644
--- a/debian/patches/pam-avoid-unknown-host.patch
+++ b/debian/patches/pam-avoid-unknown-host.patch
@@ -1,4 +1,4 @@
-From 7406e666efe2d19e93cf6f50735b3a927bc3dfce Mon Sep 17 00:00:00 2001
+From 97c671bccd4f923e2bb814516ad7bf1d9261709c Mon Sep 17 00:00:00 2001
 From: Daan De Meyer
 Date: Mon, 20 Mar 2023 20:22:14 +0100
 Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"
diff --git a/debian/patches/regress-conch-dev-zero.patch b/debian/patches/regress-conch-dev-zero.patch
index a1f8670..95f7aab 100644
--- a/debian/patches/regress-conch-dev-zero.patch
+++ b/debian/patches/regress-conch-dev-zero.patch
@@ -1,4 +1,4 @@
-From 5f5e44903a2dbd0381d4395e53444d17b2d1b494 Mon Sep 17 00:00:00 2001
+From e3d47eadb58dda63a125eecaa722ce7891c75356 Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 31 Mar 2024 00:24:11 +0000
 Subject: regress: Redirect conch stdin from /dev/zero
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 015efa8..b061307 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 48001bae6c31c7d0e1c73a134456ccd109041892 Mon Sep 17 00:00:00 2001
+From 69f63b1e4919e4a51cb199fa81fa318bc517bbd2 Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 7ea30ff..fdd3c61 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 33df9974b50dda9718f7e31ca8568432edd97168 Mon Sep 17 00:00:00 2001
+From 0ff8d4f5356adbdebdbdbf951713d22b1e8e264e Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -18,7 +18,7 @@ but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed -Last-Update: 2024-07-03 +Last-Update: 2024-08-02 Patch-Name: restore-tcp-wrappers.patch --- @@ -103,7 +103,7 @@ index dc274329f..f6bca2631 100644 echo " libldns support: $LDNS_MSG" echo " Solaris process contract support: $SPC_MSG" diff --git a/sshd-session.c b/sshd-session.c -index ab88db7c5..a9fa63224 100644 +index ab88db7c5..dff1fefbe 100644 --- a/sshd-session.c +++ b/sshd-session.c @@ -110,6 +110,13 @@ @@ -131,7 +131,7 @@ index ab88db7c5..a9fa63224 100644 + if (ssh_packet_connection_is_on_socket(ssh)) { + struct request_info req; + -+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ request_init(&req, RQ_DAEMON, "sshd", RQ_FILE, sock_in, 0); + fromhost(&req); + + if (!hosts_access(&req)) { diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch index 6a19674..2758571 100644 --- a/debian/patches/revert-ipqos-defaults.patch +++ b/debian/patches/revert-ipqos-defaults.patch @@ -1,4 +1,4 @@ -From 32d1b39b53a11db1efbb6ac84ea589bc7b699e35 Mon Sep 17 00:00:00 2001 +From 91663a43be78a3b33c0cc055033d648269a4f98c Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 8 Apr 2019 10:46:29 +0100 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index 2a6fb1f..2c64f53 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch @@ -1,4 +1,4 @@ -From 2dd3363f6032ac203829e941bdac111e1dcf7012 Mon Sep 17 00:00:00 2001 +From 75bbbbd155147a06ebf5bcc1b2ae9bf08c127cf0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= Date: Sun, 9 Feb 2014 16:09:59 +0000 Subject: Adjust scp quoting in verbose mode diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index c160e00..c481c3b 100644 --- a/debian/patches/selinux-role.patch 
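Review bot: The new `request_init(&req, RQ_DAEMON, "sshd", RQ_FILE, sock_in, 0);` line in the sshd-session.c hunk of restore-tcp-wrappers.patch fixes the daemon name that /etc/hosts.allow and /etc/hosts.deny are matched against, but nothing next to the call records why a literal replaces `__progname`. Without that, a later refresh of the patch could restore `__progname` and existing `sshd:` rules would presumably stop matching with no error, which for hosts.deny entries means connections are no longer refused. I would add above the call `/* Keep the literal "sshd": hosts.allow/hosts.deny rules are keyed on this name, not on the sshd-session binary name. */`. Administrators who added `sshd-session:` rules as a workaround on the previous upload lose them after this change, so a NEWS entry seems worth adding as well. The enclosing function starts and ends outside the hunk.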
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 1b327bbfa9728e3e2f9ec02371b94069c9664f2f Mon Sep 17 00:00:00 2001
+From 1003c8e9926862f7f01fad4a9004766aa47948d1 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -414,7 +414,7 @@ index 344a1ddf9..20ea822a7 100644
 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
 diff --git a/sshd-session.c b/sshd-session.c
-index a9fa63224..f0fd85367 100644
+index dff1fefbe..b6e544108 100644
 --- a/sshd-session.c
 +++ b/sshd-session.c
 @@ -438,7 +438,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 8bb7463..0fb8602 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 71863958087495c9d4a4c83ca6e3fbed58ae4e81 Mon Sep 17 00:00:00 2001
+From 693e1ad72a8bc084f804451beaad6f941921b435 Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/skip-utimensat-test-on-zfs.patch b/debian/patches/skip-utimensat-test-on-zfs.patch
index c6cf03c..5a9a489 100644
--- a/debian/patches/skip-utimensat-test-on-zfs.patch
+++ b/debian/patches/skip-utimensat-test-on-zfs.patch
@@ -1,4 +1,4 @@
-From 2c0e4142af77c5c70cc81a87f5d263cef3c73ac2 Mon Sep 17 00:00:00 2001
+From 1cf8791cab882050d43f539da1464eb308eca92e Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Mon, 11 Mar 2024 16:24:49 +0000
 Subject: Skip utimensat test on ZFS
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 04b283a..4c5641e 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 0b96d5e106fc2e4bc1ff04c7527c731f1a0d0aea Mon Sep 17 00:00:00 2001
+From 2e73396b1e30fed205ad9daf4575f26e24b6cf63 Mon Sep 17 00:00:00 2001
From: Colin Watson
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 6679961..7b45493 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 9d91d0ec92d7b3e6cd5404fa447fc9eea35bb870 Mon Sep 17 00:00:00 2001
+From b53a7a6dc0eb0375ef367780fd66c86e182bc67c Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index d0c82ea..b63fe3c 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 996f025eb2f6521e3fb4a7b527ec4eaceebe8156 Mon Sep 17 00:00:00 2001
+From 127ffecd39fa5f1b61506e6060c4a4cdec64f019 Mon Sep 17 00:00:00 2001
 From: Colin Watson
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index d6f5d84..e32e7fd 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 0b5e808eb7513943a5270563729da56c66ece9ad Mon Sep 17 00:00:00 2001
+From 297eb3e9ae97bdd2e944efd9fdbdcf7f78514b79 Mon Sep 17 00:00:00 2001
 From: Natalie Amery
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
index bd7aca3..7a9c0ca 100644
--- a/debian/patches/systemd-socket-activation.patch
+++ b/debian/patches/systemd-socket-activation.patch
@@ -1,4 +1,4 @@
-From 496d8d99583423c054311e85738102a5d9185016 Mon Sep 17 00:00:00 2001
+From 05c8e02a8f6df17722a95fc11cf315865f90e024 Mon Sep 17 00:00:00 2001
From: Steve Langasek Date: Thu, 1 Sep 2022 16:03:37 +0100 Subject: Support systemd socket activation @@ -10,13 +10,13 @@ of the sshd daemon without becoming incompatible with config options like ClientAliveCountMax. Author: Colin Watson -Last-Update: 2024-07-03 +Last-Update: 2024-08-02 Patch-Name: systemd-socket-activation.patch --- configure.ac | 1 + - sshd.c | 131 +++++++++++++++++++++++++++++++++++++++++++++------ - 2 files changed, 118 insertions(+), 14 deletions(-) + sshd.c | 133 +++++++++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 119 insertions(+), 15 deletions(-) diff --git a/configure.ac b/configure.ac index f6bca2631..ee6aca972 100644 @@ -31,7 +31,7 @@ index f6bca2631..ee6aca972 100644 case `uname -r` in 1.*|2.0.*) diff --git a/sshd.c b/sshd.c -index 54c65dfe6..bc0127c9c 100644 +index 54c65dfe6..51d5357b9 100644 --- a/sshd.c +++ b/sshd.c @@ -93,10 +93,18 @@ @@ -194,3 +194,12 @@ index 54c65dfe6..bc0127c9c 100644 if (!num_listen_socks) fatal("Cannot bind any address."); } +@@ -1344,7 +1447,7 @@ main(int ac, char **av) + if (!test_flag && !do_dump_cfg && !path_absolute(av[0])) + fatal("sshd requires execution with an absolute path"); + +- closefrom(STDERR_FILENO + 1); ++ closefrom(STDERR_FILENO + 1 + SYSTEMD_OFFSET); + + /* Reserve fds we'll need later for reexec things */ + if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 194c730..b649927 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch @@ -1,4 +1,4 @@ -From 04ef461f5d8a7ec8840db50ccb841aaa26687b6e Mon Sep 17 00:00:00 2001 +From c02212390140a127d47873d8d27081466bd5daeb Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:09:58 +0000 Subject: Allow harmless group-writability diff --git a/debian/tests/control b/debian/tests/control index f7c0afb..0f5a493 100644 --- a/debian/tests/control +++ b/debian/tests/control 
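Review bot: In the sshd.c hunk of systemd-socket-activation.patch, `closefrom(STDERR_FILENO + 1 + SYSTEMD_OFFSET);` adds SYSTEMD_OFFSET to the lower bound without checking its sign, and the macro's definition is outside this hunk. If it expands to sd_listen_fds() or a similar call that reports errors as a negative number, the bound drops below 3 and the call could close the standard descriptors or behave in a platform-dependent way very early in a root daemon. I would evaluate it once and clamp it, `int sd_fds = SYSTEMD_OFFSET;` followed by `closefrom(STDERR_FILENO + 1 + (sd_fds > 0 ? sd_fds : 0));`, with a comment that the descriptors kept open are the listening sockets passed in by systemd. main() starts and ends outside the hunk.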
@@ -25,3 +25,13 @@ Depends:
 krb5-admin-server,
 krb5-kdc,
 openssh-server,
+
+Tests:
+ socket-activation,
+Restrictions:
+ allow-stderr,
+ isolation-container,
+ needs-root,
+Depends:
+ openssh-server,
+ sudo,
diff --git a/debian/tests/socket-activation b/debian/tests/socket-activation
new file mode 100755
index 0000000..20a0d0b
--- /dev/null
+++ b/debian/tests/socket-activation
@@ -0,0 +1,27 @@
+#! /bin/sh
+set -e
+
+testuser="testuser$$"
+adduser --quiet --disabled-password --gecos "" "$testuser"
+sudo -u "$testuser" mkdir -m700 "/home/$testuser/.ssh"
+sudo -u "$testuser" \
+ ssh-keygen -t ed25519 -N '' -f "/home/$testuser/.ssh/id_ed25519"
+sudo -u "$testuser" \
+ cp "/home/$testuser/.ssh/id_ed25519.pub" \
+ "/home/$testuser/.ssh/authorized_keys"
+
+cleanup () {
+ if [ $? -ne 0 ]; then
+ echo "## Something failed"
+ echo
+ echo "## ssh server log"
+ journalctl -b -u ssh.service --lines 100
+ fi
+}
+
+trap cleanup EXIT
+
+systemctl disable --now ssh.service
+systemctl enable --now ssh.socket
+sudo -u "$testuser" \
+ ssh -oStrictHostKeyChecking=accept-new "$testuser@localhost" date
--
cgit v1.2.3
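Review bot: The final `ssh -oStrictHostKeyChecking=accept-new "$testuser@localhost" date` in debian/tests/socket-activation sets neither batch mode nor a connect timeout, so if public-key authentication or the socket unit misbehaves the client can wait on a prompt or a stalled connection instead of failing promptly. I would write it as `ssh -oBatchMode=yes -oConnectTimeout=10 -oStrictHostKeyChecking=accept-new "$testuser@localhost" date`. The `cleanup` function only prints the journal and never removes `$testuser` or its home directory; a `deluser --quiet --remove-home "$testuser" || true` at the end of it would leave the testbed as it was found, although the isolation-container restriction limits the impact of the leftover account. The script also never asserts that the connection was served through ssh.socket, so a `systemctl is-active ssh.socket` check before the ssh call would tie the result to the feature under test.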