Package: openssh-server
Version: 1:7.9p1-10+deb10u1
Severity: important

Hi,
this just bit me on current stable (Buster) while updating from the security repo:

The following packages will be upgraded:
  openssh-client (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
  openssh-server (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
  openssh-sftp-server (1:7.9p1-10 => 1:7.9p1-10+deb10u1)
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1.178 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://security.debian.org/debian-security buster/updates/main amd64 openssh-sftp-server amd64 1:7.9p1-10+deb10u1 [44,6 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64 openssh-server amd64 1:7.9p1-10+deb10u1 [352 kB]
Get:3 http://security.debian.org/debian-security buster/updates/main amd64 openssh-client amd64 1:7.9p1-10+deb10u1 [782 kB]
Fetched 1.178 kB in 0s (4.945 kB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 498927 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-sftp-server (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Preparing to unpack .../openssh-server_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-server (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Preparing to unpack .../openssh-client_1%3a7.9p1-10+deb10u1_amd64.deb ...
Unpacking openssh-client (1:7.9p1-10+deb10u1) over (1:7.9p1-10) ...
Setting up openssh-client (1:7.9p1-10+deb10u1) ...
Setting up openssh-sftp-server (1:7.9p1-10+deb10u1) ...
Setting up openssh-server (1:7.9p1-10+deb10u1) ...
Replacing config file /etc/ssh/sshd_config with new version
rescue-ssh.target is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u1) ...

The important line is the fourth from the bottom. Since I have changed the port of SSHD this makes it impossible to open new connections afterwards.
I can't believe that making computers secure by essentially disconnecting their admins is the desired behavior of this package (update). Arguably, changing the port back to its default (as in my case) might even increase security risks. ;)

AFAIK there is no way to override the settings from the standard config file (by files in a *.d directory as requested in other bug reports). If there is no other (well-documented) workaround I strongly consider this behavior a bug.

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (91, 'testing'), (10, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.7
ii  libaudit1              1:2.8.4-3
ii  libc6                  2.28-10
ii  libcom-err2            1.44.5-1+deb10u2
ii  libgssapi-krb5-2       1.17-3
ii  libkrb5-3              1.17-3
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1d-0+deb10u1
ii  libsystemd0            241-7~deb10u1
ii  libwrap0               7.6.q-28
ii  lsb-base               10.2019051400
ii  openssh-client         1:7.9p1-10+deb10u1
ii  openssh-sftp-server    1:7.9p1-10+deb10u1
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  241-7~deb10u1
ii  ncurses-term             6.1+20181013-2+deb10u1
ii  xauth                    1:1.0.10-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded
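
The failure reported above is a Port setting that changed when the upgrade replaced /etc/ssh/sshd_config. The following is an added example, not part of the original report or of the package: it compares the ports set in a copy of the config saved before an upgrade with the file on disk afterwards. The file names and sample contents are constructed, and only Port directives are read (a port given through ListenAddress is not considered).

```shell
#!/bin/sh
# Added example: flag a change in sshd's Port setting across an upgrade.

# Print the ports a given sshd_config sets, sorted, space-separated.
# Keywords are case-insensitive; the argument follows whitespace or one '='.
# With no Port directive sshd falls back to its default, 22.
sshd_ports() {
    awk '
        { sub(/^[ \t]+/, "") }               # strip leading whitespace
        /^#/ || /^$/ { next }                # skip comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)  # "Port=2222" -> "Port 2222"
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "port") { print f[2]; found = 1 }
        }
        END { if (!found) print 22 }
    ' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if both files configure the same ports, 1 if they differ.
check_port_drift() {
    old_ports=$(sshd_ports "$1")
    new_ports=$(sshd_ports "$2")
    if [ "$old_ports" = "$new_ports" ]; then
        echo "OK: sshd port(s) unchanged: $new_ports"
        return 0
    fi
    echo "WARNING: sshd port(s) changed: '$old_ports' -> '$new_ports'"
    echo "Keep the current session open until a new login is verified."
    return 1
}

# Constructed sample files (hypothetical names): a customised config saved
# before the upgrade and a stock-style config found after it.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# local change' 'Port 2222' 'PermitRootLogin no' \
    > "$demo_dir/sshd_config.before"
printf '%s\n' '#Port 22' '#PermitRootLogin prohibit-password' \
    > "$demo_dir/sshd_config.after"

check_port_drift "$demo_dir/sshd_config.before" \
    "$demo_dir/sshd_config.after" || true
```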