Hi - not sure if anyone saw this last time around so I figured I'd check in again - it's about:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778913 openssh-server: init (at least systemd) doesn't notice when sshd fails

and

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751636 ssh sessions are not cleanly terminated on shutdown/restart with systemd

The former has been fixed in 1:7.2p2-5 - I've done a little digging into the latter and think what's going on is the following:

- If libpam-systemd (optional) is installed, and sshd is configured to use PAM (the default) then ssh logins are registered with logind and killed early enough that 751636 doesn't crop up.

- If sshd is not hooked up to PAM, or common-session in PAM doesn't use libpam-systemd (it's optional there too in the default config) then ssh logins aren't managed this way, and live on past the network being deconfigured.

I've dealt with this in the attached debdiff by adding a systemd service which is "After" network-online.target which reaps ssh login sessions (but not the main sshd). This seems to deal with the problem described in the bug, and does not kill ssh sessions when (for example) restarting the network.

Would you be amenable to accepting the latter fix and uploading the openssh package to bpo? If you don't like the fix for the session termination timing, is there a different approach that you would prefer?
diff -Nru openssh-7.2p2/debian/changelog openssh-7.2p2/debian/changelog --- openssh-7.2p2/debian/changelog 2016-04-28 01:52:02.000000000 +0100 +++ openssh-7.2p2/debian/changelog 2016-05-25 18:08:20.000000000 +0100 @@ -1,3 +1,12 @@ +openssh (1:7.2p2-6) unstable; urgency=medium + + * Add a session cleanup script and systemd unit file to trigger it. + * Terminates non-PAM ssh sessions cleanly (such sessions only occur + if libpam-systemd is not installed and/or sshd is configured not to + use PAM (closes: #751636) + + -- Vivek Das??Mohapatra <[email protected]> Wed, 25 May 2016 18:08:19 +0100 + openssh (1:7.2p2-5) unstable; urgency=medium * Backport upstream patch to unbreak authentication using lone certificate diff -Nru openssh-7.2p2/debian/openssh-server.install openssh-7.2p2/debian/openssh-server.install --- openssh-7.2p2/debian/openssh-server.install 2016-04-28 01:46:06.000000000 +0100 +++ openssh-7.2p2/debian/openssh-server.install 2016-05-25 18:49:31.000000000 +0100 @@ -9,8 +9,11 @@ debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server debian/systemd/ssh.socket lib/systemd/system debian/systemd/[email protected] lib/systemd/system +debian/systemd/ssh-cleanup.service lib/systemd/system debian/systemd/sshd.conf usr/lib/tmpfiles.d +contrib/ssh-session-cleanup usr/lib/openssh + # dh_apport would be neater, but at the time of writing it isn't in unstable # yet. debian/openssh-server.apport => usr/share/apport/package-hooks/openssh-server.py diff -Nru openssh-7.2p2/debian/patches/series openssh-7.2p2/debian/patches/series --- openssh-7.2p2/debian/patches/series 2016-04-28 01:46:10.000000000 +0100 +++ openssh-7.2p2/debian/patches/series 2016-05-25 17:35:05.000000000 +0100 
@@ -27,3 +27,4 @@ debian-config.patch CVE-2015-8325.patch unbreak-certificate-auth.patch +terminate-non-pam-sessions-cleanly.patch diff -Nru openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch --- openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.2p2/debian/patches/terminate-non-pam-sessions-cleanly.patch 2016-05-25 17:36:13.000000000 +0100 @@ -0,0 +1,24 @@ +--- /dev/null ++++ b/contrib/ssh-session-cleanup +@@ -0,0 +1,21 @@ ++#!/bin/sh ++ ++ssh_session_pattern='sshd:\ \S.*@pts/[0-9]+' ++ ++IFS="$IFS@"; ++pgrep -a -f "$ssh_session_pattern" | while read pid daemon user pty; ++do ++ echo "Found non-PAM ${daemon%:} session $pid on $pty, sending SIGTERM"; ++done; ++ ++pkill -f "$ssh_session_pattern"; ++ ++ecode=$?; ++ ++if [ $ecode -eq 1 ]; ++then ++ echo "No non-PAM ssh sessions found"; ++ ecode=0; ++fi; ++ ++exit $ecode; diff -Nru openssh-7.2p2/debian/rules openssh-7.2p2/debian/rules --- openssh-7.2p2/debian/rules 2016-04-28 01:46:06.000000000 +0100 +++ openssh-7.2p2/debian/rules 2016-05-25 17:50:34.000000000 +0100 @@ -215,6 +215,7 @@ override_dh_systemd_enable: dh_systemd_enable -popenssh-server --name ssh ssh.service dh_systemd_enable -popenssh-server --name ssh --no-enable ssh.socket + dh_systemd_enable -popenssh-server --name ssh-cleanup ssh-cleanup.service override_dh_installinit: dh_installinit -R --name ssh 
@@ -232,6 +233,7 @@ override_dh_fixperms-arch: dh_fixperms chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign + chmod 0755 debian/openssh-server/usr/lib/openssh/ssh-session-cleanup # Tighten libssl dependencies to match the check in entropy.c. override_dh_shlibdeps: diff -Nru openssh-7.2p2/debian/systemd/ssh-cleanup.service openssh-7.2p2/debian/systemd/ssh-cleanup.service --- openssh-7.2p2/debian/systemd/ssh-cleanup.service 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.2p2/debian/systemd/ssh-cleanup.service 2016-05-25 17:21:42.000000000 +0100 @@ -0,0 +1,13 @@ +[Unit] +Description=OpenBSD Secure Shell Session Cleanup +After=network-online.target +Wants=network-online.target + +[Service] +ExecStart=/bin/true +ExecStop=/usr/lib/openssh/ssh-session-cleanup +RemainAfterExit=yes +Type=oneshot + +[Install] +RequiredBy=multi-user.target
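Review bot: the second bullet of the new changelog entry has an unbalanced parenthesis: "(such sessions only occur if libpam-systemd is not installed and/or sshd is configured not to use PAM (closes: #751636)" opens two and closes one, so close the inner one before "(closes: #751636)". The trailer line also shows the maintainer name as "Vivek Das??Mohapatra", which looks like a non-ASCII character (likely a non-breaking space) that did not survive; check that the changelog is plain UTF-8 before uploading.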
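Review bot: the helper script is introduced as a quilt patch that creates a file inside the upstream tree (the "--- /dev/null" / "+++ b/contrib/ssh-session-cleanup" hunk in terminate-non-pam-sessions-cleanly.patch), which then needs the extra "chmod 0755 debian/openssh-server/usr/lib/openssh/ssh-session-cleanup" in debian/rules because quilt patches do not carry file modes. A Debian-specific script is more conventionally kept under debian/ (next to debian/systemd/ssh-cleanup.service) and listed in openssh-server.install from there; that drops the patch, the series entry and the chmod, and keeps the change out of the upstream source.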
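Review bot: the pattern 'sshd:\ \S.*@pts/[0-9]+' only catches sessions that have a pty; sshd titles pty-less sessions (remote commands, sftp, port-forward-only connections) as "sshd: user@notty", so those survive the cleanup and still hit #751636, and a pattern along the lines of "@(pts/[0-9]+|notty)" would cover them. pgrep/pkill -f also match the full command line of every process on the host, not just sshd children, so any process whose argv happens to fit the pattern is SIGTERMed too; checking that the pid's executable really is sshd before signalling would avoid killing unrelated processes. Finally, the listing loop and the pkill are two separate passes over the process table, so the "sending SIGTERM" lines can disagree with what was actually killed; signalling the pids collected in the loop keeps the log and the action consistent. The '\ ' inside the ERE is unnecessary as well: a plain space matches the same thing.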
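Review bot: "Wants=network-online.target" in ssh-cleanup.service pulls network-online.target into boot on every host with openssh-server, which on systems running a wait-online service delays multi-user.target until the network is up, just to obtain a shutdown ordering. systemd.special(7) documents network.target as the target that network management services order themselves before, so a unit that is After=network.target is stopped before the network is torn down at shutdown; "After=network.target" without the Wants= gives the ordering the bug needs without the boot-time cost. The [Install] section uses RequiredBy=multi-user.target; WantedBy=multi-user.target is the conventional choice and avoids making multi-user.target depend on this unit. Also note that ExecStop= runs whenever the unit is stopped, not only at shutdown, so a manual "systemctl stop ssh-cleanup.service" or an isolate to another target will terminate every non-PAM ssh session on the host; that behaviour deserves a comment in the unit or a mention in the changelog.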

