Marc's comment #3 seems plausible: stirling:~/ubuntu/Openssh$ lxc exec u18 -- bash root@u18:~# md5sum /etc/ssh/sshd_config 203e9b92fe3623aeba277ee44297f7dd /etc/ssh/sshd_config root@u18:~# grep -c 203e9b92fe3623aeba277ee44297f7dd /usr/share/openssh/sshd_config.md5sum 0 root@u18:~#
Looking at sshd_config on a fresh installed 18.04 lxc and a fresh 20.04, the sshd_config files do indeed differ by exactly the diff shown during upgrade (and provided in comment #2). The md5sum checking was introduced in Debian on Dec 2016 with openssh (1:7.4p1-1) * Start handling /etc/ssh/sshd_config using ucf. The immediate motivation for this is to deal with deprecations of options related to protocol 1, but something like this has been needed for a long time (closes: #419574, #848089): - sshd_config is now a slightly-patched version of upstream's, and only contains non-default settings (closes: #147201). - I've included as many historical md5sums of default versions of sshd_config as I could reconstruct from version control, but I'm sure I've missed some. - Explicitly synchronise the debconf database with the current configuration file state in openssh-server.config, to ensure that the PermitRootLogin setting is properly preserved. - UsePrivilegeSeparation now defaults to the stronger "sandbox" rather than "yes", per upstream. It's implemented in openssh-server.postinst: ... ... sed statements to customize $new_config from upstream for debian ... mkdir -p /etc/ssh ucf --three-way --debconf-ok \ --sum-file /usr/share/openssh/sshd_config.md5sum \ "$new_config" /etc/ssh/sshd_config ucfr openssh-server /etc/ssh/sshd_config AFAICT the /usr/share/openssh/sshd_config.md5sum is identical on freshly lxc'd 18.04 and 20.04. Running the ucf command on a focal lxc container with the 18.04 and 20.04 sshd_config files captured from fresh lxc installs reproduces the same debconf prompt about the changed config, and then issues this output: stirling:~/ubuntu/Openssh/fix-apt-misprompt$ sudo ucf --no-action --three-way --debconf-ok --sum-file /usr/share/openssh/sshd_config.md5sum ./sshd_config.20.04 ./sshd_config.18.04 [sudo] password for bryce: Replacing config file /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04 with new version cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04 /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04.ucf-old cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04 /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04 cp -pf /var/lib/ucf/hashfile.6 /var/lib/ucf/hashfile.7 cp -pf /var/lib/ucf/hashfile.5 /var/lib/ucf/hashfile.6 cp -pf /var/lib/ucf/hashfile.4 /var/lib/ucf/hashfile.5 cp -pf /var/lib/ucf/hashfile.3 /var/lib/ucf/hashfile.4 cp -pf /var/lib/ucf/hashfile.2 /var/lib/ucf/hashfile.3 cp -pf /var/lib/ucf/hashfile.1 /var/lib/ucf/hashfile.2 cp -pf /var/lib/ucf/hashfile.0 /var/lib/ucf/hashfile.1 cp -pf /var/lib/ucf/hashfile /var/lib/ucf/hashfile.0 (egrep -v "[[:space:]]\/home\/bryce\/ubuntu\/Openssh\/fix\-apt\-misprompt\/sshd_config\.18\.04$" "/var/lib/ucf/hashfile" md5sum "/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04" | sed "s|/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04|/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04|"; ) | sort > "/var/lib/ucf/hashfile" cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04 /var/lib/ucf/cache/:home:bryce:ubuntu:Openssh:fix-apt-misprompt:sshd_config.18.04 If I append the bionic sshd_config md5sum to the list and then check against that, no prompt is displayed, with the following output: $ (cat /usr/share/openssh/sshd_config.md5sum; sudo md5sum sshd_config.18.04 | cut -d' ' -f1) > /tmp/sshd_config.md5sum $ sudo ucf --no-action --three-way --debconf-ok --sum-file /tmp/sshd_config.md5sum ./sshd_config.20.04 ./sshd_config.18.04 cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04 /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04 cp -pf /var/lib/ucf/hashfile.6 /var/lib/ucf/hashfile.7 cp -pf /var/lib/ucf/hashfile.5 /var/lib/ucf/hashfile.6 cp -pf /var/lib/ucf/hashfile.4 /var/lib/ucf/hashfile.5 cp -pf /var/lib/ucf/hashfile.3 /var/lib/ucf/hashfile.4 cp -pf /var/lib/ucf/hashfile.2 /var/lib/ucf/hashfile.3 cp -pf /var/lib/ucf/hashfile.1 /var/lib/ucf/hashfile.2 cp -pf /var/lib/ucf/hashfile.0 /var/lib/ucf/hashfile.1 cp -pf /var/lib/ucf/hashfile /var/lib/ucf/hashfile.0 (egrep -v "[[:space:]]\/home\/bryce\/ubuntu\/Openssh\/fix\-apt\-misprompt\/sshd_config\.18\.04$" "/var/lib/ucf/hashfile" md5sum "/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04" | sed "s|/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04|/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04|"; ) | sort > "/var/lib/ucf/hashfile" cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04 /var/lib/ucf/cache/:home:bryce:ubuntu:Openssh:fix-apt-misprompt:sshd_config.18.04 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1861472 Title: upgrade from fresh bionic to focal needlessly prompts user Status in openssh package in Ubuntu: Triaged Bug description: Upgrading from a fresh 18.04 LTS install to focal unexpectedly prompts for how to handle a change to /etc/ssh/sshd_config To reproduce the issue: lxc launch ubuntu:18.04 u18 lxc exec u18 -- bash # within container do-release-upgrade -d # select restart services when prompted Eventually you'll be prompted to accept changes to /etc/ssh/sshd_config or not because of "local changes". Thanks ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.1p1-5 ProcVersionSignature: Ubuntu 4.15.0-62.69-generic 4.15.18 Uname: Linux 4.15.0-62-generic x86_64 ApportVersion: 2.20.11-0ubuntu16 Architecture: amd64 Date: Fri Jan 31 03:37:55 2020 ProcEnviron: TERM=rxvt-unicode-256color PATH=(custom, no user) LANG=C.UTF-8 SourcePackage: openssh UpgradeStatus: Upgraded to focal on 2020-01-31 (0 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1861472/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp