ssh fails to rebind when it is killed with -HUP

Bug #2011458 reported by Sergio Cazzolato
This bug affects 1 person
Affects            Status         Importance   Assigned to     Milestone
openssh (Ubuntu)   Fix Released   Medium       Nick Rosbrook
Kinetic            Fix Released   Medium       Unassigned
Lunar              Fix Released   Medium       Unassigned

Bug Description

[Impact]

The sshd re-execution logic is generally broken with systemd socket activation, which means that (1) sshd fails when it is told to re-exec via SIGHUP (e.g. systemctl reload ssh), and (2) sshd fails when started in debug mode.

[Test Case]

(1) Test systemctl reload ssh:

* On a machine with openssh-server installed, make a connection to localhost to activate ssh.service (the connection does not need to be complete, so you can just say "no" at the host key verification stage):

$ ssh localhost
[...]

* Send SIGHUP to sshd by calling systemctl reload ssh:

$ systemctl reload ssh

* Check the service state:

$ systemctl status ssh
× ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
     Active: failed (Result: exit-code) since Mon 2023-04-17 20:43:27 UTC; 4s ago
   Duration: 2min 44.132s
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 1112 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255/EXCEPTION)
    Process: 1152 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 1153 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
   Main PID: 1112 (code=exited, status=255/EXCEPTION)
        CPU: 79ms

Apr 17 20:40:43 lunar systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Apr 17 20:41:06 lunar sshd[1113]: Connection closed by 127.0.0.1 port 54666 [preauth]
Apr 17 20:43:27 lunar systemd[1]: Reloading ssh.service - OpenBSD Secure Shell server...
Apr 17 20:43:27 lunar sshd[1112]: Received SIGHUP; restarting.
Apr 17 20:43:27 lunar systemd[1]: Reloaded ssh.service - OpenBSD Secure Shell server.
Apr 17 20:43:27 lunar sshd[1112]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Apr 17 20:43:27 lunar sshd[1112]: error: Bind to port 22 on :: failed: Address already in use.
Apr 17 20:43:27 lunar sshd[1112]: fatal: Cannot bind any address.
Apr 17 20:43:27 lunar systemd[1]: ssh.service: Main process exited, code=exited, status=255/EXCEPTION
Apr 17 20:43:27 lunar systemd[1]: ssh.service: Failed with result 'exit-code'.

* On an affected machine, the service will fail as shown above.

(2) Test debug mode:

* On a machine with openssh-server installed, edit /etc/default/ssh to configure debug mode for sshd:

$ cat /etc/default/ssh
# Default settings for openssh-server. This file is sourced by /bin/sh from
# /etc/init.d/ssh.

# Options to pass to sshd
SSHD_OPTS=-ddd

* Attempt to make a connection to localhost:

$ ssh localhost
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 22

* On an affected machine, the attempt will fail as shown above, and the service will be in a failed state:

$ systemctl status ssh
× ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
     Active: failed (Result: exit-code) since Mon 2023-04-17 20:46:34 UTC; 2min 27s ago
   Duration: 5ms
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 1166 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 1167 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255/EXCEPTION)
   Main PID: 1167 (code=exited, status=255/EXCEPTION)
        CPU: 40ms

Apr 17 20:46:34 lunar sshd[1167]: Server listening on :: port 22.
Apr 17 20:46:34 lunar sshd[1167]: debug3: fd 4 is not O_NONBLOCK
Apr 17 20:46:34 lunar sshd[1167]: debug1: Server will not fork when running in debugging mode.
Apr 17 20:46:34 lunar sshd[1167]: debug3: send_rexec_state: entering fd = 7 config len 3456
Apr 17 20:46:34 lunar sshd[1167]: debug3: ssh_msg_send: type 0
Apr 17 20:46:34 lunar sshd[1167]: debug3: send_rexec_state: done
Apr 17 20:46:34 lunar sshd[1167]: debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
Apr 17 20:46:34 lunar systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Apr 17 20:46:34 lunar systemd[1]: ssh.service: Main process exited, code=exited, status=255/EXCEPTION
Apr 17 20:46:34 lunar systemd[1]: ssh.service: Failed with result 'exit-code'.

[Where problems could occur]

The fix expands Ubuntu's patch for systemd socket activation to try and make sure that any fds passed from systemd are not closed across re-executions of sshd. If we saw a problem, it would most likely be an attempt to operate on a closed fd, or the wrong fd, as a result of an edge case in one of the re-execution paths.

[Original Description]

In kinetic and lunar gce images we are facing an issue when ssh is being killed with -HUP. SSH is failing to rebind port 22. It is not failing in other previous systems.

It can be reproduced by running

# pkill -o -HUP sshd || true
# journalctl -n 20
Mar 13 14:58:52 mar131454-025105 sshd[1371]: Received SIGHUP; restarting.
Mar 13 14:58:52 mar131454-025105 sshd[1371]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 13 14:58:52 mar131454-025105 sshd[1371]: error: Bind to port 22 on :: failed: Address already in use.
Mar 13 14:58:52 mar131454-025105 sshd[1371]: fatal: Cannot bind any address.
Mar 13 14:58:52 mar131454-025105 systemd[1]: ssh.service: Main process exited, code=exited, status=255/EXCEPTION
Mar 13 14:58:52 mar131454-025105 systemd[1]: ssh.service: Failed with result 'exit-code'.

Steve Langasek (vorlon)
tags: added: fr-3673
Nick Rosbrook (enr0n) wrote :

This is related to the systemd socket activation patch we have in openssh, and specifically that it does not correctly handle the re-execution logic of sshd. I am working on a fix for this.

Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Kinetic):
status: New → Triaged
importance: Undecided → Medium
Nick Rosbrook (enr0n)
description: updated
Nick Rosbrook (enr0n) wrote :
Nick Rosbrook (enr0n) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch for Lunar" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Steve Langasek (vorlon) wrote :

Please make sure to forward this to Debian as well.

Steve Langasek (vorlon)
Changed in openssh (Ubuntu Kinetic):
status: Triaged → In Progress
Changed in openssh (Ubuntu):
status: Triaged → In Progress
Nick Rosbrook (enr0n) wrote :

Thanks, Steve! I have opened a PR for this in Debian: https://salsa.debian.org/ssh-team/openssh/-/merge_requests/22

Robie Basak (racb) wrote :

Any chance of a dep8 test for this please? I think it would be valuable as we're carrying this feature in a distro patch.

Nick Rosbrook (enr0n) wrote :

Kinetic patch with autopkgtest added.

Nick Rosbrook (enr0n) wrote :

Lunar patch with autopkgtest added.

Andreas Hasenack (ahasenack) wrote :

I grabbed this for my SRU shift, but quickly realized reviewing this patch is more complicated than I thought. I concentrated a bit more on the DEP8 test then.

I confess I don't understand how this check is passing:

# Check that ssh.service is currently inactive/dead.
assert_unit_property ssh.service "ActiveState=inactive"
assert_unit_property ssh.service "SubState=dead"

Because autopkgtest just connected to the vm/container over ssh to run this test, so the ssh.service must be active at this point.

When I run this test script in a local container, over ssh, the test fails on the above check, as I expected. But when I throw autopkgtest at it, locally, it passes the check (and I ran it with bash -x to confirm the state of ssh.service). How?

On a review note about the test, if you happen to need to reupload this for whatever reason, I would suggest that you also add some output explaining what is being tested. The comments you have just before each assert are a great example.

Andreas Hasenack (ahasenack) wrote :

I triggered a DEP8 run in the proper infrastructure[1], and the test failed as expected:

autopkgtest [21:32:30]: test systemd-socket-activation: [-----------------------
Fail: ssh.socket: expected SubState=listening, but got SubState=running
autopkgtest [21:32:31]: test systemd-socket-activation: -----------------------]
autopkgtest [21:32:31]: test systemd-socket-activation: - - - - - - - - - - results - - - - - - - - - -
systemd-socket-activation FAIL non-zero exit status 1
autopkgtest [21:32:31]: @@@@@@@@@@@@@@@@@@@@ summary
regress PASS
systemd-socket-activation FAIL non-zero exit status 1

I don't know why it didn't fail when I ran autopkgtest locally against a container, but hey, sanity half restored ;)

1. https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-ssh-rexec-sru/lunar/amd64/o/openssh/20230427_213242_59dbf@/log.gz

Nick Rosbrook (enr0n) wrote :

*sigh*, I only tested on local autopkgtest. I will re-work the test to create a separate ssh service and socket combination on a different port so that it does not conflict.

Steve Langasek (vorlon) wrote :

Nick, note that it's safe to stop the primary ssh service despite there being an open connection, as open connections are left running. So maybe that's an easier approach.

Nick Rosbrook (enr0n) wrote :
Nick Rosbrook (enr0n) wrote :
Nick Rosbrook (enr0n) wrote :
Steve Langasek (vorlon) wrote :

Reuploaded with fixed autopkgtest and ready for re-review.

Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu Lunar):
status: New → In Progress
importance: Undecided → Medium
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Sergio, or anyone else affected,

Accepted openssh into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.0p1-1ubuntu8.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssh (Ubuntu Lunar):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-lunar
Changed in openssh (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed-kinetic
Steve Langasek (vorlon) wrote :

Hello Sergio, or anyone else affected,

Accepted openssh into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.0p1-1ubuntu7.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon)
Changed in openssh (Ubuntu):
status: In Progress → Fix Committed
Nick Rosbrook (enr0n) wrote :

I verified the fix using openssh-server 1:9.0p1-1ubuntu8.1 from lunar-proposed:

Test 1:

root@lunar:~# apt-cache policy openssh-server
openssh-server:
  Installed: 1:9.0p1-1ubuntu8.1
  Candidate: 1:9.0p1-1ubuntu8.1
  Version table:
 *** 1:9.0p1-1ubuntu8.1 100
        100 http://archive.ubuntu.com/ubuntu lunar-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.0p1-1ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu lunar/main amd64 Packages
root@lunar:~# ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:AbCnblNKQGNc02dY90hZSSobjAiPKfXOOs0YFUhVe9c.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.
root@lunar:~# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
             /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Mon 2023-05-15 13:51:10 UTC; 16s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 148 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 149 (sshd)
      Tasks: 1 (limit: 18854)
     Memory: 1.3M
        CPU: 71ms
     CGroup: /system.slice/ssh.service
             └─149 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

May 15 13:51:10 lunar systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
May 15 13:51:10 lunar sshd[149]: Server listening on :: port 22.
May 15 13:51:10 lunar systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
May 15 13:51:12 lunar sshd[150]: Connection closed by ::1 port 37598 [preauth]
root@lunar:~# systemctl reload ssh
root@lunar:~# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
             /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Mon 2023-05-15 13:51:10 UTC; 23s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 148 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 158 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 159 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
   Main PID: 149 (sshd)
      Tasks: 1 (limit: 18854)
     Memory: 1.3M
        CPU: 127ms
     CGroup: /system.slice/ssh.service
             └─149 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

May 15 13:51:10 lunar systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
May 15 13:51:10 lunar sshd[149]: Server listening on :: port 22.
May 15 13:51:10 lunar systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
May 15 13:51:12 lunar sshd[150]: Connection closed by ::1 port 37598 [preauth]
May 15 13:51:33 lunar systemd[1]: Reloading ssh....

Nick Rosbrook (enr0n) wrote :

I verified the fix using openssh-server 1:9.0p1-1ubuntu7.2 from kinetic-proposed:

Test 1:

root@kinetic:~# apt-cache policy openssh-server
openssh-server:
  Installed: 1:9.0p1-1ubuntu7.2
  Candidate: 1:9.0p1-1ubuntu7.2
  Version table:
 *** 1:9.0p1-1ubuntu7.2 500
        500 http://archive.ubuntu.com/ubuntu kinetic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.0p1-1ubuntu7.1 500
        500 http://archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
     1:9.0p1-1ubuntu7 500
        500 http://archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
root@kinetic:~# ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:DduZSXZNbtS3h9D91h0NQfRK7wnuxpWrj3f8/0J4ajc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.
root@kinetic:~# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
             /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Mon 2023-05-15 14:00:03 UTC; 11s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 1013 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 1014 (sshd)
      Tasks: 1 (limit: 18854)
     Memory: 1.3M
        CPU: 40ms
     CGroup: /system.slice/ssh.service
             └─1014 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

May 15 14:00:03 kinetic systemd[1]: Starting OpenBSD Secure Shell server...
May 15 14:00:03 kinetic sshd[1014]: Server listening on :: port 22.
May 15 14:00:03 kinetic systemd[1]: Started OpenBSD Secure Shell server.
May 15 14:00:04 kinetic sshd[1015]: Connection closed by ::1 port 43046 [preauth]
root@kinetic:~# systemctl reload ssh.service
root@kinetic:~# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
             /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Mon 2023-05-15 14:00:03 UTC; 22s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 1013 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 1021 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 1022 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
   Main PID: 1014 (sshd)
      Tasks: 1 (limit: 18854)
     Memory: 1.4M
        CPU: 97ms
     CGroup: /system.slice/ssh.service
             └─1014 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

May 15 14:00:03 kinetic systemd[1]: Starting OpenBSD Secure Shell server...
May 15 14:00:03 kinetic sshd[1014]: Server listening on :: port 22.
May 15 14:00:03 kinetic systemd[1]: Started OpenBSD Secure Shell server.
May 15 14:00:04 kinetic ss...

tags: added: verification-done verification-done-kinetic verification-done-lunar
removed: verification-needed verification-needed-kinetic verification-needed-lunar
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.0p1-1ubuntu7.2)

All autopkgtests for the newly accepted openssh (1:9.0p1-1ubuntu7.2) for kinetic have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.50.2-2 (ppc64el)
hg-git/0.10.4-3 (amd64, arm64, armhf, ppc64el, s390x)
nova/3:26.1.0-0ubuntu2.1 (armhf)
piuparts/1.1.5 (amd64, arm64, ppc64el, s390x)
sbuild/0.83.1ubuntu1 (amd64, arm64, ppc64el, s390x)
tinyssh/20190101-1ubuntu1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/kinetic/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.0p1-1ubuntu8.1)

All autopkgtests for the newly accepted openssh (1:9.0p1-1ubuntu8.1) for lunar have finished running.
The following regressions have been reported in tests triggered by the package:

ganeti/3.0.2-3 (amd64, arm64, armhf, ppc64el)
nova/3:27.0.0-0ubuntu1.1 (armhf)
piuparts/1.1.7 (amd64, arm64, ppc64el, s390x)
sbuild/0.85.0ubuntu2 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/lunar/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.0p1-1ubuntu8.1

---------------
openssh (1:9.0p1-1ubuntu8.1) lunar; urgency=medium

  * debian/patches/systemd-socket-activation.patch: Fix re-execution behavior
    (LP: #2011458):
    - Remove FD_CLOEXEC on fds passed by systemd to prevent automatic closing
      when sshd re-executes.
    - Do not manually close fds passed by systemd when re-executing.
    - Only call sd_listen_fds() once, and only in the parent process.
    - Check the LISTEN_FDS environment variable to get the number of fds
      passed by systemd when re-executing as a child process.
  * debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
    activation functionality.

 -- Nick Rosbrook <email address hidden> Fri, 31 Mar 2023 12:44:32 -0400
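
The two mechanisms the changelog above names, as an added example (not the Ubuntu patch or OpenSSH code): sd_listen_fds() marks inherited fds close-on-exec and only answers when LISTEN_PID matches the caller, so a re-exec loses the socket and a forked child sees no fds. The function names are hypothetical, an unbound UNIX socket stands in for the listening socket, and /bin/sh stands in for the re-executed sshd.

```c
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define LISTEN_FDS_START 3 /* first fd systemd passes (SD_LISTEN_FDS_START) */

/* Parse LISTEN_FDS alone; returns 0 when unset or malformed. */
int listen_fds_from_env(void)
{
    const char *s = getenv("LISTEN_FDS");
    char *end = NULL;
    long n;

    if (s == NULL || *s == '\0')
        return 0;
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0 || n > INT_MAX - LISTEN_FDS_START)
        return 0;
    return (int)n;
}

/* Same count, but only when LISTEN_PID names this process, which is the
 * check sd_listen_fds() applies. A forked child fails it. */
int listen_fds_checked(void)
{
    const char *s = getenv("LISTEN_PID");
    char *end = NULL;
    long pid;

    if (s == NULL || *s == '\0')
        return 0;
    errno = 0;
    pid = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || pid != (long)getpid())
        return 0;
    return listen_fds_from_env();
}

/* Clear FD_CLOEXEC so fd stays open across execve(); -1 if fd is not open. */
int keep_across_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);

    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC);
}

/* Fork a child that holds a socket on fd 3 marked close-on-exec, optionally
 * clears the flag, then execs a shell that tries to duplicate fd 3.
 * Returns 1 if fd 3 survived the exec, 0 if it was closed, -1 on setup error. */
int reexec_keeps_fd(int clear_cloexec)
{
    int status;
    int sock = socket(AF_UNIX, SOCK_STREAM, 0); /* stand-in for the listener */
    pid_t pid;

    if (sock == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(sock);
        return -1;
    }
    if (pid == 0) {
        int devnull;

        if (dup2(sock, LISTEN_FDS_START) == -1)
            _exit(127);
        if (sock != LISTEN_FDS_START)
            close(sock);
        /* State after sd_listen_fds(): the passed fd is close-on-exec. */
        if (fcntl(LISTEN_FDS_START, F_SETFD, FD_CLOEXEC) == -1)
            _exit(127);
        if (clear_cloexec && keep_across_exec(LISTEN_FDS_START) == -1)
            _exit(127);
        devnull = open("/dev/null", O_WRONLY); /* hide the shell's error text */
        if (devnull != -1) {
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        /* ": <&3" fails with a non-zero status when fd 3 is closed. */
        execl("/bin/sh", "sh", "-c", ": <&3", (char *)NULL);
        _exit(127);
    }
    close(sock);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("fd survives re-exec with FD_CLOEXEC set:     %d\n", reexec_keeps_fd(0));
    printf("fd survives re-exec with FD_CLOEXEC cleared: %d\n", reexec_keeps_fd(1));
    return 0;
}
```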

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
Nick Rosbrook (enr0n) wrote :

An issue (bug 2020474) has been reported in mantic which I believe is caused by this patch, so I am adding block-proposed for lunar and kinetic while I investigate.

tags: added: block-proposed-kinetic block-proposed-lunar
Nick Rosbrook (enr0n) wrote :

We will need another upload to adjust the patch here so that we do not introduce bug 2020474 into Kinetic or Lunar. I have opened MPs for the follow-on uploads.

Changed in openssh (Ubuntu Kinetic):
status: Fix Committed → In Progress
Changed in openssh (Ubuntu Lunar):
status: Fix Committed → In Progress
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Sergio, or anyone else affected,

Accepted openssh into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.0p1-1ubuntu8.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssh (Ubuntu Lunar):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-lunar
removed: verification-done verification-done-lunar
Changed in openssh (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed-kinetic
removed: verification-done-kinetic
Timo Aaltonen (tjaalton) wrote :

Hello Sergio, or anyone else affected,

Accepted openssh into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.0p1-1ubuntu7.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.0p1-1ubuntu7.2)

All autopkgtests for the newly accepted openssh (1:9.0p1-1ubuntu7.2) for kinetic have finished running.
The following regressions have been reported in tests triggered by the package:

hg-git/0.10.4-3 (amd64, arm64, armhf, ppc64el, s390x)
piuparts/1.1.5 (amd64, arm64, ppc64el, s390x)
sbuild/0.83.1ubuntu1 (arm64, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/kinetic/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.0p1-1ubuntu8.1)

All autopkgtests for the newly accepted openssh (1:9.0p1-1ubuntu8.1) for lunar have finished running.
The following regressions have been reported in tests triggered by the package:

ganeti/3.0.2-3 (arm64, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/lunar/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Nick Rosbrook (enr0n) wrote :

I have confirmed the fix using openssh 1:9.0p1-1ubuntu7.3 from kinetic-proposed:

Test 1:

root@kinetic:~# apt-cache policy openssh-server
openssh-server:
  Installed: 1:9.0p1-1ubuntu7.3
  Candidate: 1:9.0p1-1ubuntu7.3
  Version table:
 *** 1:9.0p1-1ubuntu7.3 500
        500 http://archive.ubuntu.com/ubuntu kinetic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.0p1-1ubuntu7.1 500
        500 http://archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
     1:9.0p1-1ubuntu7 500
        500 http://archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
root@kinetic:~# ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:xmU0f5QuqvJ8GZVhZihANPUgBhUzvYo96entI7JuoRk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.10 (GNU/Linux 6.2.0-20-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@kinetic:~# systemctl reload ssh.service
root@kinetic:~# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
             /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Fri 2023-06-02 13:48:58 UTC; 42s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 1012 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 1046 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 1047 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
   Main PID: 1013 (sshd)
      Tasks: 1 (limit: 18854)
     Memory: 3.2M
        CPU: 94ms
     CGroup: /system.slice/ssh.service
             └─1013 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Jun 02 13:48:58 kinetic systemd[1]: Starting OpenBSD Secure Shell server...
Jun 02 13:48:58 kinetic sshd[1013]: Server listening on :: port 22.
Jun 02 13:48:58 kinetic systemd[1]: Started OpenBSD Secure Shell server.
Jun 02 13:49:00 kinetic sshd[1014]: Accepted publickey for root from ::1 port 44690 ssh2: RSA SHA256:A+T8Yt6KxQdy0hmT8>
Jun 02 13:49:00 kinetic sshd[1014]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Jun 02 13:49:00 kinetic sshd[1014]: pam_env(sshd:session): deprecated reading of user environment enabled
Jun 02 13:49:26 kinetic systemd[1]: Reloading OpenBSD Secure Shell server...
Jun 02 13:49:26 kinetic sshd[1013]: Received SIGHUP; restarting.
Jun 02 13:49:26 kinetic systemd[1]: Reloaded OpenBSD Secure Shell server.
Jun 02 13:49:27 kinetic sshd[10...

Nick Rosbrook (enr0n) wrote :

I have verified the fix using openssh 1:9.0p1-1ubuntu8.2 from lunar-proposed:

Test 1:

root@lunar:~# apt-cache policy openssh-server
openssh-server:
  Installed: 1:9.0p1-1ubuntu8.2
  Candidate: 1:9.0p1-1ubuntu8.2
  Version table:
 *** 1:9.0p1-1ubuntu8.2 500
        500 http://archive.ubuntu.com/ubuntu lunar-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.0p1-1ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu lunar/main amd64 Packages
root@lunar:~# ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:pGn2A4yGeFN/7Rlk830HLUMQqsybaSmP36MPGpmKXmQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
Welcome to Ubuntu 23.04 (GNU/Linux 6.2.0-20-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@lunar:~# systemctl reload ssh
root@lunar:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             └─00-socket.conf
             /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Fri 2023-06-02 14:13:03 UTC; 11s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 1030 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 1062 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 1063 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
   Main PID: 1031 (sshd)
      Tasks: 1 (limit: 18854)
     Memory: 3.2M
        CPU: 101ms
     CGroup: /system.slice/ssh.service
             └─1031 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Jun 02 14:13:03 lunar systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Jun 02 14:13:03 lunar sshd[1031]: Server listening on :: port 22.
Jun 02 14:13:03 lunar systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Jun 02 14:13:04 lunar sshd[1032]: Accepted publickey for root from ::1 port 53474 ssh2: RSA SHA256:KzrBiY2sWqLQ5WWGGUo>
Jun 02 14:13:04 lunar sshd[1032]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Jun 02 14:13:04 lunar sshd[1032]: pam_env(sshd:session): deprecated reading of user environment enabled
Jun 02 14:13:10 lunar systemd[1]: Reloading ssh.service - OpenBSD Secure Shell server...
Jun 02 14:13:10 lunar sshd[1031]: Received SIGHUP; restarting.
Jun 02 14:13:10 lunar systemd[1]: Reloaded ssh.service - OpenBSD Secure Shell server.
Jun 02 14:13:10 lunar sshd[1031]: Server listening on :: port 22.

Test 2:

root@lunar:~# vi /etc/default/ssh
root@lunar:~# cat /...

Nick Rosbrook (enr0n) wrote :

I also tested upgrades from 1:9.0p1-1ubuntu7.3 in kinetic-proposed to 1:9.0p1-1ubuntu8.2 in lunar-proposed to confirm we won't be introducing bug 2020474:

root@kinetic:~# ssh localhost
Welcome to Ubuntu 22.10 (GNU/Linux 6.2.0-20-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@kinetic:~# apt-cache policy openssh-server
openssh-server:
  Installed: 1:9.0p1-1ubuntu7.3
  Candidate: 1:9.0p1-1ubuntu7.3
  Version table:
 *** 1:9.0p1-1ubuntu7.3 500
        500 http://archive.ubuntu.com/ubuntu kinetic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.0p1-1ubuntu7.1 500
        500 http://archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
     1:9.0p1-1ubuntu7 500
        500 http://archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
root@kinetic:~# sed -i 's/kinetic/lunar/g' /etc/apt/sources.list
root@kinetic:~# apt update
Get:1 http://archive.ubuntu.com/ubuntu lunar InRelease [267 kB]
Get:2 http://security.ubuntu.com/ubuntu lunar-security InRelease [109 kB]
Get:3 http://security.ubuntu.com/ubuntu lunar-security/main amd64 Packages [69.9 kB]
Get:4 http://archive.ubuntu.com/ubuntu lunar-updates InRelease [109 kB]
Get:5 http://security.ubuntu.com/ubuntu lunar-security/main Translation-en [20.5 kB]
Get:6 http://security.ubuntu.com/ubuntu lunar-security/universe amd64 Packages [33.4 kB]
Get:7 http://security.ubuntu.com/ubuntu lunar-security/universe Translation-en [11.0 kB]
Get:8 http://archive.ubuntu.com/ubuntu lunar-proposed InRelease [255 kB]
Get:9 http://archive.ubuntu.com/ubuntu lunar/main amd64 Packages [1,396 kB]
Get:10 http://archive.ubuntu.com/ubuntu lunar/main Translation-en [513 kB]
Get:11 http://archive.ubuntu.com/ubuntu lunar/restricted amd64 Packages [143 kB]
Get:12 http://archive.ubuntu.com/ubuntu lunar/restricted Translation-en [21.9 kB]
Get:13 http://archive.ubuntu.com/ubuntu lunar/universe amd64 Packages [15.0 MB]
Get:14 http://archive.ubuntu.com/ubuntu lunar/universe Translation-en [5,906 kB]
Get:15 http://archive.ubuntu.com/ubuntu lunar/multiverse amd64 Packages [236 kB]
Get:16 http://archive.ubuntu.com/ubuntu lunar/multiverse Translation-en [112 kB]
Get:17 http://archive.ubuntu.com/ubuntu lunar-updates/main amd64 Packages [124 kB]
Get:18 http://archive.ubuntu.com/ubuntu lunar-updates/main Translation-en [33.5 kB]
Get:19 http://archive.ubuntu.com/ubuntu lunar-updates/universe amd64 Packages [63.0 kB]
Get:20 http://archive.ubuntu.com/ubuntu lunar-updates/universe Translation-en [20.7 kB]
Get:21 http://archive.ubuntu.com/ubuntu lunar-proposed/main amd64 Packages [64.7 kB]
Get:22 http://archive.ubuntu.com/ubuntu lunar-proposed/main Translation-en [18.3 kB]
Get:23 http://archive.ubuntu.com/ubuntu lunar-proposed/restricted amd64 Packages [82.7 kB]
Get:24 http://archive.ubuntu.com/ubuntu lunar-proposed/restricted...

tags: added: verification-done verification-done-kinetic verification-done-lunar
removed: verification-needed verification-needed-kinetic verification-needed-lunar
tags: removed: block-proposed-kinetic block-proposed-lunar
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.0p1-1ubuntu8.2)

All autopkgtests for the newly accepted openssh (1:9.0p1-1ubuntu8.2) for lunar have finished running.
The following regressions have been reported in tests triggered by the package:

ganeti/3.0.2-3 (arm64, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/lunar/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:9.0p1-1ubuntu7.3)

All autopkgtests for the newly accepted openssh (1:9.0p1-1ubuntu7.3) for kinetic have finished running.
The following regressions have been reported in tests triggered by the package:

ganeti/3.0.2-1ubuntu1 (armhf)
gvfs/1.50.2-2 (amd64, arm64, ppc64el)
hg-git/0.10.4-3 (amd64, arm64, armhf, ppc64el, s390x)
libcloud/3.4.1-5 (s390x)
piuparts/1.1.5 (amd64, arm64, ppc64el, s390x)
sbuild/0.83.1ubuntu1 (arm64, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/kinetic/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Nick Rosbrook (enr0n) wrote :

I do not believe the ganeti/3.0.2-3 (arm64, ppc64el) failures on Lunar are caused by the openssh update. In both failures[1][2], the __main__.TestX509Certificates.test and __main__.TestX509Certificates.testNoEmpty unit tests fail. This exact same failure can be seen in earlier migration-reference/0 tests[3][4] of ganeti on both arm64 and ppc64el, so it seems this test is just flaky.

[1] https://autopkgtest.ubuntu.com/results/autopkgtest-lunar/lunar/arm64/g/ganeti/20230605_011521_99bea@/log.gz
[2] https://autopkgtest.ubuntu.com/results/autopkgtest-lunar/lunar/ppc64el/g/ganeti/20230605_011157_99bea@/log.gz
[3] https://autopkgtest.ubuntu.com/results/autopkgtest-lunar/lunar/arm64/g/ganeti/20230118_074257_458fa@/log.gz
[4] https://autopkgtest.ubuntu.com/results/autopkgtest-lunar/lunar/ppc64el/g/ganeti/20230118_072256_077d0@/log.gz

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.0p1-1ubuntu7.3

---------------
openssh (1:9.0p1-1ubuntu7.3) kinetic; urgency=medium

  * debian/patches/systemd-socket-activation.patch: do not leak sockets in
    child process. Follow-up fix for LP: #2011458.

 -- Nick Rosbrook <email address hidden> Tue, 30 May 2023 16:58:06 -0400

Changed in openssh (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for openssh has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.0p1-1ubuntu8.2

---------------
openssh (1:9.0p1-1ubuntu8.2) lunar; urgency=medium

  * debian/patches/systemd-socket-activation.patch: do not leak sockets in
    child process. Follow-up fix for LP: #2011458.

 -- Nick Rosbrook <email address hidden> Fri, 26 May 2023 10:44:48 -0400

Changed in openssh (Ubuntu Lunar):
status: Fix Committed → Fix Released
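
An added example, not part of the bug report or the openssh packaging: the reload check done by hand in the verification comments above, written as a shell function over journal text. The function name and the sample logs are constructed here from the line formats shown in this report, and it assumes the listener keeps its PID across the re-exec, as the sshd[1031] lines above do.

```shell
#!/bin/sh
# Added example: verify from journal text that sshd re-listened after SIGHUP.
# Feed it e.g. `journalctl -u ssh.service -o short` on stdin.
# Exit 0: every "Received SIGHUP; restarting." from sshd[PID] is followed by
#         a "Server listening on" line from the same PID.
# Exit 1: some reload never re-listened.
# Exit 2: no SIGHUP restart in the input, so nothing was verified.
check_sshd_reload() {
    awk '
        # PID from a "sshd[1234]:" tag, or "" when the tag is absent.
        function pid_of(line) {
            if (match(line, /sshd\[[0-9]+\]:/))
                return substr(line, RSTART + 5, RLENGTH - 7)
            return ""
        }
        /sshd\[[0-9]+\]: Received SIGHUP; restarting\./ {
            pending[pid_of($0)] = 1
            seen++
            next
        }
        /sshd\[[0-9]+\]: Server listening on / { delete pending[pid_of($0)] }
        END {
            if (seen == 0) exit 2
            for (p in pending) {
                printf "sshd[%s] did not re-listen after SIGHUP\n", p
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: listener re-binds after the reload (fixed behaviour).
FIXED_LOG='Jun 02 14:13:03 host sshd[1031]: Server listening on :: port 22.
Jun 02 14:13:10 host sshd[1031]: Received SIGHUP; restarting.
Jun 02 14:13:10 host sshd[1031]: Server listening on :: port 22.'

# Constructed sample: SIGHUP is the last sshd line (behaviour this bug reports).
BROKEN_LOG='Apr 17 20:40:43 host systemd[1]: Started ssh.service.
Apr 17 20:43:27 host sshd[1112]: Received SIGHUP; restarting.'

printf '%s\n' "$FIXED_LOG" | check_sshd_reload && echo "fixed log: reload OK"
printf '%s\n' "$BROKEN_LOG" | check_sshd_reload || echo "broken log: exit $?"
```

Exit status 2 is kept separate from success so that an empty or filtered journal is not read as a passed verification.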