Among the 30 Debian patches available in version 1:9.7p1-4 of the package, we noticed the following issues:
commit 703b8198a123f57fd09e555a4c62b2d55273d57b
Merge: 5abe34f 0255692
Author: Colin Watson <cjwatson@debian.org>
Date:   Sat May 11 22:38:35 2024 +0000

    Merge branch 'pam_unknown' into 'master'

    Only set PAM_RHOST if the remote host is not "UNKNOWN"

    See merge request ssh-team/openssh!25

commit 5abe34fb65f907c52da61cf8c68a256f1eef289e
Merge: 9ca680f 0159184
Author: Colin Watson <cjwatson@debian.org>
Date:   Sat May 11 22:05:20 2024 +0000

    Merge branch 'tmpfiles' into 'master'

    Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/

    See merge request ssh-team/openssh!27

commit 025569276f3ae0824a4a8da55a5a3cb676634f4c
Merge: a980bf9 d4ae5b6
Author: Luca Boccassi <bluca@debian.org>
Date:   Sat May 11 17:58:39 2024 +0100

    merge patched-pam_unknown into pam_unknown

commit 9ca680faa402f894512b7947f6f97bc32960f591
Merge: a980bf9 9047352
Author: Colin Watson <cjwatson@debian.org>
Date:   Sat May 11 21:55:15 2024 +0000

    Merge branch 'salsa-openssh-gssapi-tests' into 'master'

    Add autopkgtests for GSSAPI logins, including gssapi-keyex

    See merge request ssh-team/openssh!24

commit d4ae5b68870bf65747084f4ed3060bb13c586c9e
Author: Daan De Meyer <daan.j.demeyer@gmail.com>
Date:   Mon Mar 20 20:22:14 2023 +0100

    Only set PAM_RHOST if the remote host is not "UNKNOWN"

    When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
    socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
    set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
    query of "UNKNOWN", which times out multiple times, causing a
    substantial slowdown when logging in.

    To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".

    Author: Daan De Meyer <daan.j.demeyer@gmail.com>
    Last-Update: 2024-04-03

    Patch-Name: pam-avoid-unknown-host.patch

commit 015918425f1af02029f393ec1972de4d61f60a8d
Author: Luca Boccassi <bluca@debian.org>
Date:   Thu May 9 18:36:24 2024 +0100

    Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/

    sd-tmpfiles will clean up old files/dirs from /tmp/ on a timer, which
    might remove the ssh-agent socket if it's been running for a long time.

    Ideally ssh-agent should switch to using XDG_RUNTIME_DIR, or socket
    based per-session activation as per #1068416 or at least take a flock
    on the socket while it's running as per tmpfiles.d protocol.

    For now as a quick workaround ship a tmpfiles.d snippet that adds an
    exception for /tmp/ssh-* to avoid issues. This should be reverted once
    ssh-agent changes to employ any of the other mentioned solutions.

    Closes: #1068416

commit 90473522494cc09a15bff8bcf3ddc40d9fa0c50e
Author: Andreas Hasenack <andreas.hasenack@canonical.com>
Date:   Mon Mar 18 09:57:01 2024 -0300

    d/t/ssh-gssapi: add klist output in the case of failure

commit 63b33a08961384de16c0b2eadd87f360e8a303de
Author: Andreas Hasenack <andreas.hasenack@canonical.com>
Date:   Mon Mar 18 09:50:58 2024 -0300

    d/t/ssh-gssapi: match a more specific success expression from the logs

commit c60a8b2fea94323afca96866dc25f4daa6a5d64d
Author: Andreas Hasenack <andreas.hasenack@canonical.com>
Date:   Mon Mar 18 09:30:19 2024 -0300

    d/t/ssh-gssapi: deal with return codes

commit 1491959050cacdf8e2e82b6d71482c48aedfe0e6
Author: Andreas Hasenack <andreas.hasenack@canonical.com>
Date:   Fri Mar 15 17:14:06 2024 -0300

    * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic and
      gssapi-keyex authentication methods

commit a980bf94a32f191a9e412eb0550c74ca6d96940b
Author: Colin Watson <cjwatson@debian.org>
Date:   Sat May 11 15:54:22 2024 +0100

    Drop most of Salsa CI's suffix from version string

    The "integrity" regression tests are somewhat sensitive to the length
    of the server banner (which is sent before key exchange), and the long
    suffixes used for CI builds throw them off too much. Since the final
    segment of Salsa CI version numbers is a sequence number that runs
    independently in different forks, this can mean that the exact same
    commit fails in forks despite passing in `ssh-team/openssh`, which is
    extremely confusing.

    Having some indication that a build comes from CI is somewhat useful,
    but we don't need to embed all the fine details: a plain `+salsaci`
    suffix is good enough for that.

commit 52d8a44435f69123efb98d0e7c128b4a81e8aacb
Author: Colin Watson <cjwatson@debian.org>
Date:   Wed Apr 24 15:53:35 2024 +0100

    Add "After=nss-user-lookup.target" to ssh.service and sshd@.service

    Closes: #1069706