Bug#1109742: marked as done (upgrade-reports: No new SSH connections possible during large part of upgrade to Debian Trixie)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Mon, 28 Jul 2025 11:34:17 +0000
with message-id <E1ugM7V-002Ifi-33@fasolo.debian.org>
and subject line Bug#1109742: fixed in openssh 1:10.0p1-6
has caused the Debian Bug report #1109742,
regarding upgrade-reports: No new SSH connections possible during large part of upgrade to Debian Trixie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109742: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109742
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: upgrade-reports: No new SSH connections possible during large part of upgrade to Debian Trixie
• From: Manfred Stock <m-debian@nfred.ch>
• Date: Tue, 22 Jul 2025 19:42:07 +0200
• Message-id: <175320612753.3210.8158902610327546715.reportbug@monitoring.int.nfred.ch>

Package: upgrade-reports
Severity: normal

My previous release is: Debian Bookworm/12
I am upgrading to: Debian Trixie/13
Archive date: From https://mirror.init7.net/debian/project/trace/ftp-master.debian.org:
  Tue Jul 22 14:36:00 UTC 2025
  Creator: dak g7a63da59
  Running on host: fasolo.debian.org
  Archive serial: 2025072203
  Date: Tue, 22 Jul 2025 14:36:00 +0000
  Architectures: all amd64 arm64 armel armhf hurd-i386 i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mips64el mipsel powerpc ppc64el riscv64 s390 s390x sparc source
Upgrade date: 2025-07-22, ~17:15 CEST
uname -a before upgrade: Not recorded
uname -a after upgrade: Linux monitoring 6.12.35+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.35-1 (2025-07-03) x86_64 GNU/Linux
Method: Roughly `apt update; apt dist-upgrade --autoremove --purge`, via SSH

Contents of /etc/apt/sources.list:
  deb https://mirror.init7.net/debian/ trixie main
  deb-src https://mirror.init7.net/debian/ trixie main
  deb https://mirror.init7.net/debian/ trixie-backports main
  deb-src https://mirror.init7.net/debian/ trixie-backports main
  deb https://mirror.init7.net/debian/ trixie-updates main
  deb-src https://mirror.init7.net/debian/ trixie-updates main

  deb https://security.debian.org/debian-security trixie-security main
  deb-src https://security.debian.org/debian-security trixie-security main

- Were there any non-Debian packages installed before the upgrade?  If
  so, what were they? => No, there should not have been any.

- Was the system pre-update a 'pure' system only containing packages
  from the previous release? If not, which packages were not from that
  release? => Yes, it should have been pure.

- Did any packages fail to upgrade? => No, there were no failures.

- Were there any problems with the system after upgrading? => No
  problems that I have noticed so far.


Further Comments/Problems: I've upgraded several Bookworm systems to
Trixie so far, which went pretty smooth. But there's one thing I keep
noticing, and which I observed a bit more closely while upgrading the
system I'm sending this report from: Starting at roughly the time when
dpkg says something like

  Unpacking openssh-server (1:10.0p1-5) over (1:9.2p1-2+deb12u6) ...  

I'm not able anymore to open new SSH connections to the system I'm
upgrading. The SSH daemon is still running, and the existing connections
also still work, but new connections fail with

  kex_exchange_identification: read: Connection reset by peer                    
  Connection reset by fd... port 22                 

on the client. At this time, I see messages like the following in the
output from `systemctl status openssh-server.service` (the SSH daemon is
still running, usually since the last reboot, or in this case since the
libc upgrade earlier during the upgrade process, so the daemon process
itself should still be running the binaries from Bookworm, even though
the new binaries have already been extracted):

  Jul 22 17:37:32 monitoring sshd[492742]: -R not supported here
 
The upgrade continues as usual. At some point, I get asked if I want to
install the new SSH configuration from the package or keep my modified
version (and it doesn't seem to matter what I answer to the question) -
but once dpkg restarts the SSH daemon afterwards, new connections are
possible again.

To me, it seems like the old binary, which is still running, is passing
an unsupported parameter to the new binary that was already unpacked
when trying to fork off a new process for the new connection (but I
haven't checked if that's how it actually works when a new connection is
opened, I'm just guessing). The "-R not supported here" string seems to
be 'new', i.e. I didn't find it in the openssh package source on
Bookworm, but it exists in the version from Trixie.

I can't preclude that I'm consistently doing something
wrong/unusual/strange during the upgrade or that my SSH daemon
configuration contains something weird (although I'm not aware of
anything special in there), so maybe this doesn't affect others. So far,
I haven't noticed any bug report against the openssh package, an entry
in the release notes for Trixie or the NEWS file for openssh which
mentions an issue like this one, but I'm sorry if I missed that.

Hope this helps, and many thanks for your efforts!
Manfred

--- End Message ---

--- Begin Message ---

• To: 1109742-close@bugs.debian.org
• Subject: Bug#1109742: fixed in openssh 1:10.0p1-6
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Mon, 28 Jul 2025 11:34:17 +0000
• Message-id: <E1ugM7V-002Ifi-33@fasolo.debian.org>
• Reply-to: Colin Watson <cjwatson@debian.org>

Source: openssh
Source-Version: 1:10.0p1-6
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109742@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 28 Jul 2025 12:17:42 +0100
Source: openssh
Architecture: source
Version: 1:10.0p1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1109742
Changes:
 openssh (1:10.0p1-6) unstable; urgency=medium
 .
   * Temporarily divert /usr/sbin/sshd during upgrades from before
     1:9.8p1-1~, to avoid new connections failing between unpack and
     configure (closes: #1109742).
Checksums-Sha1:
 75029651959bb17094de119faf6516d01f754a9a 3654 openssh_10.0p1-6.dsc
 0d2ea5e6e7c6cea237bc8a5df36f60e226665ff2 198860 openssh_10.0p1-6.debian.tar.xz
 f4db1e1d8aa3f2799f3e9ca5f588637dde262335 15147720 openssh_10.0p1-6.git.tar.xz
 d12e59bfb669470573821089acb747a008deaa5a 18058 openssh_10.0p1-6_source.buildinfo
Checksums-Sha256:
 02828d083b3642599481ef72b2660b54a9472d00e98fe4c71df08b4a7a70987c 3654 openssh_10.0p1-6.dsc
 7486dafbf359e6a5179cb1a0a7798077cc41d5cf89a7e25485aefb1451cbe551 198860 openssh_10.0p1-6.debian.tar.xz
 ba9cce96d6d7ee94d23376f0acdc67b34531fa06557113f08a7236738e1f2cad 15147720 openssh_10.0p1-6.git.tar.xz
 29ca28ed003c234ca3ef3db0f83a093c121f9fc3f33a06a6f40ef815b71bdb70 18058 openssh_10.0p1-6_source.buildinfo
Files:
 358e0690b920a376f059d132b06ed99b 3654 net standard openssh_10.0p1-6.dsc
 efd8cfc74e206baab789b14be2ed44da 198860 net standard openssh_10.0p1-6.debian.tar.xz
 c9c8f9b9764d2210c73b2a6d6ce1e482 15147720 net standard openssh_10.0p1-6.git.tar.xz
 379892127823c73c41b18b38e9a64e8c 18058 net standard openssh_10.0p1-6_source.buildinfo
Git-Tag-Info: tag=2e1a83aa6d827def7cc13e923d2cdd869131a8bd fp=ac0a4ff12611b6fccf01c111393587d97d86500b
Git-Tag-Tagger: Colin Watson <cjwatson@debian.org>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmiHXQ4ACgkQYG0ITkaD
wHmQow//V8VWc0iF+Gt3xdMjHsB0pj5fAsF2iDyCnVBAbV1wjvu5uQNyM42lqq1M
Uk8aIo2pIA/ZwJJEZZpEzwyQn2JhtH1OMvyhXwjBLiQOvkwMnW55xc7Jaw8N24aZ
j7lRouJsV7K7Sws4Jxi5AKJTCwLQkIdoyXvAUWu0VpAW4xvblQ5Jhmv3Emhu7HOy
XeI764lwhINwQ4rAnDzfMIXyYIr/Eqveyqz+HF4h5qRPuEInUMGa4PzHiz9S5EfA
hJ4KfVL70iJVCLPIdc+3tAQ9vL3TXXIF7OQbrdUMAsmcIvPmNVdkQehJbvK3/zRW
El4zJ7OGS9/nFlwTGoKW48w41Wk/xQQJ+JT2Vv4FZmve2jE3nAPgy6ffKGQfnPJR
G+QiQiZV+yO+1cvkAvMYdDTMaFErrmsA4yzVZVyJ88akqu9GT727QDHRFGtPDOqt
kOhblmGjzkMMo2LKY92CwCt+W/Mog6QDIxe7uMp3yg7wePNR439TT12EdIIH6Xij
pK1rZpThJoFm2S3RDs00hFp6kodtEGZrDIPSC9FHBur59bx14mH4Ocsn3xLMQTnO
RrypQve0JBqDajaZO0PDTOKQnsDRTXH4QroypUvZ0sCgtJclf35GFjlqRDpFRzmQ
QkMK87s0rVLKPWZSjMyZ2FCprFxjoOmhZtB+F1wXzaxfJ8BcaCc=
=pfEk
-----END PGP SIGNATURE-----

Attachment: pgpIiU9hhUd54.pgp
Description: PGP signature

--- End Message ---