


Bug#1109742: upgrade-reports: No new SSH connections possible during large part of upgrade to Debian Trixie

From Colin Watson <cjwatson@debian.org>
Newsgroups linux.debian.bugs.dist, linux.debian.devel.testing
Subject Bug#1109742: upgrade-reports: No new SSH connections possible during large part of upgrade to Debian Trixie
Date 2025-07-24 14:30 +0200
Message-ID <Lc3fb-2jKS-1@gated-at.bofh.it> (permalink)
References <Lbuhr-1VGi-3@gated-at.bofh.it> <Lbuhr-1VGi-3@gated-at.bofh.it>
Organization linux.* mail to news gateway

Cross-posted to 2 groups.



On Tue, Jul 22, 2025 at 07:42:07PM +0200, Manfred Stock wrote:
>Further Comments/Problems: I've upgraded several Bookworm systems to
>Trixie so far, which went pretty smooth. But there's one thing I keep
>noticing, and which I observed a bit more closely while upgrading the
>system I'm sending this report from: Starting at roughly the time when
>dpkg says something like
>
>  Unpacking openssh-server (1:10.0p1-5) over (1:9.2p1-2+deb12u6) ...
>
>I'm not able anymore to open new SSH connections to the system I'm
>upgrading. The SSH daemon is still running, and the existing connections
>also still work, but new connections fail with
>
>  kex_exchange_identification: read: Connection reset by peer
>  Connection reset by fd... port 22
>
>on the client. At this time, I see messages like the following in the
>output from `systemctl status openssh-server.service` (the SSH daemon is
>still running, usually since the last reboot, or in this case since the
>libc upgrade earlier during the upgrade process, so the daemon process
>itself should still be running the binaries from Bookworm, even though
>the new binaries have already been extracted):
>
>  Jul 22 17:37:32 monitoring sshd[492742]: -R not supported here
[...]
>To me, it seems like the old binary, which is still running, is passing
>an unsupported parameter to the new binary that was already unpacked
>when trying to fork off a new process for the new connection (but I
>haven't checked if that's how it actually works when a new connection is
>opened, I'm just guessing). The "-R not supported here" string seems to
>be 'new', i.e. I didn't find it in the openssh package source on
>Bookworm, but it exists in the version from Trixie.

Thanks for the report.  This will be due to the split of sshd-session 
from the main sshd binary; the old sshd re-executed itself with 
different arguments, but the new sshd executes sshd-session instead and 
has removed support for the parameters that it used to rely on during 
re-execution.

I'll have to set up a suitable environment to test this, but my best 
idea for now is to have openssh-server.preinst take a copy of the old 
sshd binary before dpkg unpacks the new files, and patch sshd to re-exec 
that copy if it exists and it receives the -R option.  The postinst can 
then remove the copy after it's restarted the new sshd.

Tricky!

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
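
An added example, not part of the message above or of the Debian packaging: a shell check for the window described in this thread, where the listening sshd predates the unpack and its re-exec with -R is rejected by the new binary. It assumes Linux /proc semantics and the log line format quoted in the report; the function names, PIDs and the fake proc tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes Linux /proc and the
# syslog-style line format quoted in the report.

# Print "replaced" when the file a process was started from has been
# replaced on disk (Linux appends " (deleted)" to the /proc/PID/exe
# target), "current" when it has not, "unknown" when unreadable.
exe_state() {
    target=$(readlink "${2:-/proc}/$1/exe" 2>/dev/null) || { echo unknown; return 0; }
    case $target in
        *" (deleted)") echo replaced ;;
        *) echo current ;;
    esac
}

# Count sshd log lines on stdin that carry the message from the report.
count_reexec_failures() {
    grep -c 'sshd\[[0-9][0-9]*\]: -R not supported here' || true
}

# $1 = PID of the listening sshd, $2 = log file, $3 = proc root (optional).
upgrade_window_status() {
    state=$(exe_state "$1" "${3:-/proc}")
    fails=$(count_reexec_failures < "$2")
    if [ "$state" = unknown ]; then
        echo "unknown: cannot read exe link for PID $1"
    elif [ "$state" = replaced ] && [ "$fails" -gt 0 ]; then
        echo "broken: old sshd still listening, $fails failed re-exec(s) logged"
    elif [ "$state" = replaced ]; then
        echo "at-risk: sshd binary replaced on disk, daemon not restarted"
    else
        echo "ok: listening sshd matches the binary on disk"
    fi
}

# Demo on constructed data: a fake proc tree and two sample log lines.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/101" "$d/proc/202"
    ln -s "/usr/sbin/sshd (deleted)" "$d/proc/101/exe"   # daemon from before the unpack
    ln -s "/usr/sbin/sshd" "$d/proc/202/exe"             # daemon restarted afterwards
    printf '%s\n' \
        'Jul 22 17:37:32 monitoring sshd[492742]: -R not supported here' \
        'Jul 22 17:38:01 monitoring sshd[492801]: -R not supported here' > "$d/log"
    upgrade_window_status 101 "$d/log" "$d/proc"
    upgrade_window_status 202 "$d/log" "$d/proc"
    rm -rf "$d"
}
demo
```

On a real host, pass the PID of the listening sshd and a file of recent sshd log lines, and omit the third argument so that /proc is used.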
