Works well for me. One thing I verified is that the hosts_access(5) (libwrap) remains the same: it does. I do have a couple of suggestions:
- We still ship `sshd_config` with `#ListenAddress` and `#Port` lines, with no warning about them not being honored anymore by default. Users editing those will be surprised that they have no effect. I think they should be replaced or complemented by a comment explaining the new way for specifying the listen address and port (maybe by pointing to `openssh-server.README.Debian`, see below). I see that this requires patching upstream’s `sshd_config`, which is a bit annoying.
- There’s useful info about socket-based activation in `README.Debian`, but I initially failed to find it because it gets installed by the `openssh-client` package, as it’s the first package specified in `d/control`. Consider moving the socket activation bits to `d/openssh-server.README.Debian` in the source package.
TIL about sd_listen_fds(3)!