diff -Nru openssh-7.2p2/debian/changelog openssh-7.2p2/debian/changelog
--- openssh-7.2p2/debian/changelog 2020-01-10 00:01:33.000000000 +0000
+++ openssh-7.2p2/debian/changelog 2020-05-13 14:12:28.000000000 +0000
@@ -1,3 +1,17 @@
+openssh (1:7.2p2-4ubuntu2.10) xenial; urgency=medium
+
+ * Fix deadlock when AuthorizedKeysCommand produces a large output.
+ (LP: #1877454)
+ - d/p/authkeyscommand-deadlock-01.patch: Make sure to call fclose(2)
+ and assign NULL to the file handler used to read
+ "Authorized{Keys,Principal}Command" directives.
+ - d/p/authkeyscommand-deadlock-02.patch: Consume entire output
+ generated by the command pointed by
+ "Authorized{Keys,Principal}Command" in order to avoid sending a
+ SIGPIPE to the process.
+
+ -- Sergio Durigan Junior Wed, 13 May 2020 10:12:28 -0400
+
 openssh (1:7.2p2-4ubuntu2.9) xenial; urgency=medium
 * Apply upstream patch to stop using 2020 as a future date in regress
diff -Nru openssh-7.2p2/debian/patches/authkeyscommand-deadlock-01.patch openssh-7.2p2/debian/patches/authkeyscommand-deadlock-01.patch
--- openssh-7.2p2/debian/patches/authkeyscommand-deadlock-01.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.2p2/debian/patches/authkeyscommand-deadlock-01.patch 2020-05-13 14:12:28.000000000 +0000
@@ -0,0 +1,41 @@
+From: "djm@openbsd.org"
+Date: Fri, 30 Dec 2016 22:08:02 +0000
+Subject: fix deadlock when keys/principals command produces a lot of output
+ and a key is matched early; bz#2655, patch from jboning AT gmail.com
+
+Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
+
+Author: jboning@gmail.com
+Origin: upstream, https://github.com/openssh/openssh-portable/commit/ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2655
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1877454
+Reviewed-By: Sergio Durigan Junior
+Last-Update: 2020-05-08
+---
+ auth2-pubkey.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 1a3beeb..c8bbce3 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -704,6 +704,9 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
+
+ ok = process_principals(f, NULL, pw, cert);
+
++ fclose(f);
++ f = NULL;
++
+ if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
+ goto out;
+
+@@ -1027,6 +1030,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
+
+ ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+
++ fclose(f);
++ f = NULL;
++
+ if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
+ goto out;
+
diff -Nru openssh-7.2p2/debian/patches/authkeyscommand-deadlock-02.patch openssh-7.2p2/debian/patches/authkeyscommand-deadlock-02.patch
--- openssh-7.2p2/debian/patches/authkeyscommand-deadlock-02.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.2p2/debian/patches/authkeyscommand-deadlock-02.patch 2020-05-13 14:12:28.000000000 +0000
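Review bot: In authkeyscommand-deadlock-01.patch, the `fclose(f); f = NULL;` pairs added ahead of `exited_cleanly()` in match_principals_command and user_key_command_allowed2 carry no comment, although their position is the fix: per the patch subject the hang occurs when the command produces a lot of output and a key matches early, so the read end has to be closed before sshd waits for the child. I would add `/* Close the pipe before waiting, or a helper blocked on a full pipe never exits */` above each pair so that a later cleanup does not move the close back after the wait. Resetting `f` presumably keeps the `out:` path from closing the stream a second time; that label is outside both hunks, so confirm it tests `f != NULL`. On its own this patch closes the pipe while the helper may still be writing, which the -02 patch in the same upload revises, so the two entries should stay together in `series`.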
@@ -0,0 +1,74 @@
+From: "djm@openbsd.org"
+Date: Mon, 30 Jan 2017 01:03:00 +0000
+Subject: revise keys/principals command hang fix (bz#2655) to consume entire
+ output, avoiding sending SIGPIPE to subprocesses early; ok dtucker@
+
+Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
+
+Author: Damien Miller
+Origin: upstream, https://github.com/openssh/openssh-portable/commit/52763dd3fe0a4678dafdf7aeb32286e514130afc
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2655
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1877454
+Reviewed-By: Sergio Durigan Junior
+Last-Update: 2020-05-12
+---
+ auth2-pubkey.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index c8bbce3..fb4468e 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -571,10 +571,13 @@ process_principals(FILE *f, char *file, struct passwd *pw,
+{
+ char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
+ u_long linenum = 0;
+- u_int i;
++ u_int i, found_principal = 0;
+
+ auth_start_parse_options();
+ while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
++ /* Always consume entire input */
++ if (found_principal)
++ continue;
+ /* Skip leading whitespace. */
+ for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+@@ -607,11 +610,12 @@ process_principals(FILE *f, char *file, struct passwd *pw,
+ if (auth_parse_options(pw, line_opts,
+ file, linenum) != 1)
+ continue;
+- return 1;
++ found_principal = 1;
++ continue;
+ }
+ }
+ }
+- return 0;
++ return found_principal;
+ }
+
+ static int
+@@ -744,7 +748,12 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+ found = NULL;
+ auth_start_parse_options();
+ while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+- char *cp, *key_options = NULL;
++ char *cp, *key_options = NULL, *fp = NULL;
++ const char *reason = NULL;
++
++ /* Always consume entrire file */
++ if (found_key)
++ continue;
+ if (found != NULL)
+ key_free(found);
+ found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+@@ -833,7 +842,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+ file, linenum, key_type(found), fp);
+ free(fp);
+ found_key = 1;
+- break;
++ continue;
+ }
+ }
+ if (found != NULL)
diff -Nru openssh-7.2p2/debian/patches/series openssh-7.2p2/debian/patches/series
--- openssh-7.2p2/debian/patches/series 2020-01-10 00:01:29.000000000 +0000
+++ openssh-7.2p2/debian/patches/series 2020-05-13 14:12:28.000000000 +0000
@@ -56,3 +56,5 @@
 CVE-2019-6109-2.patch
 CVE-2019-6111-2.patch
 regress-2020.patch
+authkeyscommand-deadlock-01.patch
+authkeyscommand-deadlock-02.patch
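Review bot: In authkeyscommand-deadlock-02.patch, the check_authkeys_file hunk at -744 adds loop-scope `*fp = NULL` and `const char *reason = NULL;` that the drain logic does not need; the unchanged `free(fp);` context at -833 shows `fp` was already declared somewhere before this patch, so the new locals either shadow that declaration or go unused, and should be checked against the 7.2p2 function header (outside the hunk) and dropped from the backport if redundant. The skip checks `if (found_principal) continue;` and `if (found_key) continue;` sit before any parsing, which is what keeps output after the matched line from being parsed, but their comments say only "consume entire input" and the second misspells it as "entrire"; I would use `/* Match found: drain remaining output unparsed so the helper is not sent SIGPIPE */` for both. In process_principals the `continue;` that replaces `return 1;` appears to bind to the inner per-principal loop, whose header is outside the hunk, so `break;` there would avoid calling auth_parse_options again for the same line. The drain also has no bound visible in these hunks, so a helper that never closes its output would keep the loop reading; confirm what limits that in this version.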