Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1317722

Summary: remove /etc/rc.d/init.d/function dependency from sshd-keygen script
Product: [Fedora] Fedora Reporter: Yu Watanabe <watanabe.yu>
Component: opensshAssignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: honglzh, jjelen, mattias.ellert, mgrepl, pasik, plautrba, systemd-maint, tmraz, watanabe.yu
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssh-7.2p2-2.fc23 openssh-7.2p2-2.fc24 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1325535 (view as bug list) Environment:
Last Closed: 2016-04-08 15:50:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch to suppress the error messages
none
sshd-keygen script for systemd unit none

Description Yu Watanabe 2016-03-15 00:49:24 UTC
Created attachment 1136342 [details]
patch to suppress the error messages

Description of problem:

If openssh without initscripts package, sshd-keygen scripts shows error message as follows.
%%%%%%%%%%%%%%%%%%%%%%
/usr/sbin/sshd-keygen: line 10: /etc/rc.d/init.d/functions: No such file or directory
Generating SSH2 RSA host key: /usr/sbin/sshd-keygen: line 63: success: command not found

Generating SSH2 ECDSA host key: /usr/sbin/sshd-keygen: line 105: success: command not found

Generating SSH2 ED25519 host key: /usr/sbin/sshd-keygen: line 126: success: command not found

%%%%%%%%%%%%%%%%%%%%%%
This is caused that /etc/rc.d/init.d/functions, which is provided by initscripts package, cannot be loaded. 

Version-Release number of selected component (if applicable):

openssh-7.2p2-1.fc23.x86_64
openssh-7.2p2-1.fc24.x86_64
openssh-7.2p2-1.fc25.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. install openssh without initscripts package
2. run sshd-keygen command
3.

Actual results:

Host keys are created, but the above error messages are shown.

Expected results:

Host keys are created without any error messages.

Additional info:

I attach a patch to suppress the above error messages. Please review it.

Comment 1 Jakub Jelen 2016-03-15 08:06:53 UTC
Thanks. The patch looks good. I will update the packages soon.

Comment 2 Jakub Jelen 2016-03-16 17:05:07 UTC
Petr had idea about rewriting the old "initd bash" sshd-keygen into systemd service (thanks!). I made an attempt to do that, but there are few changes/difficulties:

 * Missing possibility to re-generate the keys using manual invocation. When the original script was invoked before, it removes potentially existing keys before generating new ones. But it was not possible since using systemd as entrypoint (it started only if some of the keys were not in place) and it is ok, probably.

 * Dropping  AUTOCREATE_SERVER_KEYS  variable from  /etc/sysconfig/sshd  and leaving the preference of keys creation only on the systemd  Wants=  directive in  sshd.service  or on symlinks. Enable a key using:

        systemctl enable sshd-config

 * Dropping support for RSA1 key (SSH1), which is gone for good now in Fedora.

 * I was not able to cover condition for FIPS (to exclude ed25519, dsa keys).

Service snippets below. Tested on my box and it seems to work fine, except the ugly listing of status.

Comments are welcomed. Especially from somebody more close to systemd. What do you think?


$ cat sshd-keygen@.service
[Unit]
Description=OpenSSH %i Server Key Generation
ConditionFileNotEmpty=!/etc/ssh/ssh_host_%i_key
PartOf=sshd.service sshd.socket
Before=sshd.service sshd.socket

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -q -t %i -f /etc/ssh/ssh_host_%i_key -C '' -N ''
ExecStartPost=/usr/bin/chgrp ssh_keys /etc/ssh/ssh_host_%i_key
ExecStartPost=/usr/bin/chmod 640 /etc/ssh/ssh_host_%i_key
ExecStartPost=/usr/bin/chmod 644 /etc/ssh/ssh_host_%i_key.pub
ExecStartPost=-/usr/sbin/restorecon /etc/ssh/ssh_host_%i_key{,.pub}
Type=oneshot
RemainAfterExit=yes


$ cat sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen
Wants=sshd-keygen
Wants=sshd-keygen
[...]

# or the  Wants=  should probably be rather specified as symlinks from  .wants  directory.

Comment 3 Yu Watanabe 2016-03-17 05:07:47 UTC
I notice that anaconda also uses the script.

https://github.com/rhinstaller/anaconda/blob/master/data/systemd/anaconda-sshd.service

Comment 4 Yu Watanabe 2016-03-17 05:52:50 UTC
Created attachment 1137296 [details]
sshd-keygen script for systemd unit

To simplify [Service] section of proposed sshd-keygen@.service, I've tried to write a script. The merits of using the script are
* The script covers FIPS.
* If the system does not have policycoreutils package, 
  which contains restorecon command, systemd does not output error message.

If the attached script is accepted, the unit becomes as follows.

$ cat sshd-keygen@.service
[Unit]
Description=OpenSSH %i Server Key Generation
ConditionFileNotEmpty=!/etc/ssh/ssh_host_%i_key
PartOf=sshd.service sshd.socket
Before=sshd.service sshd.socket

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen-new %i
Type=oneshot
RemainAfterExit=yes

Comment 5 Jakub Jelen 2016-03-31 11:38:08 UTC
Yes. It makes sense on the first sight, but on the other, we will get back where we are now (bash script), but certainly with more flexibility than before (which is also pain in RHEL7 now -- private bug #1228088).

If the systemd guys will not have any complains, I will try to push it forward, but it will certainly need some documentation and guide, since it might not be so obvious.

Comment 6 Fedora Update System 2016-04-06 11:48:42 UTC
openssh-7.2p2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8629d3fbb0

Comment 7 Fedora Update System 2016-04-06 12:10:57 UTC
openssh-7.2p2-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-90c69a9e2a

Comment 8 Fedora Update System 2016-04-07 16:54:50 UTC
openssh-7.2p2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8629d3fbb0

Comment 9 Fedora Update System 2016-04-07 21:19:49 UTC
openssh-7.2p2-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-90c69a9e2a

Comment 10 Fedora Update System 2016-04-08 15:50:36 UTC
openssh-7.2p2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-04-08 17:00:08 UTC
openssh-7.2p2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 PatrickZzzz 2017-08-10 11:13:15 UTC
I've encountered this problem in CentOS 7.3.1611 (Container). Initscripts is installed, but still seeing those errors.

# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core) 

# yum list initscripts
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirrors.sohu.com
 * extras: mirrors.aliyun.com
 * updates: ftp.sjtu.edu.cn
Available Packages
initscripts.x86_64                                                                                               
9.49.37-1.el7_3.1 

# yum list openssh-server
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirrors.sohu.com
 * extras: mirrors.aliyun.com
 * updates: ftp.sjtu.edu.cn
Installed Packages
openssh-server.x86_64                                                                                                6.6.1p1-35.el7_3 



Below is from journal:

Aug 10 08:11:49 centos7chef1215gem sshd-keygen[68]: /usr/sbin/sshd-keygen: line 10: /etc/rc.d/init.d/functions: No such file or directory
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Started Permit User Sessions.
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Started Getty on tty1.
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Starting Getty on tty1...
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Started Login Service.
Aug 10 08:11:49 centos7chef1215gem systemd-logind[70]: Watching system buttons on /dev/input/event0 (Power Button)
Aug 10 08:11:49 centos7chef1215gem systemd-logind[70]: New seat seat0.
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Started Cleanup of Temporary Directories.
Aug 10 08:11:50 centos7chef1215gem sshd-keygen[68]: Generating SSH2 RSA host key: /usr/sbin/sshd-keygen: line 63: success: command not found
Aug 10 08:11:50 centos7chef1215gem sshd-keygen[68]: Generating SSH2 ECDSA host key: /usr/sbin/sshd-keygen: line 105: success: command not found
Aug 10 08:11:50 centos7chef1215gem sshd-keygen[68]: Generating SSH2 ED25519 host key: /usr/sbin/sshd-keygen: line 126: success: command not found
Aug 10 08:11:50 centos7chef1215gem systemd[1]: Started OpenSSH Server Key Generation.
Aug 10 08:11:50 centos7chef1215gem systemd[1]: Starting OpenSSH server daemon...
Aug 10 08:11:50 centos7chef1215gem sshd[394]: Server listening on 0.0.0.0 port 22.
Aug 10 08:11:50 centos7chef1215gem sshd[394]: Server listening on :: port 22.
Aug 10 08:11:50 centos7chef1215gem systemd[1]: Started OpenSSH server daemon.

Comment 13 Jakub Jelen 2017-08-11 06:56:47 UTC
This is a Fedora bug so it does not affect RHEL nor CentOS in any way.