Bug 1317722
| Field | Value |
|---|---|
| Summary | remove /etc/rc.d/init.d/function dependency from sshd-keygen script |
| Product | Fedora |
| Component | openssh |
| Version | 23 |
| Status | CLOSED ERRATA |
| Reporter | Yu Watanabe <watanabe.yu> |
| Assignee | Jakub Jelen <jjelen> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | honglzh, jjelen, mattias.ellert, mgrepl, pasik, plautrba, systemd-maint, tmraz, watanabe.yu |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | openssh-7.2p2-2.fc23 openssh-7.2p2-2.fc24 |
| Doc Type | Bug Fix |
| Type | Bug |
| Story Points | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| (field label lost in extraction) | 1325535 (view as bug list) |
| Last Closed | 2016-04-08 15:50:43 UTC |
| Attachments | 1136342 (patch to suppress the error messages), 1137296 (sshd-keygen script for systemd unit) |
Thanks. The patch looks good. I will update the packages soon.

Petr had an idea about rewriting the old "initd bash" sshd-keygen into a systemd service (thanks!). I made an attempt to do that, but there are a few changes/difficulties:

* Missing possibility to re-generate the keys using manual invocation. When the original script was invoked before, it removed potentially existing keys before generating new ones. But it was not possible since using systemd as the entrypoint (it started only if some of the keys were not in place), and it is ok, probably.
* Dropping the AUTOCREATE_SERVER_KEYS variable from /etc/sysconfig/sshd and leaving the preference of key creation only to the systemd Wants= directive in sshd.service or to symlinks. Enable a key using: systemctl enable sshd-config
* Dropping support for the RSA1 key (SSH1), which is gone for good now in Fedora.
* I was not able to cover the condition for FIPS (to exclude ed25519, dsa keys).

Service snippets below. Tested on my box and it seems to work fine, except the ugly listing of status. Comments are welcome, especially from somebody closer to systemd. What do you think?

$ cat sshd-keygen@.service

```ini
[Unit]
Description=OpenSSH %i Server Key Generation
ConditionFileNotEmpty=!/etc/ssh/ssh_host_%i_key
PartOf=sshd.service sshd.socket
Before=sshd.service sshd.socket

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -q -t %i -f /etc/ssh/ssh_host_%i_key -C '' -N ''
ExecStartPost=/usr/bin/chgrp ssh_keys /etc/ssh/ssh_host_%i_key
ExecStartPost=/usr/bin/chmod 640 /etc/ssh/ssh_host_%i_key
ExecStartPost=/usr/bin/chmod 644 /etc/ssh/ssh_host_%i_key.pub
ExecStartPost=-/usr/sbin/restorecon /etc/ssh/ssh_host_%i_key{,.pub}
Type=oneshot
RemainAfterExit=yes
```

$ cat sshd.service

```ini
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen
Wants=sshd-keygen
Wants=sshd-keygen
[...]
# or the Wants= should probably be rather specified as symlinks from the .wants directory.
```

I notice that anaconda also uses the script. https://github.com/rhinstaller/anaconda/blob/master/data/systemd/anaconda-sshd.service

Created attachment 1137296 [details]
sshd-keygen script for systemd unit
To simplify the [Service] section of the proposed sshd-keygen@.service, I've tried to write a script. The merits of using the script are:

* The script covers FIPS.
* If the system does not have the policycoreutils package, which contains the restorecon command, systemd does not output an error message.

If the attached script is accepted, the unit becomes as follows.

$ cat sshd-keygen@.service

```ini
[Unit]
Description=OpenSSH %i Server Key Generation
ConditionFileNotEmpty=!/etc/ssh/ssh_host_%i_key
PartOf=sshd.service sshd.socket
Before=sshd.service sshd.socket

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen-new %i
Type=oneshot
RemainAfterExit=yes
```
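As an added illustration of what a helper behind the `ExecStart=/usr/bin/ssh-keygen-new %i` line could look like (this is not the script attached to the bug, whose contents are not reproduced on this page), the following shell script takes the systemd instance name as its argument, refuses ed25519 and dsa keys when the kernel reports FIPS mode, never overwrites an existing key, and calls restorecon only when it is installed. The `SSH_KEYDIR` and `SSHD_KEYGEN_FIPS` variables are assumptions introduced here so the checks can be exercised without touching /etc/ssh; the file ownership and modes follow the ExecStartPost lines of the earlier proposal.

```shell
#!/bin/sh
# Added example, not the attachment from this bug: a possible helper for
# "ExecStart=/usr/bin/ssh-keygen-new %i" covering the two merits listed above
# (FIPS handling, and a missing restorecon not being an error).
# Assumed here: SSH_KEYDIR (key directory) and SSHD_KEYGEN_FIPS (overrides the
# kernel FIPS flag, useful for testing the policy without a FIPS kernel).

KEYDIR=${SSH_KEYDIR:-/etc/ssh}

# True when the kernel is in FIPS mode, or when SSHD_KEYGEN_FIPS=1 forces it.
fips_enabled() {
    if [ -n "${SSHD_KEYGEN_FIPS+x}" ]; then
        [ "$SSHD_KEYGEN_FIPS" = 1 ]
    else
        [ -r /proc/sys/crypto/fips_enabled ] &&
            [ "$(cat /proc/sys/crypto/fips_enabled)" = 1 ]
    fi
}

# Returns 0 if a host key of this type may be generated on this system.
# rsa1 is deliberately not accepted: SSH1 support is gone, as noted in the thread.
key_type_allowed() {
    case $1 in
        rsa|ecdsa) return 0 ;;
        ed25519|dsa) ! fips_enabled ;;
        *) echo "unsupported host key type: $1" >&2; return 1 ;;
    esac
}

# Generate one host key, mirroring the ExecStart/ExecStartPost lines of the
# first sshd-keygen@.service proposal, with restorecon made optional.
generate_host_key() {
    ktype=$1
    key="$KEYDIR/ssh_host_${ktype}_key"
    key_type_allowed "$ktype" || return 1
    # Never clobber an existing key. ConditionFileNotEmpty in the unit already
    # prevents this for the systemd path; a manual run should be equally safe.
    if [ -s "$key" ]; then
        return 0
    fi
    ssh-keygen -q -t "$ktype" -f "$key" -C '' -N '' || return 1
    chgrp ssh_keys "$key" && chmod 640 "$key" && chmod 644 "$key.pub" || return 1
    # policycoreutils may be absent (containers, minimal installs): skip quietly
    # instead of failing the unit.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$key" "$key.pub"
    fi
}

# When run as a script, the single argument is the systemd instance name (%i).
if [ $# -gt 0 ]; then
    generate_host_key "$1"
fi
```

Run as `ssh-keygen-new rsa` (or via the unit's `%i`), the script exits non-zero only for a real failure; an already-present key or a type excluded by FIPS policy is reported through the return code of `key_type_allowed`, which is the part worth checking in isolation.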
Yes. It makes sense at first sight, but on the other hand, we will get back to where we are now (bash script), but certainly with more flexibility than before (which is also a pain in RHEL7 now -- private bug #1228088). If the systemd guys do not have any complaints, I will try to push it forward, but it will certainly need some documentation and a guide, since it might not be so obvious.

openssh-7.2p2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8629d3fbb0

openssh-7.2p2-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-90c69a9e2a

openssh-7.2p2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8629d3fbb0

openssh-7.2p2-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-90c69a9e2a

openssh-7.2p2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

openssh-7.2p2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

I've encountered this problem in CentOS 7.3.1611 (Container). Initscripts is installed, but I am still seeing those errors.

```text
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
# yum list initscripts
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirrors.sohu.com
 * extras: mirrors.aliyun.com
 * updates: ftp.sjtu.edu.cn
Available Packages
initscripts.x86_64 9.49.37-1.el7_3.1
# yum list openssh-server
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirrors.sohu.com
 * extras: mirrors.aliyun.com
 * updates: ftp.sjtu.edu.cn
Installed Packages
openssh-server.x86_64 6.6.1p1-35.el7_3
```

Below is from the journal:

```text
Aug 10 08:11:49 centos7chef1215gem sshd-keygen[68]: /usr/sbin/sshd-keygen: line 10: /etc/rc.d/init.d/functions: No such file or directory
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Started Permit User Sessions.
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Started Getty on tty1.
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Starting Getty on tty1...
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Started Login Service.
Aug 10 08:11:49 centos7chef1215gem systemd-logind[70]: Watching system buttons on /dev/input/event0 (Power Button)
Aug 10 08:11:49 centos7chef1215gem systemd-logind[70]: New seat seat0.
Aug 10 08:11:49 centos7chef1215gem systemd[1]: Started Cleanup of Temporary Directories.
Aug 10 08:11:50 centos7chef1215gem sshd-keygen[68]: Generating SSH2 RSA host key: /usr/sbin/sshd-keygen: line 63: success: command not found
Aug 10 08:11:50 centos7chef1215gem sshd-keygen[68]: Generating SSH2 ECDSA host key: /usr/sbin/sshd-keygen: line 105: success: command not found
Aug 10 08:11:50 centos7chef1215gem sshd-keygen[68]: Generating SSH2 ED25519 host key: /usr/sbin/sshd-keygen: line 126: success: command not found
Aug 10 08:11:50 centos7chef1215gem systemd[1]: Started OpenSSH Server Key Generation.
Aug 10 08:11:50 centos7chef1215gem systemd[1]: Starting OpenSSH server daemon...
Aug 10 08:11:50 centos7chef1215gem sshd[394]: Server listening on 0.0.0.0 port 22.
Aug 10 08:11:50 centos7chef1215gem sshd[394]: Server listening on :: port 22.
Aug 10 08:11:50 centos7chef1215gem systemd[1]: Started OpenSSH server daemon.
```

This is a Fedora bug so it does not affect RHEL nor CentOS in any way.
Created attachment 1136342 [details]
patch to suppress the error messages

Description of problem:
If openssh is installed without the initscripts package, the sshd-keygen script shows error messages as follows.

```text
/usr/sbin/sshd-keygen: line 10: /etc/rc.d/init.d/functions: No such file or directory
Generating SSH2 RSA host key: /usr/sbin/sshd-keygen: line 63: success: command not found
Generating SSH2 ECDSA host key: /usr/sbin/sshd-keygen: line 105: success: command not found
Generating SSH2 ED25519 host key: /usr/sbin/sshd-keygen: line 126: success: command not found
```

This is caused by /etc/rc.d/init.d/functions, which is provided by the initscripts package, not being loadable.

Version-Release number of selected component (if applicable):
openssh-7.2p2-1.fc23.x86_64
openssh-7.2p2-1.fc24.x86_64
openssh-7.2p2-1.fc25.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. install openssh without the initscripts package
2. run the sshd-keygen command
3.

Actual results:
Host keys are created, but the above error messages are shown.

Expected results:
Host keys are created without any error messages.

Additional info:
I attach a patch to suppress the above error messages. Please review it.
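The failure mode in the description, an unconditional `. /etc/rc.d/init.d/functions` at line 10 followed by calls to `success` that no longer exist, is the kind of hard dependency a shell script can tolerate gracefully. The following added example is not the patch attached to this bug (the attachment is not reproduced on this page); it sources the initscripts helpers only when the file is readable and otherwise defines minimal `success`/`failure` stand-ins, so the "Generating SSH2 RSA host key:" status line still prints and the step's exit status still reflects the outcome. `INIT_FUNCTIONS` is an assumed override variable, and `generate_key_step` is a hypothetical stand-in for one key-generation step of the original script.

```shell
#!/bin/bash
# Added example, not the patch attached to this bug: tolerate a missing
# /etc/rc.d/init.d/functions instead of failing with "command not found".
# INIT_FUNCTIONS is an assumed variable so the path can be overridden.

INIT_FUNCTIONS=${INIT_FUNCTIONS:-/etc/rc.d/init.d/functions}

# Source the initscripts helpers when available. Returns 0 when the real file
# was loaded and 1 when the built-in stand-ins below are in use, so a caller
# can tell the two situations apart.
load_init_functions() {
    if [ -r "$INIT_FUNCTIONS" ]; then
        . "$INIT_FUNCTIONS"
        return 0
    fi
    # Minimal replacements with the same contract as the initscripts versions:
    # print a status marker and return 0 (success) or 1 (failure).
    success() { printf '[  OK  ]\n'; return 0; }
    failure() { printf '[FAILED]\n'; return 1; }
    return 1
}

# Run one step ("Generating SSH2 RSA host key: ..." in the original script)
# and report it through success/failure, whichever definition is active.
# The function's exit status is that of the step.
run_step() {
    msg=$1
    shift
    printf '%s: ' "$msg"
    if "$@"; then
        success
    else
        failure
    fi
}

# Hypothetical single key-generation step, mirroring the original script's
# flow for one key type; the key path can be overridden for testing.
generate_key_step() {
    ktype=$1
    key=${2:-/etc/ssh/ssh_host_${ktype}_key}
    run_step "Generating SSH2 $(echo "$ktype" | tr a-z A-Z) host key" \
        ssh-keygen -q -t "$ktype" -f "$key" -C '' -N ''
}

# When run as a script, generate the key type given as the first argument.
if [ $# -gt 0 ]; then
    load_init_functions
    generate_key_step "$1"
fi
```

With initscripts installed, `load_init_functions` loads the real helpers and nothing changes; without it, the stand-ins keep the output readable and, more importantly, keep the exit status of each step meaningful rather than always ending in "command not found".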