Bug 758535

Summary: Restarting sshd kills current sessions
Product: [Fedora] Fedora Reporter: Konstantin Svist <fry.kun>
Component: systemdAssignee: systemd-maint
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 16CC: johannbg, lpoetter, metherid, notting, plautrba, systemd-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-01 10:16:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Konstantin Svist 2011-11-30 01:11:41 UTC 
Description of problem:
Old behavior of sshd restart was such that existing sessions kept running until disconnected. New behavior makes administering remote machines much harder.

[root@mach ~]# systemctl restart sshd.service 
Connection to mach closed by remote host.
Connection to mach closed.


Version-Release number of selected component (if applicable):
openssh-server 5.8p2-22.fc16
systemd 37-3.fc16

How reproducible:
every time

Steps to Reproduce:
1. ssh into remote F16 machine
2. run "systemctl restar sshd.service"

  
Actual results:
Session is immediately teminated, have to log in again (probably impossible if ran "systemctl stop sshd.service" by accident)

Expected results:
Session should remain open

Additional info:
Comment 1 Petr Lautrbach 2011-11-30 11:03:24 UTC 
How does your /etc/pam.d/sshd and /etc/pam.d/password-auth look like? Do you have 'UsePam yes' in /etc/ssh/sshd_config? See bug #757545
Comment 2 Konstantin Svist 2011-11-30 17:23:19 UTC 
sshd_config indeed uses old configuration with "UsePam no"
This server has a policy of only allowing logins using asymmetric keys -- will pam cause password logins to be allowed?

PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
Comment 3 Petr Lautrbach 2011-12-01 10:16:09 UTC 
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

So with your configuration, PAM is used only for account and session checks and password logins are not enabled.

*** This bug has been marked as a duplicate of bug 757545 ***