Bug 810419
Summary: | sshd.service active after boot (even though it is disabled) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Volker Sobek <reklov> |
Component: | openssh | Assignee: | Petr Lautrbach <plautrba> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 17 | CC: | dennis, mattias.ellert, mgrepl, plautrba, robatino, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | openssh-5.9p1-22.fc17 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-04-12 02:04:42 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Volker Sobek
2012-04-06 02:39:12 UTC
Disabling sshd-keygen.service 'fixes' the bug. Seems to me like 'BindTo=sshd.service' in the file sshd-keygen.service is wrong because it activates sshd.service. $ cat /usr/lib/systemd/system/sshd-keygen.service [Unit] Description=SSH server keys generation. After=syslog.target Before=sshd.service BindTo=sshd.service [Service] Type=oneshot EnvironmentFile=/etc/sysconfig/sshd ExecStart=/usr/sbin/sshd-keygen RemainAfterExit=yes /usr/lib/systemd/system/sshd-keygen.service Notice the fix for bug https://bugzilla.redhat.com/show_bug.cgi?id=805338 (openssh-server unconditionally installs sshd-keygen.service, slows down boot) which should also fix/influence this bug here. (I haven't tested the update yet). So this bug seems to be a result of bug https://bugzilla.redhat.com/show_bug.cgi?id=805338, because having sshd-keygen.service in multi-user.target seems to be the wrong approach. I'll leave this bug here open until the fix is up, because it addresses a separate issue: sshd running after boot. Actually the update is already in testing and I have/had it installed, it just seems that the the update process didn't remove symlinks or something like that ... ? (In reply to comment #3) > Actually the update is already in testing and I have/had it installed, it just > seems that the the update process didn't remove symlinks or something like that > ... ? I decided to not call disable on ssh-keygen.service during update and let users to disable it themselves, but it seems to be wrong decision. > Disabling sshd-keygen.service 'fixes' the bug. Yes. > > Seems to me like 'BindTo=sshd.service' in the file sshd-keygen.service is wrong > because it activates sshd.service. 'BindTo=sshd.service' is needed. ssh-keygen,service is oneshot and stays after exit in running state. And as we need to start ssh-keygen.service every time sshd.service starts, so we need to stop ssh-keygen.service together with sshd.service. Unfortunately there is side effect that sshd.service is started even if sshd-keygen.service is started manually. I've removed sshd-keygen.service completely. sshd-keygen is run from sshd.service now: # cat /usr/lib/systemd/system/sshd.service [Unit] Description=OpenSSH server daemon After=syslog.target network.target auditd.service [Service] EnvironmentFile=/etc/sysconfig/sshd ExecStartPre=/usr/sbin/sshd-keygen ExecStart=/usr/sbin/sshd -D $OPTIONS ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target openssh-5.9p1-22.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/openssh-5.9p1-22.fc17 Package openssh-5.9p1-22.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openssh-5.9p1-22.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-5485/openssh-5.9p1-22.fc17 then log in and leave karma (feedback). openssh-5.9p1-22.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |