Bug 810419

Summary: sshd.service active after boot (even though it is disabled)
Product: [Fedora] Fedora Reporter: Volker Sobek <reklov>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 17CC: dennis, mattias.ellert, mgrepl, plautrba, robatino, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssh-5.9p1-22.fc17 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-12 02:04:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Volker Sobek 2012-04-06 02:39:12 UTC 
Description of problem:

I have:
$ sudo systemctl status sshd.service 
sshd.service - OpenSSH server daemon
	  Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled)
	  Active: active (running) since Fri, 06 Apr 2012 04:09:08 +0200; 46s ago
	Main PID: 855 (sshd)
	  CGroup: name=systemd:/system/sshd.service
		  └ 855 /usr/sbin/sshd -D

But after rebooting I get the same result (sshd.target is disabled but active).


Version-Release number of selected component (if applicable):

Up-to-date Fedora 17

How reproducible:

Steps to Reproduce:
Boot/Reboot F17
 
Actual results:
sshd.target is active

Expected results:
sshd.target is inactive

Additional info:
Comment 1 Volker Sobek 2012-04-06 03:38:42 UTC 
Disabling sshd-keygen.service 'fixes' the bug.

Seems to me like 'BindTo=sshd.service' in the file sshd-keygen.service is wrong because it activates sshd.service.

$ cat /usr/lib/systemd/system/sshd-keygen.service 
[Unit]
Description=SSH server keys generation.
After=syslog.target
Before=sshd.service
BindTo=sshd.service

[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd-keygen
RemainAfterExit=yes
/usr/lib/systemd/system/sshd-keygen.service 


Notice the fix for bug

https://bugzilla.redhat.com/show_bug.cgi?id=805338 (openssh-server unconditionally installs sshd-keygen.service, slows down boot)

which should also fix/influence this bug here. (I haven't tested the update yet).
Comment 2 Volker Sobek 2012-04-06 03:52:37 UTC 
So this bug seems to be a result of bug https://bugzilla.redhat.com/show_bug.cgi?id=805338, because having sshd-keygen.service in multi-user.target seems to be the wrong approach.

I'll leave this bug here open until the fix is up, because it addresses a separate issue: sshd running after boot.
Comment 3 Volker Sobek 2012-04-06 04:14:50 UTC 
Actually the update is already in testing and I have/had it installed, it just seems that the the update process didn't remove symlinks or something like that ... ?
Comment 4 Petr Lautrbach 2012-04-06 07:47:08 UTC 
(In reply to comment #3)
> Actually the update is already in testing and I have/had it installed, it just
> seems that the the update process didn't remove symlinks or something like that
> ... ?

I decided to not call disable on ssh-keygen.service during update and let users to disable it themselves, but it seems to be wrong decision.

> Disabling sshd-keygen.service 'fixes' the bug.

Yes.

> 
> Seems to me like 'BindTo=sshd.service' in the file sshd-keygen.service is wrong
> because it activates sshd.service.

'BindTo=sshd.service' is needed. ssh-keygen,service is oneshot and stays after exit in running state. And as we need to start ssh-keygen.service every time sshd.service starts, so we need to stop ssh-keygen.service together with sshd.service. Unfortunately there is side effect that sshd.service is started even if sshd-keygen.service is started manually.
Comment 5 Petr Lautrbach 2012-04-06 19:30:44 UTC 
I've removed sshd-keygen.service completely. sshd-keygen is run from sshd.service now:

# cat /usr/lib/systemd/system/sshd.service 
[Unit]
Description=OpenSSH server daemon
After=syslog.target network.target auditd.service

[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStartPre=/usr/sbin/sshd-keygen
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
Comment 6 Fedora Update System 2012-04-06 19:40:43 UTC 
openssh-5.9p1-22.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openssh-5.9p1-22.fc17
Comment 7 Fedora Update System 2012-04-06 23:24:45 UTC 
Package openssh-5.9p1-22.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-5.9p1-22.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-5485/openssh-5.9p1-22.fc17
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2012-04-12 02:04:42 UTC 
openssh-5.9p1-22.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.