1112691 – ipa-server-install break sshd

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1112691 - ipa-server-install break sshd

Summary: ipa-server-install break sshd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1201454
TreeView+	depends on / blocked

Reported:	2014-06-24 13:40 UTC by Martin Kosek
Modified:	2015-03-17 12:17 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-4.0.3-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 10:12:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	0	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 14:50:39 UTC

Description Martin Kosek 2014-06-24 13:40:33 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4373

Just ran ipa-server install on to different Fedora20 machines:

THe second time, I was able to log in and see why sshd stopped running.   

From /var/log/messages


Jun 10 23:04:17 ipa sshd: /etc/ssh/sshd_config line 156: Bad yes/no argument: noKerberosAuthentication


When I edited that file, I saw  two lines were concatenated, as if a newline had been missed:

{{{
UseDNS noKerberosAuthentication no
PubkeyAuthentication yes
}}}

Once this fails, you cannot log into the machine.  sshd will not start.  With an OpenStack install, this is a fatal error:  the machine is unusable afterwards.


The workaround is to edit the file by hand and restart sshd.

Comment 1 Martin Kosek 2014-06-26 10:11:06 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/3e0245f28fe3f294f21b8d0cc298b1901119921d

Tested with ipa-client-install after I removed the trailing new line in /etc/ssh/sshd_config with:

# perl -i -pe 'chomp if eof' /etc/ssh/sshd_config

With this fix, the sshd_config is no longer broken.

Comment 3 Kaleem 2014-12-17 11:30:49 UTC

How to QE can verify this?

Comment 4 Martin Kosek 2014-12-17 12:54:03 UTC

See https://bugzilla.redhat.com/show_bug.cgi?id=1112691#c1.

Comment 5 Jenny Severance 2015-01-27 14:32:40 UTC

Post IPA server install

UseDNS is commented out in the /etc/ssh/sshd_config


Configuration around line 156 ...

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
AuthorizedKeysCommandUser nobody

sshd service restarts without issue


service is running

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Tue 2015-01-27 09:27:54 EST; 5s ago
 Main PID: 24314 (sshd)
   CGroup: /system.slice/sshd.service
           └─24314 /usr/sbin/sshd -D

Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test sshd[24314]: Server listening on 0.0.0.0 port 22.
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test sshd[24314]: Server listening on :: port 22.


Service stops are starts without issue

# systemctl stop  sshd.service

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: inactive (dead) since Tue 2015-01-27 09:29:35 EST; 5s ago
  Process: 24323 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 24323 (code=exited, status=0/SUCCESS)

Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test sshd[24323]: Server listening on 0.0.0.0 port 22.
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test sshd[24323]: Server listening on :: port 22.
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test systemd[1]: Stopping OpenSSH server daemon...
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test sshd[24323]: Received signal 15; terminating.
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test systemd[1]: Stopped OpenSSH server daemon.


# systemctl start  sshd.service

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Tue 2015-01-27 09:29:48 EST; 6s ago
 Main PID: 24330 (sshd)
   CGroup: /system.slice/sshd.service
           └─24330 /usr/sbin/sshd -D

Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test sshd[24330]: Server listening on 0.0.0.0 port 22.
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test sshd[24330]: Server listening on :: port 22.

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.1 Beta (Maipo)

# rpm -q ipa-server
ipa-server-4.1.0-16.el7.x86_64

Is this enough to verify this bug?

Comment 7 Martin Kosek 2015-01-28 09:19:59 UTC

If you updated sshd_config before IPA installation to miss the final line break (as described in Comment 1), then yes.

Comment 9 errata-xmlrpc 2015-03-05 10:12:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.