Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1112691

Summary: ipa-server-install break sshd
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: jgalipea, jmontleo, ksiddiqu, mkosek, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.0.3-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:12:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1201454    

Description Martin Kosek 2014-06-24 13:40:33 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4373

Just ran ipa-server install on to different Fedora20 machines:

THe second time, I was able to log in and see why sshd stopped running.   

From /var/log/messages


Jun 10 23:04:17 ipa sshd: /etc/ssh/sshd_config line 156: Bad yes/no argument: noKerberosAuthentication


When I edited that file, I saw  two lines were concatenated, as if a newline had been missed:

{{{
UseDNS noKerberosAuthentication no
PubkeyAuthentication yes
}}}

Once this fails, you cannot log into the machine.  sshd will not start.  With an OpenStack install, this is a fatal error:  the machine is unusable afterwards.


The workaround is to edit the file by hand and restart sshd.
Comment 1 Martin Kosek 2014-06-26 10:11:06 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/3e0245f28fe3f294f21b8d0cc298b1901119921d

Tested with ipa-client-install after I removed the trailing new line in /etc/ssh/sshd_config with:

# perl -i -pe 'chomp if eof' /etc/ssh/sshd_config

With this fix, the sshd_config is no longer broken.
Comment 3 Kaleem 2014-12-17 11:30:49 UTC 
How to QE can verify this?
Comment 4 Martin Kosek 2014-12-17 12:54:03 UTC 
See https://bugzilla.redhat.com/show_bug.cgi?id=1112691#c1.
Comment 5 Jenny Severance 2015-01-27 14:32:40 UTC 
Post IPA server install

UseDNS is commented out in the /etc/ssh/sshd_config


Configuration around line 156 ...

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
AuthorizedKeysCommandUser nobody

sshd service restarts without issue


service is running

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Tue 2015-01-27 09:27:54 EST; 5s ago
 Main PID: 24314 (sshd)
   CGroup: /system.slice/sshd.service
           └─24314 /usr/sbin/sshd -D

Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test sshd[24314]: Server listening on 0.0.0.0 port 22.
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test sshd[24314]: Server listening on :: port 22.


Service stops are starts without issue

# systemctl stop  sshd.service

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: inactive (dead) since Tue 2015-01-27 09:29:35 EST; 5s ago
  Process: 24323 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 24323 (code=exited, status=0/SUCCESS)

Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test sshd[24323]: Server listening on 0.0.0.0 port 22.
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test sshd[24323]: Server listening on :: port 22.
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test systemd[1]: Stopping OpenSSH server daemon...
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test sshd[24323]: Received signal 15; terminating.
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test systemd[1]: Stopped OpenSSH server daemon.


# systemctl start  sshd.service

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Tue 2015-01-27 09:29:48 EST; 6s ago
 Main PID: 24330 (sshd)
   CGroup: /system.slice/sshd.service
           └─24330 /usr/sbin/sshd -D

Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test sshd[24330]: Server listening on 0.0.0.0 port 22.
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test sshd[24330]: Server listening on :: port 22.

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.1 Beta (Maipo)

# rpm -q ipa-server
ipa-server-4.1.0-16.el7.x86_64

Is this enough to verify this bug?
Comment 7 Martin Kosek 2015-01-28 09:19:59 UTC 
If you updated sshd_config before IPA installation to miss the final line break (as described in Comment 1), then yes.
Comment 9 errata-xmlrpc 2015-03-05 10:12:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html