Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1112691 - ipa-server-install break sshd
ipa-server-install break sshd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Martin Kosek
Namita Soman
:
Depends On:
Blocks: 1201454
  Show dependency treegraph
 
Reported: 2014-06-24 09:40 EDT by Martin Kosek
Modified: 2015-03-17 08:17 EDT (History)
5 users (show)

See Also:
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 05:12:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 09:50:39 EST

  None (edit)
Description Martin Kosek 2014-06-24 09:40:33 EDT 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4373

Just ran ipa-server install on to different Fedora20 machines:

THe second time, I was able to log in and see why sshd stopped running.   

From /var/log/messages


Jun 10 23:04:17 ipa sshd: /etc/ssh/sshd_config line 156: Bad yes/no argument: noKerberosAuthentication


When I edited that file, I saw  two lines were concatenated, as if a newline had been missed:

{{{
UseDNS noKerberosAuthentication no
PubkeyAuthentication yes
}}}

Once this fails, you cannot log into the machine.  sshd will not start.  With an OpenStack install, this is a fatal error:  the machine is unusable afterwards.


The workaround is to edit the file by hand and restart sshd.
Comment 1 Martin Kosek 2014-06-26 06:11:06 EDT 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/3e0245f28fe3f294f21b8d0cc298b1901119921d

Tested with ipa-client-install after I removed the trailing new line in /etc/ssh/sshd_config with:

# perl -i -pe 'chomp if eof' /etc/ssh/sshd_config

With this fix, the sshd_config is no longer broken.
Comment 3 Kaleem 2014-12-17 06:30:49 EST 
How to QE can verify this?
Comment 4 Martin Kosek 2014-12-17 07:54:03 EST 
See https://bugzilla.redhat.com/show_bug.cgi?id=1112691#c1.
Comment 5 Jenny Galipeau 2015-01-27 09:32:40 EST 
Post IPA server install

UseDNS is commented out in the /etc/ssh/sshd_config


Configuration around line 156 ...

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
AuthorizedKeysCommandUser nobody

sshd service restarts without issue


service is running

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Tue 2015-01-27 09:27:54 EST; 5s ago
 Main PID: 24314 (sshd)
   CGroup: /system.slice/sshd.service
           └─24314 /usr/sbin/sshd -D

Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test sshd[24314]: Server listening on 0.0.0.0 port 22.
Jan 27 09:27:54 ibm-x3250m4-05.testrelm.test sshd[24314]: Server listening on :: port 22.


Service stops are starts without issue

# systemctl stop  sshd.service

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: inactive (dead) since Tue 2015-01-27 09:29:35 EST; 5s ago
  Process: 24323 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 24323 (code=exited, status=0/SUCCESS)

Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test sshd[24323]: Server listening on 0.0.0.0 port 22.
Jan 27 09:29:18 ibm-x3250m4-05.testrelm.test sshd[24323]: Server listening on :: port 22.
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test systemd[1]: Stopping OpenSSH server daemon...
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test sshd[24323]: Received signal 15; terminating.
Jan 27 09:29:35 ibm-x3250m4-05.testrelm.test systemd[1]: Stopped OpenSSH server daemon.


# systemctl start  sshd.service

# systemctl status  sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Tue 2015-01-27 09:29:48 EST; 6s ago
 Main PID: 24330 (sshd)
   CGroup: /system.slice/sshd.service
           └─24330 /usr/sbin/sshd -D

Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test systemd[1]: Starting OpenSSH server daemon...
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test systemd[1]: Started OpenSSH server daemon.
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test sshd[24330]: Server listening on 0.0.0.0 port 22.
Jan 27 09:29:48 ibm-x3250m4-05.testrelm.test sshd[24330]: Server listening on :: port 22.

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.1 Beta (Maipo)

# rpm -q ipa-server
ipa-server-4.1.0-16.el7.x86_64

Is this enough to verify this bug?
Comment 7 Martin Kosek 2015-01-28 04:19:59 EST 
If you updated sshd_config before IPA installation to miss the final line break (as described in Comment 1), then yes.
Comment 9 errata-xmlrpc 2015-03-05 05:12:43 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.