Created attachment 1156130
Snap of error

Description of problem:
sshd-keygen loaded in failed state

Version-Release number of selected component (if applicable):
Fedora 24 Beta

How reproducible:

Steps to Reproduce:
1. Used Fedora-Cloud-Base-24_Beta
2. Generated the key
3. Accessed using fedora user
4. systemctl --all --failed

Actual results:
sshd-keygen failed

Expected results:
All services should start properly

Additional info:
Can you provide more information on how you "used Fedora-Cloud-Base-24_Beta"? And logs from systemd why this service didn't start properly? Also, the kernel/systemd debug switch should tell us more about the problem.
(In reply to Jakub Jelen from comment #1)
> Can you provide more information on how you "used Fedora-Cloud-Base-24_Beta"?
> And logs from systemd why this service didn't start properly? Also, the
> kernel/systemd debug switch should tell us more about the problem.

● sshd-keygen - OpenSSH ecdsa Server Key Generation
   Loaded: loaded (/usr/lib/systemd/system/sshd-keygen@.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-05-11 17:43:51 UTC; 15h ago
  Process: 864 ExecStart=/usr/libexec/openssh/sshd-keygen %i (code=exited, status=1/FAILURE)
 Main PID: 864 (code=exited, status=1/FAILURE)

May 11 17:43:50 testday.novalocal systemd[1]: Starting OpenSSH ecdsa Server Key Generation...
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen: Main process exited, code=exited, status=1/FAILURE
May 11 17:43:51 testday.novalocal systemd[1]: Failed to start OpenSSH ecdsa Server Key Generation.
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen: Unit entered failed state.
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen: Failed with result 'exit-code'.
sshd-keygen fails with exit status=1 when ssh-keygen fails:

    # create new keys
    if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
        exit 1
    fi

Do you see some SELinux AVCs or in audit? What do the labels on the keys look like?

    ls -lZ /etc/ssh/ssh_host_*

It might also be a problem with the labels on /usr/libexec/openssh/sshd-keygen: there is bin_t, but it should be sshd_keygen_exec_t (that should have been handled earlier too). But I am wondering why it happens only for ecdsa keys. It might be possible that even the rm fails earlier:

    # remove old keys
    rm -f $KEY{,.pub}

Can you reproduce it after changing the context?

    chcon -t sshd_keygen_exec_t /usr/libexec/openssh/sshd-keygen

We should certainly fix this one.
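The label check requested in the comment above, as an added example that is not part of the original bug report or of the Fedora packages: a shell helper that reads `ls -lZ` output and reports when a file's SELinux type differs from the expected one. The function names and the two sample listing lines are constructed for illustration; the path and the types bin_t and sshd_keygen_exec_t come from the comment.

```shell
#!/bin/sh
# Added example: compare SELinux types in `ls -lZ` output with expected types.

# Constructed sample listings (not taken from the reporter's system).
SAMPLE_BROKEN='-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9999 May 11 17:40 /usr/libexec/openssh/sshd-keygen'
SAMPLE_FIXED='-rwxr-xr-x. 1 root root system_u:object_r:sshd_keygen_exec_t:s0 9999 May 11 17:40 /usr/libexec/openssh/sshd-keygen'

# Read `ls -Z` / `ls -lZ` lines on stdin and print "path type" per file.
# The context is the first field shaped like user:role:type:level and the
# path is the last field (paths containing spaces are not handled).
label_pairs() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:[^:]+/) {
                split($i, c, ":"); print $NF, c[3]; next
            }
    }'
}

# check_label EXPECTED_TYPE PATH < listing
# Returns 0 on match, 1 on mismatch, 2 if PATH has no labelled entry.
check_label() {
    want=$1
    path=$2
    got=$(label_pairs | awk -v p="$path" '$1 == p { print $2; exit }')
    if [ -z "$got" ]; then
        echo "MISSING $path"
        return 2
    fi
    if [ "$got" != "$want" ]; then
        echo "MISMATCH $path: have $got, want $want"
        return 1
    fi
    echo "OK $path: $got"
}

# Demo on the constructed listings.
printf '%s\n' "$SAMPLE_BROKEN" | check_label sshd_keygen_exec_t /usr/libexec/openssh/sshd-keygen || true
printf '%s\n' "$SAMPLE_FIXED" | check_label sshd_keygen_exec_t /usr/libexec/openssh/sshd-keygen || true
```

On a live system, pipe the real listing into the helper, for example `ls -lZ /usr/libexec/openssh/sshd-keygen | check_label sshd_keygen_exec_t /usr/libexec/openssh/sshd-keygen`.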
I would be really curious what state your system is in to do such things.

Moving to SELinux policy. Lukas, we probably need the same SELinux context on /usr/libexec/openssh/sshd-keygen as is currently on /usr/sbin/sshd-keygen. This file will go away, but no earlier than in Fedora 25.
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-43d1395a18
selinux-policy-3.13.1-188.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3ccd9afa2f
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.