Red Hat Bugzilla – Bug 28611
sshd_config syntax changes in 2.5.1p1 -> condrestart kills sshd.
Last modified: 2008-05-01 11:37:59 EDT
2.5.1p1 from Rawhide.
sshd_config syntax has changed a bit; some old definitions have been obsoleted etc.
New sshd_config is installed with %noreplace.
Thus, condrestart done after rpm -Uvh kills sshd. Undesirable :-/
I wonder if there's a reliable way to change this. Some perl -pi tricks would help some, but
in some cases (e.g. skey, tis -> both to challengeresponseauth) this might also create problems due to
I wonder if a trigger (upgrade from <2.5.0) could prevent condrestart and echo a warning.
Attached is a patch to add 'sshd -t' functionality which checks the validity of the configuration file
and sanity of the host keys.
Adding a test using this to some point at post-installation, and echoing a warning message (for those that might
be updating by hand) might help a bit.
This will probably show up in OpenSSH proper.
[killed sshd sessions are actually rather irritating, so raising severity]
Created attachment 10642
sshd -t functionality for config sanity checking
This defect is considered MUST-FIX for Florence Release-Candidate #2
The getenv() thing may force a 2.5.1p2 within the next week or so.
...but discussion on the developer list indicates that this would be implemented
post-2.5.1, so I'll be looking at it more today.
Have you actually gotten sshd to not restart properly? I can get it to not load
the v2 keys using the older configuration file, but the built-in option aliasing
code is handling the rest of my test config admirably.
Umm. Sorry for jumping the gun. Updating beta4 to openssh-2.5.1p1 _did_ kill my sshd for some
reason so I couldn't connect, but I can't reproduce it now.
Also, the code (readconf.c) seems a lot more friendly about old, obsolete options than I thought.
I suspect you got hit with some initscripts changing that caused the "stop" to
kill *all* running processes named sshd. That was reverted yesterday, IIRC, so
you'll see the change in today's refresh. The new initscripts may also
alleviate part of the hanging-on-exit problem (the part where a daemon restart
would cause the connection to hang at stop).
Well, the migration issue has been sorted out, so far as I can tell. Closing.
The patch for the -t option should be integrated into 2.9p2-7 and later. Thanks!
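The post-installation check discussed in this report, as an added example that is not part of the original thread or of the Red Hat package: a restart step that runs `sshd -t` first and leaves the running daemon alone when the configuration fails validation. The function name `safe_condrestart`, the three overridable variables and their default paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the openssh package): gate a restart on `sshd -t`.
# SSHD, SSHD_CONFIG and RESTART_CMD are assumed names; the defaults below are
# assumed paths and can be overridden by the caller.
SSHD="${SSHD:-/usr/sbin/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
RESTART_CMD="${RESTART_CMD:-/etc/rc.d/init.d/sshd condrestart}"

# Return codes:
#   0  config passed `sshd -t` and the restart command succeeded
#   1  config failed validation; the running sshd was not touched
#   2  sshd binary not found, nothing was checked or restarted
#   other: exit status of the restart command itself
safe_condrestart() {
    if ! command -v "$SSHD" >/dev/null 2>&1; then
        echo "warning: $SSHD not found; sshd not restarted" >&2
        return 2
    fi

    # -t is sshd's test mode: it checks the configuration file and the
    # host keys, then exits without starting a daemon.
    if ! err=$("$SSHD" -t -f "$SSHD_CONFIG" 2>&1); then
        echo "warning: $SSHD_CONFIG failed 'sshd -t'; sshd left running with its old configuration" >&2
        echo "$err" | sed 's/^/  sshd: /' >&2
        return 1
    fi

    # Intentionally unquoted so the command and its argument are split.
    $RESTART_CMD
}

# In a package scriptlet the result must not abort the transaction:
#   safe_condrestart || :
```

Someone upgrading by hand sees the warning and the offending line from `sshd -t` on stderr, while existing sessions and the listening daemon keep running until the configuration is fixed.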