Ubuntu
freeipa package

Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default

Bug #2061055 reported by Martin Pitt
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
freeipa (Ubuntu)
Fix Released
Undecided
Unassigned
openssh (Ubuntu)
Triaged
Undecided
Unassigned

Bug Description

Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu:

2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2024-04-12T03:10:57Z DEBUG Process finished, return code=4

(in /var/log/ipaclient-install.log)

While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't.

But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up:

# systemctl status sshd.service
Unit sshd.service could not be found.

So if ssh.service is already running, it never gets restarted by "ipa-client-install".

It would be really good to make that alias work by default -- if nothing else, just ship the symlink in the .deb, or create the symlink manually in the postinst?

freeipa-client 4.10.2-2ubuntu3
openssh-server 1:9.6p1-3ubuntu12

Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias:
https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d
We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this.

See original description
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

well, there is a way to map service names from the default ones to what the platform has, so I'll add a mapping sshd->ssh.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

this should fail also on Debian, right?

Revision history for this message
Martin Pitt (pitti) wrote :

Timo: It doesn't fail on Debian. See the "That works in Debian because.." in the description (TL/DR: Debian doesn't enable ssh.socket, but ssh.service, which sets up the symlink)

description: updated
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

oh, I'm blind... so adding the mapping for both should be alright then

Revision history for this message
Martin Pitt (pitti) wrote :

Yeah, I could live with that -- but TBH I still consider this mostly a bug in openssh. querying the status of sshd.service really should work. Arch, RHEL, Fedora, OpenSUSE etc. all call this sshd.service.

Timo Aaltonen (tjaalton)
Changed in openssh (Ubuntu):
status: New → Confirmed
status: Confirmed → Triaged
Changed in freeipa (Ubuntu):
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeipa - 4.11.1-2

---------------
freeipa (4.11.1-2) unstable; urgency=medium

  * use-raw-strings.diff: Import patch from upstream to fix noise when
    installing. (LP: #2060298)
  * map-ssh-service.diff: Map sshd service to use ssh.service. (LP:
    #2061055)

 -- Timo Aaltonen <email address hidden> Fri, 12 Apr 2024 14:31:35 +0300

Changed in freeipa (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.