Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
freeipa (Ubuntu) | Fix Released | Undecided | Unassigned | |
openssh (Ubuntu) | Triaged | Undecided | Unassigned | |
Bug Description
Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/
2024-04-
2024-04-
(in /var/log/
While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Much upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.
But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up:
# systemctl status sshd.service
Unit sshd.service could not be found.
So if ssh.service is already running, it never gets restarted by "ipa-client-
It would be really good to make that alias work by default -- if nothing else, just ship the symlink in the .deb, or create the symlink manually in the postinst?
freeipa-client 4.10.2-2ubuntu3
openssh-server 1:9.6p1-3ubuntu12
Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias:
https:/
We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this.
Changed in openssh (Ubuntu):
status: New → Confirmed
status: Confirmed → Triaged
Changed in freeipa (Ubuntu):
status: New → In Progress
Well, there is a way to map service names from the default ones to what the platform has, so I'll add a mapping sshd->ssh.
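The alias gap described in the report, and the sshd->ssh fallback mentioned in the last comment, as an added shell example that is not code from freeipa, openssh or the reporter. `UNIT_DIRS`, `find_unit`, `ssh_restart_unit` and `alias_missing` are hypothetical names, and the four directories are a simplified subset of systemd's unit search path.

```shell
#!/bin/sh
# Added example, not code from the bug report or from freeipa/openssh.
# UNIT_DIRS is a simplified subset of systemd's unit search path (assumption).
UNIT_DIRS="etc/systemd/system run/systemd/system usr/lib/systemd/system lib/systemd/system"

# find_unit ROOT NAME: print the path of the first matching unit file.
# ROOT is "" on a live system, or a directory holding a copy of the tree.
find_unit() {
    for dir in $UNIT_DIRS; do
        # -e follows symlinks, so a dangling alias link does not count.
        if [ -e "$1/$dir/$2" ]; then
            printf '%s\n' "$1/$dir/$2"
            return 0
        fi
    done
    return 1
}

# ssh_restart_unit ROOT: print the unit name a restart should target.
# Prefers sshd.service and falls back to ssh.service when the alias is absent.
ssh_restart_unit() {
    for name in sshd.service ssh.service; do
        if find_unit "$1" "$name" >/dev/null; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# alias_missing ROOT: succeed when ssh.service declares the sshd.service
# alias in [Install] but no sshd.service unit or link exists, i.e. the unit
# was never enabled and a restart of "sshd.service" would not reach it.
alias_missing() {
    unit=$(find_unit "$1" ssh.service) || return 1
    grep -Eq '^Alias=(.*[[:space:]])?sshd\.service([[:space:]]|$)' "$unit" || return 1
    ! find_unit "$1" sshd.service >/dev/null
}

# On a live system: systemctl try-restart "$(ssh_restart_unit "")"
```

Running `alias_missing ""` after a domain join flags hosts where the rewritten sshd configuration may not have been picked up by the running daemon.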