[Bug 1691826] Re: systemd script for sshd allows it to start too early should wait for authentication services...

Jonathan Gutow gutow at uwosh.edu
Fri May 19 14:00:24 UTC 2017 

1. I did not intend to set it up as cloud-init. I assumed it got flagged
because I tagged it with systemd-boot. Sorry if that messed things up.
I'm not even sure what packages cloud-init covers. If it is not
appropriate, it should be deleted.

2. The system this resides on is part of a cluster used for quantum
computations. It is usually isolated from the networks. With minimum
luck I will have time to transfer over the nss_ldap config and the
requested logs today. However, your last question suggests what is
probably the issue. I did not intentionally move sshd to ldap, but when
this problem occurred I found that that is where it now resides. I am
quite suspicious that is the actual problem. The other nodes on my
system have a local sshd user. They are still running 14.0.4 rather than
16.04. The node I am having issues with is not used for computations, so
gets used for initial upgrade testing.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1691826

Title:
  systemd script for sshd allows it to start too early should wait for
  authentication services...

Status in cloud-init package in Ubuntu:
  Incomplete
Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  After the most recent update to 16.04 I found that sshd failed to
  launch on bootup. On my particular system this is because it was not
  able to authenticate the user 'sshd'. It appears to be because it is
  starting before authentication services are completely available on my
  system. A simple fix was to make the following change to
  /lib/systemd/system/ssh.service:

  --After=network.target auditd.service
  ++After=network.target auditd.service accounts-daemon.service

  Starting too early might be a security issue, but I do not have the
  expertise to make that judgment. This may also be related to and solve
  this bug #1024475 as I am also serving some of my accounts from ldap.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1691826/+subscriptions

More information about the foundations-bugs mailing list