
Bug#1069706: marked as done (systemd unit files lack ordering wrt nss-user-lookup.target)



Your message dated Thu, 16 May 2024 11:04:01 +0000
with message-id <E1s7Yu1-001DzA-A3@fasolo.debian.org>
and subject line Bug#1069706: fixed in openssh 1:9.7p1-5
has caused the Debian Bug report #1069706,
regarding systemd unit files lack ordering wrt nss-user-lookup.target
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1069706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069706
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:8.9p1-3ubuntu0.6
Severity: normal

Dear Maintainer,

According to systemd.special(7)

    nss-user-lookup.target

        A target that should be used as synchronization point for all
        regular UNIX user/group name service lookups. [...] All
        services for which the availability of the full user/group
        database is essential should be ordered after this target, but
        not pull it in. All services which provide parts of the
        user/group database should be ordered before this target, and
        pull it in.

I have a custom .service that does exactly as described in the second
part, i.e. provides part of the user/group database and says
Before=nss-user-lookup.target, Wants=nss-user-lookup.target
(concretely, it modifies /etc/shadow to update a default password, but
that's not really important). I believe sshd definitely belongs in the
former category, i.e. sshd should not be started until any such
service that updates the user/group database, such as updating
/etc/shadow, has run.

Hence the ssh.service and ssh.socket files should add

After=nss-user-lookup.target

in their [Unit] sections. This is a no-op on systems that do not have
any service pulling in that target, but required for correctness on
systems that do.

Of course, I could, and currently do, handle this via a drop-in config
fragment in some ssh.service.d/ directory. But this, and other similar
synchronization targets, exist so that one does not necessarily need
to know about every other service running on the system.


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.136-00006-g3d6db53ae88c (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118ubuntu5
ii  debconf [debconf-2.0]  1.5.79ubuntu1
ii  dpkg                   1.21.1ubuntu2.3
ii  init-system-helpers    1.62
ii  libaudit1              1:3.0.7-1build1
ii  libc6                  2.35-0ubuntu3.6
ii  libcom-err2            1.46.5-2ubuntu1.1
ii  libcrypt1              1:4.4.27-1
ii  libgssapi-krb5-2       1.19.2-2ubuntu0.3
ii  libkrb5-3              1.19.2-2ubuntu0.3
ii  libpam-modules         1.4.0-11ubuntu2.4
ii  libpam-runtime         1.4.0-11ubuntu2.4
ii  libpam0g               1.4.0-11ubuntu2.4
ii  libselinux1            3.3-1build2
ii  libssl3                3.0.2-0ubuntu1.15
ii  libsystemd0            249.11-0ubuntu3.12
ii  libwrap0               7.6.q-31build2
ii  lsb-base               11.1.0ubuntu4
ii  openssh-client         1:8.9p1-3ubuntu0.6
ii  openssh-sftp-server    1:8.9p1-3ubuntu0.6
ii  procps                 2:3.3.17-6ubuntu2.1
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2ubuntu9.2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  249.11-0ubuntu3.12
ii  ncurses-term             6.3-2ubuntu0.1
ii  ssh-import-id            5.11-0ubuntu1
ii  xauth                    1:1.1-1build2

Versions of packages openssh-server suggests:
pn  molly-guard                           <none>
pn  monkeysphere                          <none>
ii  ssh-askpass                           1:1.2.4.1-13
ii  ssh-askpass-fullscreen [ssh-askpass]  0.3-3.1build2
ii  ssh-askpass-gnome [ssh-askpass]       1:8.9p1-3ubuntu0.6
ii  ufw                                   0.36.1-4ubuntu0.1

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:9.7p1-5
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 16 May 2024 11:16:30 +0100
Source: openssh
Architecture: source
Version: 1:9.7p1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1069706 1070725
Changes:
 openssh (1:9.7p1-5) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service
     (closes: #1069706).
   * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is
     set.
 .
   [ Andreas Hasenack ]
   * Add autopkgtests for GSSAPI logins, including gssapi-keyex.
 .
   [ Luca Boccassi ]
   * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/
     (closes: #1070725).
   * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De
     Meyer).
Checksums-Sha1:
 be24ffe4f8a0d8d689f1f8fc2ea336f0b2db14ee 3313 openssh_9.7p1-5.dsc
 7e34d48c8d3c3832d83d8df68db26f86d3b61303 193864 openssh_9.7p1-5.debian.tar.xz
Checksums-Sha256:
 87dce7f64803d2586880b8099b4a4fea47482229fe2aae7293784ed92cf35cc2 3313 openssh_9.7p1-5.dsc
 7b5b464c12ae0a54cd77c211d7accf06d3059186fc3a1e116af82c91becc511e 193864 openssh_9.7p1-5.debian.tar.xz
Files:
 057106f0a6a447ac6fd04556ad6e93ec 3313 net standard openssh_9.7p1-5.dsc
 d4a2766632fe52649823872860802154 193864 net standard openssh_9.7p1-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
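
Added example, not part of the bug report or of the openssh package: a shell check that reports whether a unit file, together with its drop-in directory, orders itself after nss-user-lookup.target, which is the property the report asks for and the 1:9.7p1-5 changelog adds. The unit contents, the drop-in name ordering.conf and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Unit contents below are constructed, not the Debian package's files.

# Print every unit named by After= in the [Unit] section of the given files.
after_deps() {
    awk '
        FNR == 1       { in_unit = 0 }          # each file starts outside any section
        /^[ \t]*[#;]/  { next }                 # comment line
        /^\[/          { in_unit = ($0 ~ /^\[Unit\]/); next }
        in_unit && /^After[ \t]*=/ {
            sub(/^After[ \t]*=/, "")
            for (i = 1; i <= NF; i++) print $i
        }
    ' "$@"
}

# unit_ordered_after TARGET UNIT_FILE [DROPIN_DIR]
# Succeeds if the unit file or any *.conf drop-in lists TARGET in After=.
# Drop-ins can only add dependencies, so a union over all files is enough.
unit_ordered_after() {
    target=$1
    dropins=${3:-}
    set -- "$2"
    if [ -n "$dropins" ]; then
        for f in "$dropins"/*.conf; do
            if [ -f "$f" ]; then set -- "$@" "$f"; fi
        done
    fi
    after_deps "$@" | grep -Fxq -- "$target"
}

demo=$(mktemp -d)
mkdir "$demo/ssh.service.d"
# Constructed stand-in for an ssh.service that lacks the ordering.
printf '%s\n' '[Unit]' 'Description=OpenBSD Secure Shell server' \
    'After=network.target auditd.service' '[Service]' \
    'ExecStart=/usr/sbin/sshd -D' > "$demo/ssh.service"
# Hypothetical drop-in of the kind the reporter describes using as a workaround.
printf '%s\n' '[Unit]' 'After=nss-user-lookup.target' \
    > "$demo/ssh.service.d/ordering.conf"

for dir in "" "$demo/ssh.service.d"; do
    if unit_ordered_after nss-user-lookup.target "$demo/ssh.service" "$dir"; then
        echo "drop-in dir '$dir': ordered after nss-user-lookup.target"
    else
        echo "drop-in dir '$dir': NOT ordered after nss-user-lookup.target"
    fi
done
```

On a running system, `systemctl show -p After ssh.service` prints the merged ordering list that systemd actually loaded, which is the authoritative view.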
