#7277 openssh 7.6 requires AuthorizedKeysCommandUser to be set explicitly, old freeipa deployments do not have this
Closed: wontfix 6 years ago Opened 6 years ago by adamwill.

My personal FreeIPA server is quite old; it was initially deployed as Fedora 19. I recently upgraded it from Fedora 26 to Fedora 27, and after doing so, sshd would not start. It logged an error: sshd[1551]: AuthorizedKeysCommand set without AuthorizedKeysCommandUser.

I think before ddd8988, FreeIPA install didn't write AuthorizedKeysCommandUser into the config file, and now sshd requires it to be explicitly set; it will not use a default value any more. It seems like that commit tried to add something to the spec file that's intended to add the line for older installs, but for whatever reason this has not worked on my system at any time the package has been updated, and that line has never been added to my sshd_config...


Hi,

there are situations where the script would not add the AuthorizedKeysCommandUser line into the config file.
Can you run the following commands as root and provide their return code (obtained with echo $? after each command)?

/usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null
/usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null
/usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null
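As an added example (not FreeIPA's %triggerin script and not code from this ticket), the following shell functions detect the condition described above, an uncommented AuthorizedKeysCommand with no AuthorizedKeysCommandUser, and insert the missing directive directly after the AuthorizedKeysCommand line rather than appending it to the end of the file, so it cannot land inside a trailing Match block. The user name "nobody" is an assumption taken from the -o test commands above; the sample config in the usage comments is constructed for illustration.

```shell
# Added example: check an sshd_config for "AuthorizedKeysCommand set without
# AuthorizedKeysCommandUser" and repair it in place. Not FreeIPA's own script.
# Usage: . ./akcu_check.sh; check_sshd_config /etc/ssh/sshd_config
#        fix_sshd_config /etc/ssh/sshd_config [user]   (then: sshd -t -f ...)

# 0 if the file has an uncommented AuthorizedKeysCommand directive.
# sshd keywords are case-insensitive, hence grep -i; the trailing
# [[:space:]=] keeps AuthorizedKeysCommandUser from matching here.
has_authorized_keys_command() {
    grep -Eiq '^[[:space:]]*AuthorizedKeysCommand[[:space:]=]' "$1"
}

# 0 if the file has an uncommented AuthorizedKeysCommandUser directive.
has_authorized_keys_command_user() {
    grep -Eiq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]=]' "$1"
}

# Prints one of:
#   unused  - no AuthorizedKeysCommand, nothing to do
#   ok      - both directives present
#   missing - the failure mode from this ticket (sshd 7.6 refuses to start)
check_sshd_config() {
    if ! has_authorized_keys_command "$1"; then
        echo unused
    elif has_authorized_keys_command_user "$1"; then
        echo ok
    else
        echo missing
    fi
}

# Insert "AuthorizedKeysCommandUser <user>" right after the first
# AuthorizedKeysCommand line. Idempotent: does nothing unless "missing".
# Placing it next to the command line (instead of appending) matters because
# a directive appended after a "Match" block would be scoped to that block.
fix_sshd_config() {
    file=$1
    user=${2:-nobody}   # assumed default, as in the sshd -t probes above
    [ "$(check_sshd_config "$file")" = missing ] || return 0
    tmp=$(mktemp) || return 1
    awk -v user="$user" '
        { print }
        # lower-case copy for case-insensitive keyword match (portable awk)
        !done && tolower($0) ~ /^[ \t]*authorizedkeyscommand[ \t=]/ {
            print "AuthorizedKeysCommandUser " user
            done = 1
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps file mode/owner
    rm -f "$tmp"
}
```

After a fix, validate with the same form of check used in the commands above, `sshd -t -f <file>`, before restarting sshd.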

First command gives 0, second and third give 1. This is after I edited my config file back to how it was when sshd failed to run, before I added AuthorizedKeysCommandUser to the file manually.

Thank you for your answer. The response codes are what I would expect on your fedora 26/27 system.
Another thing that could help me troubleshoot is the content of /var/lib/ipa-client/sysrestore/sysrestore.index and /etc/ssh/sshd_config before the upgrade. Depending on the content, the %triggerin script may skip writing AuthorizedKeysCommandUser.

@adamwill can you provide the requested files to aid in troubleshooting?

It's actually kind of hard because, well, I've upgraded. I don't have the contents of the files before the upgrade any more. I don't back up my FreeIPA server because the FreeIPA docs specifically say that it's better to have replicas than backups...

Sure. IIRC typically a client config is not updated post-install at all (a master is also a client).

This sort of thing may fall under the idempotent client installer we have in mind.

I wonder if this should be closed/merged into https://pagure.io/freeipa/issue/6103

Send mail to openssh-owner to see if they can manage updating this. It could affect more than just IPA client machines.

Near as we can tell this affected versions of IPA installed between FreeIPA 3.1.0 and 3.2.0.

Fedora 18 was released on Jan 15th 2013, so I think we've got affected in Fedora 18/19 releases but not after that.

Given the age, the fact that this is the first time reported and the reasonable error message being reported we are going to close this as wontfix.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

6 years ago
