openssh-server install does not create privilege separation user sshd

Bug #227592 reported by David Munro
Affects: openssh (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

When I installed the openssh-server package on 8.04, it did not create the sshd privilege separation user, which causes the /etc/init.d/ssh script to fail to start sshd at boot time.

The problem turns out to be in the openssh-server.postinst post install script. This script looks for the presence of user sshd, and does not run adduser if it already exists. However, I had installed NIS, and my NIS server had an sshd account; therefore the postinst script did not add a local sshd user. At reboot, the order of the scripts in /etc/rc2.d is to first run the ssh script, then run the nis script. Since nis has not started when ssh runs, there is no user sshd, and the ssh script fails with a message like "Privilege separation user sshd does not exist." At install time, however, the NIS server was running, so sshd started (apparently the remote sshd account is good enough) and no error was reported.

When I ran the adduser line in openssh-server.postinst by hand, the problem at boot time goes away, and sshd starts correctly at the next boot.

I believe the correct fix is to grep for the sshd user in /etc/passwd in the postinst script, and run adduser to create a local user if it is not found, rather than using getent to detect the presence of sshd. (Apparently getent will find an NIS account, which you don't want.) It makes no sense for the sshd user to be on a remote NIS server; it should always be a local account.

Colin Watson (cjwatson) wrote :

Well, I agree on the general nature of the problem. However, the NIS server will presumably be up when the package is being configured, and won't adduser fail if the user already exists on a NIS server?

Changed in openssh:
importance: Undecided → Medium
status: New → Confirmed
Miguel Di Ciurcio Filho (miguel.filho) wrote :

I have the same problem.

adduser will fail but it will not report it. Digging into the scripts I've found this in /var/lib/dpkg/info/openssh-server.postinst:

setup_sshd_user() {
        if ! getent passwd sshd >/dev/null; then
                adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
        fi
}

When NIS is running, I manually ran the adduser command above and no error is printed, nor is an error status returned: $? is zero. Changing the command and removing the --quiet parameter:

friends:~# adduser --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
The system user `sshd' already exists. Exiting.
friends:~# echo $?
0

So I had to stop NIS and then run adduser again.

friends:~# adduser --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
Adding system user `sshd' (UID 111) ...
Adding new user `sshd' (UID 111) with group `nogroup' ...
Not creating home directory `/var/run/sshd'.
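
The fix the reporter proposes (check /etc/passwd directly instead of getent), combined with the silent zero exit of adduser --quiet shown in the comment above, as an added example that is not part of the bug report or of the Ubuntu postinst. The PASSWD_FILE and ADDUSER_CMD parameters are test hooks I have assumed so the logic can run against a constructed passwd file; the default adduser invocation is the one quoted from the postinst.

```shell
#!/bin/sh
# Added example: detect the local sshd user via /etc/passwd rather than getent,
# so an NIS-provided "sshd" account cannot hide the absence of a local one.

# local_user_exists NAME [PASSWD_FILE]
# Succeeds if NAME has an entry in the local passwd file (default /etc/passwd).
# Matching the first colon-separated field exactly avoids false hits on names
# such as "sshd2" or on a GECOS field that merely mentions sshd.
local_user_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# setup_sshd_user [PASSWD_FILE] [ADDUSER_CMD]
# Creates the local privilege separation user if missing, then re-checks the
# local file: adduser --quiet exits 0 without creating anything when it sees
# the account through NIS, so a plain "adduser || fail" would not catch this.
# ADDUSER_CMD is a test hook (assumed); the default is the postinst invocation.
setup_sshd_user() {
    passwd_file=${1:-/etc/passwd}
    adduser_cmd=${2:-"adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd"}
    if local_user_exists sshd "$passwd_file"; then
        return 0
    fi
    $adduser_cmd
    if ! local_user_exists sshd "$passwd_file"; then
        echo "setup_sshd_user: local user sshd still missing after adduser" >&2
        return 1
    fi
}

# Constructed sample passwd contents (not taken from any real system).
PASSWD_WITHOUT_SSHD='root:x:0:0:root:/root:/bin/bash
sshd2:x:110:65534::/nonexistent:/usr/sbin/nologin'
PASSWD_WITH_SSHD="$PASSWD_WITHOUT_SSHD
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin"

# demo: run against the constructed file lacking sshd, with "true" standing in
# for an adduser that silently does nothing (the NIS case). Returns 1, showing
# that the post-check catches the failure the --quiet run hid.
demo() {
    f=$(mktemp)
    printf '%s\n' "$PASSWD_WITHOUT_SSHD" > "$f"
    setup_sshd_user "$f" true
    rc=$?
    rm -f "$f"
    return $rc
}
```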

Tomas Van Verrewegen (tomasvanverrewegen) wrote :

Just did a clean install of Kubuntu Karmic, and apparently the problem still exists here...
