Bug#1069706: systemd unit files lack ordering wrt nss-user-lookup.target
Package: openssh-server
Version: 1:8.9p1-3ubuntu0.6
Severity: normal
Dear Maintainer,
According to systemd.special(7)

    nss-user-lookup.target
        A target that should be used as synchronization point for all
        regular UNIX user/group name service lookups. [...] All
        services for which the availability of the full user/group
        database is essential should be ordered after this target, but
        not pull it in. All services which provide parts of the
        user/group database should be ordered before this target, and
        pull it in.

I have a custom .service that does exactly as described in the second
part, i.e. provides part of the user/group database and says

    Before=nss-user-lookup.target, Wants=nss-user-lookup.target

(concretely, it modifies /etc/shadow to update a default password, but
that's not really important). I believe sshd definitely belongs in the
former category, i.e. sshd should not be started until any such
service that updates the user/group database, such as updating
/etc/shadow, has run.
Hence the ssh.service and ssh.socket files should add

    After=nss-user-lookup.target

in their [Unit] sections. This is a no-op on systems that do not have
any service pulling in that target, but required for correctness on
systems that do.
Of course, I could, and currently do, handle this via a drop-in config
fragment in some ssh.service.d/ directory. But this, and other similar
synchronization targets, exist so that one does not necessarily need
to know about every other service running on the system.
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500,
'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.136-00006-g3d6db53ae88c (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.118ubuntu5
ii debconf [debconf-2.0] 1.5.79ubuntu1
ii dpkg 1.21.1ubuntu2.3
ii init-system-helpers 1.62
ii libaudit1 1:3.0.7-1build1
ii libc6 2.35-0ubuntu3.6
ii libcom-err2 1.46.5-2ubuntu1.1
ii libcrypt1 1:4.4.27-1
ii libgssapi-krb5-2 1.19.2-2ubuntu0.3
ii libkrb5-3 1.19.2-2ubuntu0.3
ii libpam-modules 1.4.0-11ubuntu2.4
ii libpam-runtime 1.4.0-11ubuntu2.4
ii libpam0g 1.4.0-11ubuntu2.4
ii libselinux1 3.3-1build2
ii libssl3 3.0.2-0ubuntu1.15
ii libsystemd0 249.11-0ubuntu3.12
ii libwrap0 7.6.q-31build2
ii lsb-base 11.1.0ubuntu4
ii openssh-client 1:8.9p1-3ubuntu0.6
ii openssh-sftp-server 1:8.9p1-3ubuntu0.6
ii procps 2:3.3.17-6ubuntu2.1
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2ubuntu9.2
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 249.11-0ubuntu3.12
ii ncurses-term 6.3-2ubuntu0.1
ii ssh-import-id 5.11-0ubuntu1
ii xauth 1:1.1-1build2
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
ii ssh-askpass 1:1.2.4.1-13
ii ssh-askpass-fullscreen [ssh-askpass] 0.3-3.1build2
ii ssh-askpass-gnome [ssh-askpass] 1:8.9p1-3ubuntu0.6
ii ufw 0.36.1-4ubuntu0.1
-- debconf information excluded
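
The drop-in workaround and the ordering check discussed in the report, as an added example that is not part of the original report or of the openssh-server package. The function names, the drop-in file name 10-nss-user-lookup.conf and the single-directory layout (unit file and its .d/ directory side by side) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and fix ordering of ssh units after nss-user-lookup.target.
TARGET=nss-user-lookup.target

# ordered_after TARGET FILE...: succeed if any [Unit] section in FILEs lists
# TARGET in After=. Dependencies are additive across a unit and its drop-ins.
ordered_after() {
    target=$1; shift
    awk -v target="$target" '
        /^[ \t]*\[/ { in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/); next }
        in_unit && /^[ \t]*After[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            n = split(val, names, /[ \t]+/)
            for (i = 1; i <= n; i++) if (names[i] == target) found = 1
        }
        END { exit(found ? 0 : 1) }' "$@"
}

# audit_unit DIR UNIT: check DIR/UNIT plus DIR/UNIT.d/*.conf.
# Returns 0 = ordered after TARGET, 1 = not ordered, 2 = no unit file found.
audit_unit() {
    dir=$1; unit=$2
    set --
    if [ -f "$dir/$unit" ]; then set -- "$dir/$unit"; fi
    for f in "$dir/$unit.d"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || return 2
    ordered_after "$TARGET" "$@"
}

# write_dropin DIR UNIT: add the ordering; the file name is a hypothetical choice.
write_dropin() {
    mkdir -p "$1/$2.d" &&
    printf '[Unit]\nAfter=%s\n' "$TARGET" > "$1/$2.d/10-nss-user-lookup.conf"
}

# Demo on a constructed unit file in a scratch directory (never touches /etc).
demo() {
    root=$(mktemp -d) || return 1
    printf '[Unit]\nDescription=constructed sample\nAfter=network.target auditd.service\n\n[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$root/ssh.service"
    audit_unit "$root" ssh.service && echo "before: ordered" || echo "before: NOT ordered"
    write_dropin "$root" ssh.service
    audit_unit "$root" ssh.service && echo "after:  ordered" || echo "after:  NOT ordered"
    rm -rf "$root"
}
demo
```

On a live system, `systemctl show -p After ssh.service ssh.socket` reports the merged ordering that systemd actually loaded, and a new drop-in takes effect only after `systemctl daemon-reload`.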