Package: openssh-server Version: 1:8.9p1-3ubuntu0.6 Severity: normal Dear Maintainer,
According to systemd.special(7) nss-user-lookup.target A target that should be used as synchronization point for all regular UNIX user/group name service lookups. [...] All services for which the availability of the full user/group database is essential should be ordered after this target, but not pull it in. All services which provide parts of the user/group database should be ordered before this target, and pull it in. I have a custom .service that does exactly as described in the second part, i.e. provides part of the user/group database and says Before=nss-user-lookup.target, Wants=nss-user-lookup.target (concretely, it modifies /etc/shadow to update a default password, but that's not really important). I believe sshd definitely belongs in the former category, i.e. sshd should not be started until any such service that updates the user/group database, such as updating /etc/shadow, have run. Hence the ssh.service and ssh.socket files should add After=nss-user-lookup.target in their [Unit] sections. This is a no-op on systems that do not have any service pulling in that target, but required for correctness on systems that do. Of course, I could, and currently do, handle this via a drop-in config fragment in some ssh.service.d/ directory. But this, and other similar synchronization targets, exist so that one does not necessarily need to know about every other service running on the system. -- System Information: Debian Release: bookworm/sid APT prefers jammy-updates APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.15.136-00006-g3d6db53ae88c (SMP w/8 CPU threads) Kernel taint flags: TAINT_WARN Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages openssh-server depends on: ii adduser 3.118ubuntu5 ii debconf [debconf-2.0] 1.5.79ubuntu1 ii dpkg 1.21.1ubuntu2.3 ii init-system-helpers 1.62 ii libaudit1 1:3.0.7-1build1 ii libc6 2.35-0ubuntu3.6 ii libcom-err2 1.46.5-2ubuntu1.1 ii libcrypt1 1:4.4.27-1 ii libgssapi-krb5-2 1.19.2-2ubuntu0.3 ii libkrb5-3 1.19.2-2ubuntu0.3 ii libpam-modules 1.4.0-11ubuntu2.4 ii libpam-runtime 1.4.0-11ubuntu2.4 ii libpam0g 1.4.0-11ubuntu2.4 ii libselinux1 3.3-1build2 ii libssl3 3.0.2-0ubuntu1.15 ii libsystemd0 249.11-0ubuntu3.12 ii libwrap0 7.6.q-31build2 ii lsb-base 11.1.0ubuntu4 ii openssh-client 1:8.9p1-3ubuntu0.6 ii openssh-sftp-server 1:8.9p1-3ubuntu0.6 ii procps 2:3.3.17-6ubuntu2.1 ii ucf 3.0043 ii zlib1g 1:1.2.11.dfsg-2ubuntu9.2 Versions of packages openssh-server recommends: ii libpam-systemd [logind] 249.11-0ubuntu3.12 ii ncurses-term 6.3-2ubuntu0.1 ii ssh-import-id 5.11-0ubuntu1 ii xauth 1:1.1-1build2 Versions of packages openssh-server suggests: pn molly-guard <none> pn monkeysphere <none> ii ssh-askpass 1:1.2.4.1-13 ii ssh-askpass-fullscreen [ssh-askpass] 0.3-3.1build2 ii ssh-askpass-gnome [ssh-askpass] 1:8.9p1-3ubuntu0.6 ii ufw 0.36.1-4ubuntu0.1 -- debconf information excluded