Your message dated Thu, 16 May 2024 11:04:01 +0000 with message-id <e1s7yu1-001dza...@fasolo.debian.org> and subject line Bug#1069706: fixed in openssh 1:9.7p1-5 has caused the Debian Bug report #1069706, regarding systemd unit files lack ordering wrt nss-user-lookup.target to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1069706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069706 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: openssh-server Version: 1:8.9p1-3ubuntu0.6 Severity: normal Dear Maintainer, According to systemd.special(7) nss-user-lookup.target A target that should be used as synchronization point for all regular UNIX user/group name service lookups. [...] All services for which the availability of the full user/group database is essential should be ordered after this target, but not pull it in. All services which provide parts of the user/group database should be ordered before this target, and pull it in. I have a custom .service that does exactly as described in the second part, i.e. provides part of the user/group database and says Before=nss-user-lookup.target, Wants=nss-user-lookup.target (concretely, it modifies /etc/shadow to update a default password, but that's not really important). I believe sshd definitely belongs in the former category, i.e. sshd should not be started until any such service that updates the user/group database, such as updating /etc/shadow, have run. Hence the ssh.service and ssh.socket files should add After=nss-user-lookup.target in their [Unit] sections. This is a no-op on systems that do not have any service pulling in that target, but required for correctness on systems that do. Of course, I could, and currently do, handle this via a drop-in config fragment in some ssh.service.d/ directory. But this, and other similar synchronization targets, exist so that one does not necessarily need to know about every other service running on the system. -- System Information: Debian Release: bookworm/sid APT prefers jammy-updates APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.15.136-00006-g3d6db53ae88c (SMP w/8 CPU threads) Kernel taint flags: TAINT_WARN Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages openssh-server depends on: ii adduser 3.118ubuntu5 ii debconf [debconf-2.0] 1.5.79ubuntu1 ii dpkg 1.21.1ubuntu2.3 ii init-system-helpers 1.62 ii libaudit1 1:3.0.7-1build1 ii libc6 2.35-0ubuntu3.6 ii libcom-err2 1.46.5-2ubuntu1.1 ii libcrypt1 1:4.4.27-1 ii libgssapi-krb5-2 1.19.2-2ubuntu0.3 ii libkrb5-3 1.19.2-2ubuntu0.3 ii libpam-modules 1.4.0-11ubuntu2.4 ii libpam-runtime 1.4.0-11ubuntu2.4 ii libpam0g 1.4.0-11ubuntu2.4 ii libselinux1 3.3-1build2 ii libssl3 3.0.2-0ubuntu1.15 ii libsystemd0 249.11-0ubuntu3.12 ii libwrap0 7.6.q-31build2 ii lsb-base 11.1.0ubuntu4 ii openssh-client 1:8.9p1-3ubuntu0.6 ii openssh-sftp-server 1:8.9p1-3ubuntu0.6 ii procps 2:3.3.17-6ubuntu2.1 ii ucf 3.0043 ii zlib1g 1:1.2.11.dfsg-2ubuntu9.2 Versions of packages openssh-server recommends: ii libpam-systemd [logind] 249.11-0ubuntu3.12 ii ncurses-term 6.3-2ubuntu0.1 ii ssh-import-id 5.11-0ubuntu1 ii xauth 1:1.1-1build2 Versions of packages openssh-server suggests: pn molly-guard <none> pn monkeysphere <none> ii ssh-askpass 1:1.2.4.1-13 ii ssh-askpass-fullscreen [ssh-askpass] 0.3-3.1build2 ii ssh-askpass-gnome [ssh-askpass] 1:8.9p1-3ubuntu0.6 ii ufw 0.36.1-4ubuntu0.1 -- debconf information excluded
--- End Message ---
--- Begin Message ---Source: openssh Source-Version: 1:9.7p1-5 Done: Colin Watson <cjwat...@debian.org> We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1069...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Colin Watson <cjwat...@debian.org> (supplier of updated openssh package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 16 May 2024 11:16:30 +0100 Source: openssh Architecture: source Version: 1:9.7p1-5 Distribution: unstable Urgency: medium Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> Changed-By: Colin Watson <cjwat...@debian.org> Closes: 1069706 1070725 Changes: openssh (1:9.7p1-5) unstable; urgency=medium . [ Colin Watson ] * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service (closes: #1069706). * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is set. . [ Andreas Hasenack ] * Add autopkgtests for GSSAPI logins, including gssapi-keyex. . [ Luca Boccassi ] * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/ (closes: #1070725). * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De Meyer). Checksums-Sha1: be24ffe4f8a0d8d689f1f8fc2ea336f0b2db14ee 3313 openssh_9.7p1-5.dsc 7e34d48c8d3c3832d83d8df68db26f86d3b61303 193864 openssh_9.7p1-5.debian.tar.xz Checksums-Sha256: 87dce7f64803d2586880b8099b4a4fea47482229fe2aae7293784ed92cf35cc2 3313 openssh_9.7p1-5.dsc 7b5b464c12ae0a54cd77c211d7accf06d3059186fc3a1e116af82c91becc511e 193864 openssh_9.7p1-5.debian.tar.xz Files: 057106f0a6a447ac6fd04556ad6e93ec 3313 net standard openssh_9.7p1-5.dsc d4a2766632fe52649823872860802154 193864 net standard openssh_9.7p1-5.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmZF3TQACgkQOTWH2X2G UAuAghAAokaNB45ZFICeVAxNUskF1tnvqf8/TyyZrvNNjmQ7Q1d2yY+IIQtemPsH Nz7Jq/wJDWLL7KPIprJk+rWVSo2NhWwTMTwt6r6vSat57b4gul/XhqXoZOAbG3b5 R4F/EN/SvVuZBLeIHFZSpBnPB8TTxVY9kPV//IEykVxlBLDpac/jjyEuV+amw4/7 aCVewb54yFC0m6M4gQFJZ+Qq8BwzPE4zrawlq2bE/UIl2pZ8snXf7ai/uFh4DKG5 BkYCfaI9vciPGJN8LuVQkaGpxJdMNKq4NKgDpI+V05bbO4vGXz7TNrbgA8aP9gxK NISuutjpUjBaakpAhX3cLz1PJxOUUb/vb8f3k8FKftfBGIXqryMQ9Sf7h1CyPN7Y OeOoM5+c6UD3kploDRsJaDnUinaeRulkSJQr9o79bRL28ddUk7VbMnGkzijutKUO Todc2SW00p2k0n/wuXg023kOeKEHKWM2RdBAO7YrsiiIXBVhnWFSpt6i/+z/Y9q2 gUQP/kg+3ef/3zo+vPZB8blEORyn5S/88kqcmHx46plx27+lWXlyO4HwGIlwsAxI zOG+tu68r+7CJ06Q/W3hEL8xy7D3cJ6zZx9LmpUGw61Y89NVzUHL3sun9Ynr7LoF HOMFKydLDxK5vbgD7Eku/WnLeAmHtz2SewDGZmTAM1CNyUB3bSU= =siDZ -----END PGP SIGNATURE-----pgpesa_tzj1yh.pgp
Description: PGP signature
--- End Message ---