[Bug 227592] [NEW] openssh-server install does not create privilege separation user sshd

David Munro dhmunro at users.sourceforge.net
Wed May 7 04:39:05 BST 2008


Public bug reported:

When I installed the openssh-server package on 8.04, it did not create
the sshd privilege separation user, which causes the /etc/init.d/ssh
script to fail to start sshd at boot time.

The problem turns out to be in the openssh-server.postinst post install
script.  This script looks for the presence of user sshd, and does not
run adduser if it already exists.  However, I had installed NIS, and my
NIS server had an sshd account; therefore the postinst script did not
add a local sshd user.  At reboot, the order of the scripts in
/etc/rc2.d is to first run the ssh script, then run the nis script.
Since nis has not started when ssh runs, there is no user sshd, and the
ssh script fails with a message like, "Privilege separation user sshd
does not exist."  At install time, however, the NIS server was running,
so sshd started (apparently the remote sshd account is good enough) and
no error was reported.

When I ran the adduser line in openssh-server.postinst by hand, the
problem at boot time went away, and sshd started correctly at the next
boot.

I believe the correct fix is to grep for the sshd user in /etc/passwd in
the postinst script, and run adduser to create a local user if it is not
found, rather than using getent to detect the presence of sshd.
(Apparently getent will find an NIS account, which you don't want.)  It
makes no sense for the sshd user to be on a remote NIS server; it should
always be a local account.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
openssh-server install does not create privilege separation user sshd
https://bugs.launchpad.net/bugs/227592
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
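
The distinction the report draws, as an added example that is not part of the original message or of openssh-server.postinst: getent answers from every source listed in nsswitch.conf, while reading the passwd file directly answers only for local accounts. The function names, the "nss-only" label and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: local-file check vs. NSS lookup for a service account.

# has_local_user NAME [PASSWD_FILE]
# True only when NAME is exactly the first field of a line in the local file.
# "+name"/"-name" NIS compat lines and longer names (sshd2) do not match.
# Returns 2 when the file cannot be read.
has_local_user() {
    [ -r "${2:-/etc/passwd}" ] || return 2
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# has_nss_user NAME
# True when any source in nsswitch.conf (files, NIS, LDAP, ...) knows NAME.
has_nss_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# classify_user NAME [PASSWD_FILE] -> prints local | nss-only | missing
classify_user() {
    if has_local_user "$1" "${2:-/etc/passwd}"; then
        echo local
    elif has_nss_user "$1"; then
        echo nss-only    # visible through NSS, absent from the file checked
    else
        echo missing
    fi
}

# Constructed sample: a passwd file with no real sshd entry, only a
# look-alike name and an NIS compat line.
demo_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'sshd2:x:999:65534::/nonexistent:/usr/sbin/nologin' \
        '+sshd::::::'
}

tmp=$(mktemp)
demo_passwd > "$tmp"
echo "sshd in constructed file: $(classify_user sshd "$tmp")"
rm -f "$tmp"
```

An install script that branches on "local" rather than on the getent result still creates the account when only a network directory provides it.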


