Currently, the OpenSSH init script has stop_pre and start_pre functions that trigger host key generation via the checkconfig function if the keys are not there. This is the usual case when OpenSSH is started for the very first time on a newly installed system. Inside there's a check to not run checkconfig if $RC_CMD is `restart`. The comment explains the reason behind it: if we do restart, it means it was already started and checkconfig is executed on the stop phase. However, this is not the case when we use `/etc/init.d/sshd restart` as the way to start ssh, which I think should be fine even if the service is not started, or, I always assumed it as the universal logic to start it, or restart it if it was already running. Although the user can manually run the init script with the `start` argument and it will just work, here I got into issues related to this because I use configuration as code, which does all kinds of low-level system configuration for me on newly installed systems. One of them is to trigger `/etc/init.d/sshd restart` if `/etc/ssh/sshd_config` was changed, and there's no additional logic there to check the rc-status before, simply `ensure: restarted` via Ansible. I'd like to propose either removing the stop_pre function and running the check always in start_pre, even if $RC_CMD is `restart`, but the drawback would be no configuration check on stopping, or taking the generation of host keys out of the checkconfig function and running it inside start_pre always, outside of the block that checks for $RC_CMD. How does that sound?

Reproducible: Always
Removing stop_pre is _not_ an option because you never ever want to stop sshd if you know it cannot come back (think about remote machines), so moving `${SSHD_KEYGEN_BINARY} -A || return 2` out of checkconfig is the only option left. But we would have to call this all the time before we call checkconfig (sshd -t), because if the config references a host key that does not exist yet when we validate the config, the check would fail. So I think if we want to address the problem we should just remove `if [ "${RC_CMD}" != "restart" ] ; then` in start_pre and always call checkconfig when starting.
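As an added illustration of the two behaviours discussed above (this is a model written for this page, not the Gentoo init script itself): the pre-fix start_pre skips checkconfig on `restart`, so a `restart` issued against a freshly installed, not-yet-running sshd never generates host keys, while the fixed start_pre always runs checkconfig. `ssh-keygen -A` and `sshd -t` are replaced by simulated stand-ins, and all paths live in a hypothetical temp directory created by `fresh_dir`.

```shell
# Added model (not the Gentoo init script) of the sshd start_pre/stop_pre
# logic discussed above. ssh-keygen -A and sshd -t are simulated so it runs
# anywhere; all paths are created in a temp dir by fresh_dir.

# Stand-in for `${SSHD_KEYGEN_BINARY} -A`: create any missing host key.
gen_keys() {
    for t in rsa ed25519; do
        [ -f "$1/ssh_host_${t}_key" ] || : > "$1/ssh_host_${t}_key"
    done
}

# Stand-in for `${SSHD_BINARY} -t`: every HostKey in the config must exist.
validate_config() {
    for k in $(grep '^HostKey ' "$1/sshd_config" | cut -d' ' -f2); do
        [ -f "$1/$k" ] || return 1
    done
    return 0
}

checkconfig() {
    gen_keys "$1" || return 2
    validate_config "$1" || return 1
}

# Original start_pre: skips checkconfig on restart, assuming stop_pre ran it.
start_pre_old() {
    if [ "$1" != "restart" ]; then
        checkconfig "$2" || return 1
    fi
}

# Fixed start_pre: always run checkconfig, whatever $RC_CMD is.
start_pre_new() {
    checkconfig "$2" || return 1
}

# stop_pre stays: on restart, validate before stopping a working sshd.
stop_pre() {
    if [ "$1" = "restart" ]; then
        checkconfig "$2" || return 1
    fi
}

# Fresh "system": sshd_config references two host keys, none generated yet.
fresh_dir() {
    d=$(mktemp -d)
    printf 'HostKey ssh_host_rsa_key\nHostKey ssh_host_ed25519_key\n' > "$d/sshd_config"
    echo "$d"
}
```

On a stopped service the stop phase never runs, so with the original logic a `restart` leaves the key directory empty and the real sshd would then fail to start; the fixed version generates the keys before validating the config.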
*** Bug 679588 has been marked as a duplicate of this bug. ***
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=057cc59d64ede3c1b8a4a42ad003fb5cc7ef1d3b

commit 057cc59d64ede3c1b8a4a42ad003fb5cc7ef1d3b
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-06 23:55:08 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-06 23:55:56 +0000

net-misc/openssh: always call checkconfig to trigger key generation

Closes: https://bugs.gentoo.org/675922
Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

net-misc/openssh/files/sshd-r1.initd | 87 +++++++++++++++++++++++++++++++
net-misc/openssh/openssh-7.9_p1-r4.ebuild | 2 +-
2 files changed, 88 insertions(+), 1 deletion(-)