#3510 PR merged: Copy a sshd helper to the rescue ramdisk
Labels: ready-to-merge?
pcahyna opened issue at 2025-08-15 19:31:
Relax-and-Recover (ReaR) Pull Request Template
Please fill in the following items before submitting a new pull request:
Pull Request Details:
- Type: Bug Fix
- Impact: Critical
- Reference to related issue (URL):
- How was this pull request tested? ssh to the rescue system on EL10.
- Description of the changes in this pull request:
Copy the sshd-session sshd helper to the rescue ramdisk. Without the helper, sshd in the rescue ramdisk does not start on EL 10 and aborts with "/usr/libexec/openssh/sshd-session does not exist or is not executable".
The idea is very similar to the sftp-server part of the script, but the implementation is deliberately different:
- Instead of grepping a fixed known configuration file, the output of sshd -T is used. sshd -T prints the effective configuration on stdout. This way one does not need to know the path to the ssh configuration file, while avoiding possible issues like the one described in https://github.com/rear/rear/pull/1538#issuecomment-337883867 and one also gets automatic support for more complicated setups with configuration snippets like on Debian, see its sshd_config(5) manual page:
  "Note that the Debian openssh-server package sets several options as standard in /etc/ssh/sshd_config which are not the default in sshd(8):
  - Include /etc/ssh/sshd_config.d/*.conf
  ..."
  At the same time, the command takes care of removing comments and assigning default values (one would not get them by grepping the configuration file).
- awk is used instead of grep, allowing to match the precise value of a configuration option and not just the prefix, and to not rely on the shell to parse the output into fields.
- The path to the helper gets added to `COPY_AS_IS` instead of to `PROGS`. The problem with `PROGS` is that it ignores the path (even if the program gets specified by its absolute path) and copies the program to `/usr/bin` - but sshd needs the helper at exactly the same path as on the original system, as it invokes the helper via its full path (not `$PATH`). This behavior of `PROGS` is arguably something that should be changed and `PROGS` should use an absolute path as target if provided. For now, use `COPY_AS_IS` as a workaround.
(The sftp-server part would of course benefit from the same changes, as the arguments above apply to it equally. In particular, the last point looks fatal, as the sftp-server also gets copied to /usr/bin instead of to its correct path, but sshd refers to it by its full path. Indeed, sftp to the rescue system does not work, even if ssh does:
```
$ sftp root@...
Warning: Permanently added ... to the list of known hosts.
Connection closed.
Connection closed
```
Similar code has been here since the beginning of the git history (2009), so I wonder whether the sftp part has ever worked... )
gdha commented at 2025-08-16 14:58:
@pcahyna The code updates look good to me.
pcahyna commented at 2025-08-18 08:55:
I pushed a trivial change to the commit message, no code changes.
lzaoral commented at 2025-08-20 15:40:
Thanks a lot, @pcahyna! Unfortunately, I've just found out that OpenSSH on Fedora Rawhide depends on even another binary: `/usr/libexec/openssh/sshd-auth`. If it's missing, `sshd` will fail with a similar error message:
```
# /bin/sshd -D
/usr/libexec/openssh/sshd-auth does not exist or is not executable
```
Fedora 42 is ok, though.
pcahyna commented at 2025-08-20 16:23:
> Thanks a lot, @pcahyna! Unfortunately, I've just found out that OpenSSH on Fedora Rawhide depends on even another binary: `/usr/libexec/openssh/sshd-auth`. If it's missing, `sshd` will fail with a similar error message:
>
> ```
> # /bin/sshd -D
> /usr/libexec/openssh/sshd-auth does not exist or is not executable
> ```
>
> Fedora 42 is ok, though.
Thanks for the observation - the corresponding parameter is called `SshdAuthPath`:
```
# sshd -T | grep sshd-auth
sshdauthpath /usr/libexec/openssh/sshd-auth
```
perhaps we should copy all the files referenced by parameters whose names end with `path`:
```
# sshd -T | grep path
sshdsessionpath /usr/libexec/openssh/sshd-session
sshdauthpath /usr/libexec/openssh/sshd-auth
```
Of course there is no guarantee that such helpers will follow the same pattern in the future.
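The approach discussed in this thread (exact keyword matching on `sshd -T` output with awk, generalised to every keyword ending in `path`), written out as an added example; it is not code from the pull request or from ReaR. The function names and the sample `sshd -T` output are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample data are constructed.

# Constructed sample of `sshd -T` output: lower-cased keyword, then its value.
sample_sshd_T() {
    cat <<'EOF'
port 22
authorizedkeyscommand none
authorizedkeyscommanduser none
subsystem sftp /usr/libexec/openssh/sftp-server
sshdsessionpath /usr/libexec/openssh/sshd-session
sshdauthpath /usr/libexec/openssh/sshd-auth
EOF
}

# Value of exactly one keyword. Comparing $1 for equality avoids the prefix
# match a plain grep would give (authorizedkeyscommand vs. ...commanduser),
# and stripping only the first field keeps values that contain spaces intact.
sshd_option_value() {
    awk -v key="$1" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print }'
}

# Values of every keyword ending in "path" whose value is an absolute path.
sshd_helper_paths() {
    awk '$1 ~ /path$/ && $2 ~ /^\// { sub(/^[^ \t]+[ \t]+/, ""); print }'
}

# Pass through helpers that exist and are executable; report the others,
# since sshd refuses to start when a configured helper is missing.
existing_helpers() {
    while IFS= read -r helper; do
        if [ -f "$helper" ] && [ -x "$helper" ]; then
            printf '%s\n' "$helper"
        else
            printf 'missing or not executable: %s\n' "$helper" >&2
        fi
    done
}

# Demo on the constructed sample. On a real system the input would be
# `sshd -T` itself, and each printed path would be copied to the same
# absolute location in the rescue image (COPY_AS_IS in the pull request).
sample_sshd_T | sshd_helper_paths
```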
[Export of Github issue for rear/rear.]