From 365b5490f3b12772ed57a6bcfd1e0e8a91185afc Mon Sep 17 00:00:00 2001
From: Rasmus Villemoes
Date: Wed, 17 Apr 2024 13:45:20 +0200
Subject: [PATCH] openssh: add After dependencies on nss-user-lookup.target

Quoting 'man systemd.special':

nss-user-lookup.target A target that should be used as synchronization point for all regular UNIX user/group name service lookups. [...] All services for which the availability of the full user/group database is essential should be ordered after this target, but not pull it in. All services which provide parts of the user/group database should be ordered before this target, and pull it in.

When no service providing parts of the user/group database exists and thus pulls in the nss-user-lookup.target, this added dependency is a no-op. However, when such a service does exist, and e.g. modifies /etc/shadow to change password or enable/disable certain accounts, it is essential that no ssh connections are accepted until those changes are made.

Signed-off-by: Rasmus Villemoes
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
---
 meta/recipes-connectivity/openssh/openssh/sshd.service | 1 +
 meta/recipes-connectivity/openssh/openssh/sshd.socket | 1 +
 2 files changed, 2 insertions(+)

diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
index 2a997b656ac..3e570ab1e5b 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -2,6 +2,7 @@
 Description=OpenSSH server daemon
 Wants=sshdgenkeys.service
 After=sshdgenkeys.service
+After=nss-user-lookup.target
 
 [Service]
 Environment="SSHD_OPTS="
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 8d76d623097..7dd2ed0626a 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,6 +1,7 @@
 [Unit]
 Conflicts=sshd.service
 Wants=sshdgenkeys.service
+After=nss-user-lookup.target
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
-- 
2.47.3
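Review bot: The `After=nss-user-lookup.target` added to sshd.socket can close an ordering cycle, because the [Unit] section shown in this hunk does not set `DefaultDependencies=no`, so the socket also gets the implicit `Before=sockets.target`. A user-database provider that is an ordinary service with default dependencies is ordered after basic.target, and therefore after sockets.target, while also being `Before=nss-user-lookup.target`; systemd resolves such a cycle by dropping a job, which could leave either the SSH listener unstarted or the ordering this commit relies on unenforced. No provider unit is part of this patch, so this is inferred rather than observed; `systemd-analyze verify sshd.socket`, or a search of the boot log for ordering-cycle messages, on an image that ships such a provider would confirm it. I would at least record the constraint next to the new line, e.g. `# Units ordered Before=nss-user-lookup.target must not be ordered after sockets.target (ordering cycle).`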