Hi Henk,

I'm cc'ing this to suse-security because I'm getting a bunch of mails on this issue.

On Wed, Jun 26, 2002 at 09:01:00AM +0200, Henk Vosmeijer wrote:
> As you wrote below I have upgraded openssh with the YAST2 tool. But when
> starting sshd again I get:
>
> Starting SSH deamonPrivilege separation user sshd does not exist
> startproc: exit status of parent of /usr/sbin/sshd: 255

The most likely reason you're seeing this message is that you did not stop the nscd daemon prior to upgrading.

The reason you need to do this is this: In the post-install script inside the RPM, a new group and user are created, both named sshd. This happens by calling

    groupadd sshd
    useradd -g sshd sshd

(You can see the full script if you do rpm -q --script openssh).

However, 15 minutes before releasing the RPMs someone alerted me that there's a bug in the groupadd tool; after adding a new group to /etc/group, it should tell nscd to throw away all cached group information, but it doesn't. So when useradd gets called, it tries to look up the group sshd (specified by the -g switch), and fails because nscd still has the old information.

Note that this bug does not happen all the time; it happens randomly, which is why it wasn't detected by our testing.

This is why the Advisory recommends turning off nscd.

Finally :) here's what you should do to fix your openssh install. Execute the following commands as root, and restart your sshd.

    install -m 755 -o root -g root -d /var/empty
    install -m 755 -o root -g root -d /var/lib/sshd
    groupadd -g 65 sshd
    useradd -u 71 -g sshd -s /bin/false -d /var/lib/sshd sshd

This is the relevant part of the postinstall script that sets up the privilege separation user, and the chroot jail directory /var/empty.

Cheers,
Olaf
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann
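
Added example, not part of the original mail or of the openssh package: a shell check for the state described above, where groupadd succeeded but useradd did not, and for the account values used in the fix. The function names, the message strings and the use of getent for the NSS lookup are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks the sshd privilege separation account against the
# values used in the fix above. File paths are arguments so the check can
# be run on copies of /etc/passwd and /etc/group.

# entry NAME FILE N: print field N of NAME's entry in a colon-separated
# file; the exit status is non-zero when NAME has no entry.
entry() {
    awk -F: -v n="$1" -v k="$3" \
        '$1 == n { print $k; f = 1; exit } END { exit !f }' "$2"
}

# check_privsep PASSWD GROUP: print one line per problem, return 1 if any.
check_privsep() {
    ps_bad=0
    ps_gid=$(entry sshd "$2" 3) || { echo "MISSING group sshd"; ps_bad=1; }
    if ps_ugid=$(entry sshd "$1" 4); then
        [ "$ps_ugid" = "$ps_gid" ] ||
            { echo "MISMATCH user gid $ps_ugid, group sshd is ${ps_gid:-absent}"; ps_bad=1; }
        ps_home=$(entry sshd "$1" 6)
        [ "$ps_home" = /var/lib/sshd ] ||
            { echo "UNEXPECTED home $ps_home"; ps_bad=1; }
        ps_shell=$(entry sshd "$1" 7)
        [ "$ps_shell" = /bin/false ] ||
            { echo "UNEXPECTED shell $ps_shell"; ps_bad=1; }
    else
        echo "MISSING user sshd"; ps_bad=1
    fi
    return "$ps_bad"
}

# cache_stale GROUP: true when GROUP lists sshd but the NSS lookup (answered
# by nscd while it is running) does not: the state in which useradd -g fails.
# Assumption: getent is available for the lookup.
cache_stale() {
    entry sshd "$1" 1 >/dev/null && ! getent group sshd >/dev/null 2>&1
}

# Live check against the real files, only on request: sh check.sh live
if [ "${1:-}" = live ]; then
    if cache_stale /etc/group; then
        echo "STALE group sshd is in /etc/group but not visible; stop nscd"
    fi
    check_privsep /etc/passwd /etc/group && echo "OK sshd privsep account present"
fi
```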