From nobody@FreeBSD.org  Sun Oct 16 14:32:01 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A44801065724
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 16 Oct 2011 14:32:00 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 938248FC15
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 16 Oct 2011 14:32:00 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p9GEW0up094602
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 16 Oct 2011 14:32:00 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p9GEVxRg094601;
	Sun, 16 Oct 2011 14:31:59 GMT
	(envelope-from nobody)
Message-Id: <201110161431.p9GEVxRg094601@red.freebsd.org>
Date: Sun, 16 Oct 2011 14:31:59 GMT
From: John Blazek <freebsd.org@logicalsolutns.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: SSHD starts on boot even if  sshd_enable="NO" in 8.2
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         161710
>Category:       conf
>Synopsis:       SSHD starts on boot even if  sshd_enable="NO" in 8.2
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-rc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 16 14:40:07 UTC 2011
>Closed-Date:    Wed Oct 26 17:29:56 UTC 2011
>Last-Modified:  Sat Oct 29 00:10:14 UTC 2011
>Originator:     John Blazek
>Release:        8.2-RELEASE-p4
>Organization:
>Environment:
[root@kahlua]:[~]# uname -a
FreeBSD kahlua.logicalsolutns.com 8.2-RELEASE-p4 FreeBSD 8.2-RELEASE-p4 #7: Wed Oct  5 07:33:04 CDT 2011     root@kahlua.logicalsolutns.com:/usr/obj/usr/src/sys/KAHLUA  i386
[root@kahlua]:[~]#

>Description:
After upgrading from 7.3 to 8.2, I found errors in my /var/log/messages
file indicating that inetd had a conflict.

(We run inetd to handle ssh on this machine).

After investigating I discovered that all of my 8.2 boxes are starting
SSHD even though /etc/rc.conf has sshd_enable="NO"

To diagnose the issue, I added sshd_flags="-p 9991" to rc.conf and rebooted

The system booted with sshd running on port 9991

[root@kahlua]:[/usr/src]# sockstat | grep sshd
root     sshd       37697 3  tcp6   *:9991                *:*
root     sshd       37697 4  tcp4   *:9991                *:*

I then ran the /usr/sbin/sshd command and sshd also started on port 2220
(which is what is set in /etc/ssh/sshd_config).

[root@kahlua]:[/usr/src]# /usr/sbin/sshd
[root@kahlua]:[/usr/src]# sockstat | grep sshd
root     sshd       17757 3  tcp6   *:2220                *:*
root     sshd       37697 3  tcp6   *:9991                *:*
root     sshd       37697 4  tcp4   *:9991                *:*

(Note: inetd was running tcp4 on *:2220 per /etc/rc.conf and inetd.conf)

If I've done something wrong on my end, I don't know what it is.
It appears that this same issue is impacting all of my 8.2 boxes.
>How-To-Repeat:
[root@kahlua]:[~]# cat /etc/rc.conf | grep sshd
# sshd is controlleb by inetd
sshd_enable="NO"
sshd_flags="-p 9991"
[root@kahlua]:[~]#


/etc/ssh/sshd_config

#Port 22
Port 2220
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::


ps axu | grep sshd
root  37697  0.0  0.8  6712  4036  ??  Is    9:08AM   0:00.00 /usr/sbin/sshd -p 9991

>Fix:


>Release-Note:
>Audit-Trail:
Date: Sun, 16 Oct 2011 15:50:40 GMT
From: John Blazek <freebsd.org@logicalsolutns.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: SSHD starts on boot even if  sshd_enable="NO" in 8.2
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

After tracking this down further, it appears to be directly related to
an entry in /etc/rc.local

/usr/sbin/sshd -p 22200


This entry is intended to start a separate instance of sshd for
administrator access.

When this entry is commented out with hash #, no sshd process starts.
When the hash is removed, sshd starts on both port 22200 and port 9991


*BOOTED WITH #/usr/sbin/sshd -p 22200  in rc.local
[root@kahlua]:[~]# cat /etc/rc.local
#/usr/sbin/sshd -p 22200
sysctl kern.securelevel=2



result: no sshd running. inetd listening on 2220

[root@kahlua]:[~]# sockstat | grep ssh
[root@kahlua]:[~]# sockstat | grep 2220
root     inetd      45432 5  tcp4   *:2220                *:*
[root@kahlua]:[~]#


Then manually executing the command starts sshd as expected:

[root@kahlua]:[~]# /usr/sbin/sshd -p 22200
[root@kahlua]:[~]# sockstat | grep ssh
root     sshd       56999 3  tcp6   *:22200               *:*
root     sshd       56999 4  tcp4   *:22200               *:*
[root@kahlua]:[~]#


*************************************************************************

Removed Hash from rc.local, to start copy of ssh on port 22200

[root@kahlua]:[~]# cat /etc/rc.local
/usr/sbin/sshd -p 22200
sysctl kern.securelevel=2
[root@kahlua]:[~]#


This resulted in an 'extra' copy of sshd starting (using the flag
-p 9991 from rc.conf)

[root@kahlua]:[~]# cat /etc/rc.conf | grep ssh
# sshd is controlleb by inetd
sshd_enable="NO"
sshd_flags="-p 9991"


[root@kahlua]:[~]# sockstat | grep ssh
root     sshd       33493 3  tcp6   *:9991                *:*
root     sshd       33493 4  tcp4   *:9991                *:*
root     sshd       7532  3  tcp6   *:22200               *:*
root     sshd       7532  4  tcp4   *:22200               *:*

[root@kahlua]:[~]# sockstat | grep 2220
root     inetd      49601 5  tcp4   *:2220                *:*
root     sshd       7532  3  tcp6   *:22200               *:*
root     sshd       7532  4  tcp4   *:22200               *:*
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Oct 16 22:39:03 UTC 2011 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161710 
State-Changed-From-To: open->closed 
State-Changed-By: delphij 
State-Changed-When: Wed Oct 26 17:29:36 UTC 2011 
State-Changed-Why:  
Looks like a configuration error rather than bug. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161710 

From: John Blazek <freebsd.org@logicalsolutns.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/161710: SSHD starts on boot even if  sshd_enable=
Date: Fri, 28 Oct 2011 13:48:20 -0500

 Hello,
 
 I respectfully request/suggest that you attempt to reproduce this, or contact me for a login to one of the servers that demonstrates this behavior.
 
 It appears you may have summarily dismissed this bug report simply on the basis of not liking inetd (based on your email suggestion to me privately).
 
 1) inetd does not start sshd as a LISTEN service. 
 2) inetd is not configured to listen on EITHER of the two ports that are involved with the SSHD processes that are started
 3) the double startup only occurs when sshd is invoked via /etc/rc.local on boot
 
 When the invocation is removed from rc.local "NO" instances of sshd are started.
 
 
 A) I don't have a closed mind. I'm more than willing to entertain that there is a configuration error.
 B) If it is a configuration error, then it is an error that behaved quite differently in prior versions of FreeBSD.
 
 The same configuration has been used on these servers for years.
 
 -john
 

From: Dimitry Andric <dim@FreeBSD.org>
To: bug-followup@FreeBSD.org, freebsd.org@logicalsolutns.com
Cc:  
Subject: Re: conf/161710: SSHD starts on boot even if  sshd_enable="NO"
 in 8.2
Date: Fri, 28 Oct 2011 22:38:29 +0200

 I tried reproducing this on 8-STABLE, by:
 
 1) setting sshd_enable="NO" in /etc/rc.conf
 2) setting sshd_flags="-p 9991" in /etc/rc.conf
 3) adding '/usr/sbin/sshd -p 22200' to /etc/rc.local
 4) adding inetd_enable="YES" in /etc/rc.conf
 5) uncommenting the default ssh lines in /etc/inetd.conf
 
 End result, after rebooting, is:
 
 1) sshd is running as "/usr/sbin/sshd -p 22200", listening on port
     22200 as expected
 2) inetd is listening on port 22, as expected
 3) sshd is NOT started by /etc/rc.d/sshd.  In fact, if you run
     '/etc/rc.d/sshd start', you get the expected error message about sshd
     not being enabled.
 
 In short, I cannot reproduce your issue.  It could help if you post some
 more information, for example, what is the output of:
 
 /bin/sh -x /etc/rc.d/sshd start
 
 ?

From: John Blazek <freebsd.org@logicalsolutns.com>
To: Dimitry Andric <dim@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: conf/161710: SSHD starts on boot even if 
  sshd_enable="NO" in 8.2
Date: Fri, 28 Oct 2011 16:28:41 -0500

 Hello,
 
 Thank you for attempting to reproduce it.
 
 I concur with your result 3b) If you try to type /etc/rc.d/sshd start - it won't start.
 
 The servers that are exhibiting this are currently production servers and I cannot conveniently reboot them on command.
 
 I will build a fresh box and see if I can duplicate it from scratch.
 
 You are welcome to TeamView or SSH/screen view one of the servers to examine the configuration.
 
 -john
 
 
 
 At 03:38 PM 10/28/2011, Dimitry Andric wrote:
 >I tried reproducing this on 8-STABLE, by:
 >
 >1) setting sshd_enable="NO" in /etc/rc.conf
 >2) setting sshd_flags="-p 9991" in /etc/rc.conf
 >3) adding '/usr/sbin/sshd -p 22200' to /etc/rc.local
 >4) adding inetd_enable="YES" in /etc/rc.conf
 >5) uncommenting the default ssh lines in /etc/inetd.conf
 >
 >End result, after rebooting, is:
 >
 >1) sshd is running as "/usr/sbin/sshd -p 22200", listening on port
 >   22200 as expected
 >2) inetd is listening on port 22, as expected
 >3) sshd is NOT started by /etc/rc.d/sshd.  In fact, if you run
 >   '/etc/rc.d/sshd start', you get the expected error message about sshd
 >   not being enabled.
 >
 >In short, I cannot reproduce your issue.  It could help if you post some
 >more information, for example, what is the output of:
 >
 >/bin/sh -x /etc/rc.d/sshd start
 >
 >?
 

From: Dimitry Andric <dim@FreeBSD.org>
To: bug-followup@FreeBSD.org, freebsd.org@logicalsolutns.com
Cc:  
Subject: Re: conf/161710: SSHD starts on boot even if  sshd_enable="NO"
 in 8.2
Date: Sat, 29 Oct 2011 01:30:45 +0200

 This is a multi-part message in MIME format.
 --------------050401080107000606050906
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 Aha, now I see the cause of the problem.  A similar case to yours was
 actually reported in conf/156427:
 
    http://www.freebsd.org/cgi/query-pr.cgi?pr=156427
 
 There is an issue in /etc/rc.subr, which was introduced accidentally in
 r206686, fixed in head in r220760, and later merged to stable/8 in
 r220958:
 
    http://svnweb.freebsd.org/base?view=revision&revision=220958
 
 but this was after 8.2 released, unfortunately.
 
 You should be able to fix it by applying just the diff to rc.subr, which
 I have attached for your convenience.
 
 --------------050401080107000606050906
 Content-Type: text/x-diff;
  name="pr156427.diff"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
  filename="pr156427.diff"
 
 --- etc/rc.subr	2011/04/22 23:42:23	220957
 +++ etc/rc.subr	2011/04/22 23:44:25	220958
 @@ -651,7 +651,8 @@
  					#	checkyesno ${rcvar}
  					# and return if that failed
  					#
 -		if [ -n "${rcvar}" -a "$rc_arg" != "rcvar" -a -z "${rc_pid}" ]; then
 +		if [ -n "${rcvar}" -a "$rc_arg" != "rcvar" -a "$rc_arg" != "stop" ] ||
 +		    [ -n "${rcvar}" -a "$rc_arg" = "stop" -a -z "${rc_pid}" ]; then
  			if ! checkyesno ${rcvar}; then
  				if [ -n "${rc_quiet}" ]; then
  					return 0
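
Review bot: The comment above the condition still reads only "checkyesno ${rcvar} and return if that failed" and does not document the exception the new test introduces, namely that `stop` skips the check when `${rc_pid}` is non-empty. A line stating that only `stop` may bypass `${rcvar}` for a process that is already running, while `start` and every other command always honour it, would keep the `-z "${rc_pid}"` bypass from being widened to all commands again. The `-n "${rcvar}"` test is also repeated in both brackets; hoisting it into an outer `if` would remove the duplication and shorten the chained `-a` expressions.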
 
 --------------050401080107000606050906--

From: John Blazek <freebsd.org@logicalsolutns.com>
To: Dimitry Andric <dim@FreeBSD.org>
Cc: bug-followup@FreeBSD.org,d@delphij.net
Subject: Re: conf/161710: SSHD starts on boot even if 
  sshd_enable="NO" in 8.2
Date: Fri, 28 Oct 2011 18:56:52 -0500

 Awesome!
 
 At least I'm really not losing my mind!
 
 Well I might be anyway, but not in this case!
 
 Thank you!
 
 -john
 
 
 
 At 06:30 PM 10/28/2011, Dimitry Andric wrote:
 >Aha, now I see the cause of the problem.  A similar case to yours was
 >actually reported in conf/156427:
 >
 >  http://www.freebsd.org/cgi/query-pr.cgi?pr=156427
 >
 >There is an issue in /etc/rc.subr, which was introduced accidentally in
 >r206686, fixed in head in r220760, and later merged to stable/8 in
 >r220958:
 >
 >  http://svnweb.freebsd.org/base?view=revision&revision=220958
 >
 >but this was after 8.2 released, unfortunately.
 >
 >You should be able to fix it by applying just the diff to rc.subr, which
 >I have attached for your convenience.
 >
 >
 

From: John Blazek <freebsd.org@logicalsolutns.com>
To: Dimitry Andric <dim@FreeBSD.org>
Cc: bug-followup@FreeBSD.org,d@delphij.net
Subject: Re: conf/161710: SSHD starts on boot even if 
  sshd_enable="NO" in 8.2
Date: Fri, 28 Oct 2011 19:05:22 -0500

 Hello,
 
 As you predicted, the patch resolved the dual sshd startup:
 
 
 [root@kahlua]:[~]# sockstat | grep ssh
 root     sshd       55696 2  tcp4   192.168.3.134:2220    192.168.3.142:1089
 root     sshd       55696 3  tcp4   192.168.3.134:2220    192.168.3.142:1089
 root     sshd       55696 4  tcp4   192.168.3.134:2220    192.168.3.142:1089
 root     sshd       8361  3  tcp6   *:22200               *:*
 root     sshd       8361  4  tcp4   *:22200               *:*
 
 
 Thanks again.
 
 Sorry for making you find something that had already been fixed.
 
 I guess there is no good way to add that patch to the next 8.2-px ?
 
 
 -john
 
 
 
>Unformatted:
