sshd marked as requires restart ( Centos6 )

[mphilipps]

hi,
We have noticed that on our Centos6 Servers sshd is always marked as requiring a restart when someone is using the internal-sftp.

From our sshd config:

Match User some-user
ChrootDirectory /chroot/%u
ForceCommand internal-sftp -f AUTH -l INFO -u 002
PasswordAuthentication yes
X11Forwarding no
AllowTcpForwarding no

When running needrestart with -v it complains about not finding the sshd binary, presumably because it is running in a chroot?

The odd thing for me is that we only see that on Centos 6, but we use the same ssh config on all of our servers.

[liske]

Could you please provide the output of needrestart -v?

[mphilipps]

https://gist.github.com/mphilipps/cab84ba1354d20ad6bd048741483ac15

[liske]

When running needrestart with -v it complains about not finding the sshd binary, presumably because it is running in a chroot?

Yes and I'm already pondering for some time to ignore missing binary files. While running on GNU/Linux this should be OK since the map file (/proc/$PID/maps) should be more reliable if using namespaces or chroots.

The odd thing for me is that we only see that on Centos 6, but we use the same ssh config on all of our servers.

I have no idea, another needrestart -v dump from a non-affected system might give us an idea.

[mphilipps]

Here is a dump from a non-affected Centos 7 System. (ssh isn't mentioned)
https://gist.github.com/mphilipps/860563d2af03cd73cdb2ec30dea44e0c

Quite a bit has changed between Centos 6 to Centos 7. Different init system (upstart -> systemd), openssh 5.3 vs 7.4 (+ Redhat Patches).

selinux is disabled on both of them.

[liske]

The default configuration has been changed to ignore non-existing files (see also #152) which should fix your issue, too.

[mphilipps]

Noted, going to test this as soon as 3.5 is released.

[mphilipps]

issue still exists.