Thanks for the review! Comments below.

On 07/01/2016 07:42 AM, Martin Basti wrote:

On 29.06.2016 20:46, Ben Lipton wrote:
The attached patch silences some annoying messages I've been getting when upgrading the freeipa-client package on F24:
WARNING: 'UseLogin yes' is not supported in Fedora and may cause several problems.
This will be fixed by openssh-7.2p2-9.fc24 ( so we probably shouldn't worry about it.
Could not load host key: /etc/ssh/ssh_host_dsa_key
This is because by default sshd looks for all of /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key, but Fedora doesn't generate a DSA key by default.

Since the script causing the message only looks at the return code from sshd to determine the right options to use, I thought it might be ok to discard the output. What do you think?


Hello, I don't like hiding errors/warnings. Can you determine and solve the root cause?

I definitely agree with this in principle, but in this case the purpose of this code is to try different, potentially wrong, parameters to sshd until it finds a combination that it accepts. It seems like in some environments this would produce error messages that aren't actionable and don't indicate any problem for package function, which is why I didn't think these messages were necessarily worth preserving.

On the other hand, if the code makes the wrong decision about sshd version we might be interested in error logs that show why. Can we log this to a file instead of the console, maybe?

If you'd prefer just addressing the root cause, a patch that prevents the missing host key error is attached, but it won't stop the error messages showing up when openssh is an older version.

From afb460c2fe3b8329ae5b8ed9603db8723e79c34a Mon Sep 17 00:00:00 2001
From: Ben Lipton <>
Date: Thu, 7 Jul 2016 10:28:04 -0400
Subject: [PATCH] Use existing HostKey config to test sshd

Prevents sshd from producing warning messages on package upgrade because
not all of the default host key files (/etc/ssh/ssh_host_dsa_key,
/etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and
/etc/ssh/ssh_host_rsa_key) are present.
--- | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ b/
index ff27a32eebcc640cdbc8895f47732f06a90c4a1b..4a339869257df4b599b774ec7ac728d43ab33ff5 100644
--- a/
+++ b/
@@ -1007,17 +1007,21 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
             /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
         ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
-        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+        # Prevent complaints about missing host keys by using the configured ones
+        tmp_config=$(mktemp sshd_config.XXXXXX)
+        sed -n '/^HostKey[ \t]/ p' /etc/ssh/sshd_config > $tmp_config
+        if /usr/sbin/sshd -t -f $tmp_config -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
             sed -ri '
                 s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                 s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
             ' /etc/ssh/sshd_config.ipanew
-        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+        elif /usr/sbin/sshd -t -f $tmp_config -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
             sed -ri '
                 s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                 s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
             ' /etc/ssh/sshd_config.ipanew
-        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+        elif /usr/sbin/sshd -t -f $tmp_config -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
             sed -ri '
                 s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
                 s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
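Review bot: the temporary-file handling in the added `tmp_config` lines needs tightening. `mktemp sshd_config.XXXXXX` has no directory in its template, so the file is created in the scriptlet's current working directory rather than in a temp directory; the `mktemp` result is not checked, so a failure leaves `$tmp_config` empty and `sshd -t -f` gets no usable path; `$tmp_config` is passed unquoted in all three `sshd -t -f` calls; and nothing in the visible lines removes the file after the `if`/`elif` chain (the hunk ends before the chain closes, so the cleanup point is not shown here). Suggest `tmp_config=$(mktemp --tmpdir sshd_config.XXXXXX) || tmp_config=/dev/null` so a failure falls back to the previous behaviour, quoting `"$tmp_config"` in each `sshd -t -f` call, and `rm -f "$tmp_config"` once the last branch has run. One more point for a comment: if `/etc/ssh/sshd_config` contains no uncommented `HostKey` line, the generated file is empty and sshd falls back to probing all of its default host key paths, so the "Could not load host key" warning from the original report would still appear in that case.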
