On 07/07/2016 11:19 AM, Ben Lipton wrote:

Thanks for the review! Comments below.

On 07/01/2016 07:42 AM, Martin Basti wrote:

On 29.06.2016 20:46, Ben Lipton wrote:
The attached patch silences some annoying messages I've been getting when upgrading the freeipa-client package on F24:
WARNING: 'UseLogin yes' is not supported in Fedora and may cause several problems.
This will be fixed by openssh-7.2p2-9.fc24 (https://bugzilla.redhat.com/show_bug.cgi?id=1350347) so we probably shouldn't worry about it.
Could not load host key: /etc/ssh/ssh_host_dsa_key
This is because by default sshd looks for all of /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key, but Fedora doesn't generate a DSA key by default.

Since the script causing the message only looks at the return code from sshd to determine the right options to use, I thought it might be ok to discard the output. What do you think?


Hello, I don't like hiding errors/warnings. Can you determine and solve the root cause?

I definitely agree with this in principle, but in this case the purpose of this code is to try different, potentially wrong, parameters to sshd until it finds a combination that it accepts. It seems like in some environments this would produce error messages that aren't actionable and don't indicate any problem for package function, which is why I didn't think these messages were necessarily worth preserving.

On the other hand, if the code makes the wrong decision about sshd version we might be interested in error logs that show why. Can we log this to a file instead of the console, maybe?

If you'd prefer just addressing the root cause, a patch that prevents the missing host key error is attached, but it won't stop the error messages showing up when openssh is an older version.


Whoops, realized that my patch created a tempfile and didn't delete it. Updated.

From 035fbe343876afbdae1c38f0eeebf0492c1a2850 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Thu, 7 Jul 2016 10:28:04 -0400
Subject: [PATCH] Use existing HostKey config to test sshd

Prevents sshd from producing warning messages on package upgrade because
not all of the default host key files (/etc/ssh/ssh_host_dsa_key,
/etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and
/etc/ssh/ssh_host_rsa_key) are present.
 freeipa.spec.in | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ff27a32eebcc640cdbc8895f47732f06a90c4a1b..abb8b8db2c764eb4ef5733383bb2edbb244af955 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1007,23 +1007,28 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
             /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
         ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
-        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+        # Prevent complaints about missing host keys by using the configured ones
+        tmp_config=$(mktemp sshd_config.XXXXXX)
+        sed -n '/^HostKey[ \t]/ p' /etc/ssh/sshd_config > $tmp_config
+        if /usr/sbin/sshd -t -f $tmp_config -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
             sed -ri '
                 s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                 s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
             ' /etc/ssh/sshd_config.ipanew
-        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+        elif /usr/sbin/sshd -t -f $tmp_config -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
             sed -ri '
                 s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                 s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
             ' /etc/ssh/sshd_config.ipanew
-        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+        elif /usr/sbin/sshd -t -f $tmp_config -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
             sed -ri '
                 s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
                 s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
             ' /etc/ssh/sshd_config.ipanew
+        rm -f $tmp_config
         mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
         chmod 600 /etc/ssh/sshd_config
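
Review bot: `tmp_config=$(mktemp sshd_config.XXXXXX)` uses a relative template and its result is never checked, so the file lands in whatever directory the scriptlet happens to run in and a failure goes unnoticed. Suggest `mktemp --tmpdir sshd_config.XXXXXX` (or an absolute template) and falling back to `-f /dev/null` when it fails: with an empty `$tmp_config`, the unquoted `-f $tmp_config` takes the following `-o` as the file name, and all three probes would then fail for a reason unrelated to the sshd version. Quote "$tmp_config" in the redirect, in the three `sshd -t` calls and in the `rm -f`. When /etc/ssh/sshd_config has no `HostKey` lines the temp file is empty, so the test config behaves like the old `/dev/null` one; worth a word in the comment above the `mktemp` line.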
