On 11.08.2016 15:40, Jan Cholasta wrote:
On 8.8.2016 14:25, Martin Basti wrote:

On 08.08.2016 13:58, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Jan Cholasta wrote:
On 19.7.2016 08:40, Jan Cholasta wrote:

On 9.7.2016 14:46, Ben Lipton wrote:
On 07/07/2016 11:19 AM, Ben Lipton wrote:

Thanks for the review! Comments below.

On 07/01/2016 07:42 AM, Martin Basti wrote:

On 29.06.2016 20:46, Ben Lipton wrote:
The attached patch silences some annoying messages I've been
when upgrading the freeipa-client package on F24:
WARNING: 'UseLogin yes' is not supported in Fedora and may cause
several problems.
This will be fixed by openssh-7.2p2-9.fc24
(https://bugzilla.redhat.com/show_bug.cgi?id=1350347) so we probably
shouldn't worry about it.
Could not load host key: /etc/ssh/ssh_host_dsa_key
This is because by default sshd looks for all of
/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
/etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key, but
Fedora doesn't generate a DSA key by default.

Since the script causing the message only looks at the return code from sshd to determine the right options to use, I thought it might
be ok to discard the output. What do you think?


Hello, I don't like hiding errors/warnings. Can you determine and
solve the root cause?

I definitely agree with this in principle, but in this case the
purpose of this code is to try different, potentially wrong,
parameters to sshd until it finds a combination that it accepts. It
seems like in some environments this would produce error messages
aren't actionable and don't indicate any problem for package
which is why I didn't think these messages were necessarily worth

On the other hand, if the code makes the wrong decision about sshd
version we might be interested in error logs that show why. Can we
this to a file instead of the console, maybe?

If you'd prefer just addressing the root cause, a patch that prevents
the missing host key error is attached, but it won't stop the error
messages showing up when openssh is an older version.


Whoops, realized that my patch created a tempfile and didn't delete

I think the first version of the patch was OK. sshd is called only to
check which set of authorized keys options to use, we don't really care
about anything else, so we can safely ignore whatever it puts to


ACK on the first version of the patch

Anyone against pushing it?
Given that a newer OpenSSH version will silence it anyway, I'm OK with the
interim fix.
Pushed to master: c15ba1f9e8c7d236586d46271fce7c3950b509da

You pushed the wrong patch (0002).

Yes, sorry, I forgot how to numbers

Fixed patch attached.
From 2cd5037ee89bcb3ba3007c9c20ba3458d628eef0 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Thu, 11 Aug 2016 15:39:35 +0200
Subject: [PATCH] Silence sshd messages during install

Fix for accidentally pushed commit c15ba1f9e8c7d236586d46271fce7c3950b509da

During install we call sshd with no config file, sometimes leading to it
complaining about missing files or bad config options. Since we're just
looking for the return code to see if the options are correct, we can
discard these error messages.
 freeipa.spec.in | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 78ab8ca5800eceba633fd9d1e3412ee3bde94c0e..ea580a20ac3fea42916271e7d9e906c0d67450e3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1009,21 +1009,17 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
             /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
         ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
-        # Prevent complaints about missing host keys by using the configured ones
-        tmp_config=$(mktemp sshd_config.XXXXXX)
-        sed -n '/^HostKey[ \t]/ p' /etc/ssh/sshd_config > $tmp_config
-        if /usr/sbin/sshd -t -f $tmp_config -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
             sed -ri '
                 s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                 s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
             ' /etc/ssh/sshd_config.ipanew
-        elif /usr/sbin/sshd -t -f $tmp_config -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
             sed -ri '
                 s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                 s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
             ' /etc/ssh/sshd_config.ipanew
-        elif /usr/sbin/sshd -t -f $tmp_config -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
             sed -ri '
                 s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
                 s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
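Review bot: Dropping stderr with `2>/dev/null` on all three `sshd -t -f /dev/null` probes leaves no record when every probe fails for a reason other than an unsupported option, so a wrong decision about the sshd version cannot be diagnosed from the install output. Consider capturing stderr from each probe and emitting it, or appending it to a log file, only when none of the three option sets is accepted. A short comment above the first `if` stating that only the exit status is used, and that running against `-f /dev/null` is what makes sshd look for its default host keys, would also document why the output is treated as noise here.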
