bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-26 22:41 UTC
[Bug 2653] New: Including files without read access in ssh configuration fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

            Bug ID: 2653
           Summary: Including files without read access in ssh
                    configuration fails without error
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2920
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2920&action=edit
proposed patch

When one is using the Include directive in ssh_config and the file is not readable for the user running ssh, it fails without a reasonable error message:

/etc/ssh/ssh_config: terminating, 1 bad configuration options

It is pretty hard to understand, especially when the include works on a whole drop-in directory, such as:

Include /etc/ssh/ssh_config.d/*.conf

Only log level DEBUG3 shows some pointer to where it comes from:

debug3: /etc/ssh/ssh_config line 56: Including file /etc/ssh/ssh_config.d/10-kex.conf depth 0
/etc/ssh/ssh_config: terminating, 1 bad configuration options

We already ignore failures if the included file does not exist. If it exists and we don't have permissions to read it, we should either get a better error or ignore it too (as we already do in the case of standard configuration files).

This is not a problem when reading the configuration files directly, because the return value of the call to read_config_file() is ignored in ssh.c (honored only in the case of the -F switch).

A possible solution to this issue, reporting the read error but ignoring it for the include files, is to introduce a new flag (see attached patch, which fixes the problem for me).

This was originally reported in Red Hat bugzilla [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1408558

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-06 03:08 UTC
[Bug 2653] Including files without read access in ssh configuration fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
   Attachment #2920|0                             |1
        is obsolete|                              |
             Status|NEW                           |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                              |djm at mindrot.org,
                   |                              |dtucker at zip.com.au
   Attachment #2928|                              |ok?(dtucker at zip.com.au)
              Flags|                              |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 2928
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2928&action=edit
fatal() on Include errors other than ENOENT

read_config_file_depth() only ever returns failure on fopen() errors, everything else goes via fatal(), so we can simplify this a bit.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-06 03:08 UTC
[Bug 2653] Including files without read access in ssh configuration fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
             Blocks|                              |2647

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-06 03:12 UTC
[Bug 2653] Including files without read access in ssh configuration fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
   Attachment #2928|ok?(dtucker at zip.com.au)    |ok+
              Flags|                              |
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-06 03:54 UTC
[Bug 2653] Including files without read access in ssh configuration fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
         Resolution|---                           |FIXED
             Status|ASSIGNED                      |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
applied - thanks
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-06 12:06 UTC
[Bug 2653] Including files without read access in ssh configuration fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
         Resolution|FIXED                         |---
             Status|RESOLVED                      |REOPENED

--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
This does not look right. Trying with the attached patch, I am experiencing weird behavior:

[root at f24 openssh]# ssh -vvv localhost
OpenSSH_7.4p1, OpenSSL 1.1.0c-fips 10 Nov 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 56: Including file /etc/ssh/ssh_config.d/01-test.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/01-test.conf
Can't open user config file /etc/ssh/ssh_config.d/01-test.conf: Success

This is happening only when the first included file does not include any further files that would set errno to ENOENT. If all the parsing went without any problem, the errno stays zero and the failure as above prevents the execution.
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-11 23:57 UTC
[Bug 2653] Including files without read access in ssh configuration fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
             Status|REOPENED                      |RESOLVED
         Resolution|---                           |FIXED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
This has been fixed for a while. The test now looks like:

> if (r != 1 && errno != ENOENT) {
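The errno pitfall reported in comment #3 and the test quoted in comment #4, side by side, as an added example that is not OpenSSH code and not part of the original thread. The names read_include(), check_errno_only(), check_result_then_errno() and the sample paths are hypothetical; only the condition `r != 1 && errno != ENOENT` comes from the thread.

```c
#include <errno.h>
#include <stdio.h>

enum include_result { INCLUDE_OK, INCLUDE_SKIPPED, INCLUDE_FATAL };

/* Hypothetical stand-in for a config reader: returns 1 on success and
 * 0 when fopen() fails, leaving errno as set by fopen(). */
static int read_include(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    fclose(f);
    return 1;
}

/* errno-only test: after a successful read errno is not ENOENT (it is
 * normally still 0), so a good file is treated as fatal and strerror()
 * renders the "error" as "Success". */
static enum include_result check_errno_only(const char *path)
{
    errno = 0;
    int r = read_include(path);
    if (errno != ENOENT)
        return INCLUDE_FATAL;
    return r == 1 ? INCLUDE_OK : INCLUDE_SKIPPED;
}

/* Test quoted in comment #4: consult errno only when the call failed. */
static enum include_result check_result_then_errno(const char *path)
{
    errno = 0;
    int r = read_include(path);
    if (r != 1 && errno != ENOENT)
        return INCLUDE_FATAL;
    return r == 1 ? INCLUDE_OK : INCLUDE_SKIPPED;
}

int main(void)
{
    /* Constructed paths: readable, missing (ENOENT), and one that fails
     * with ENOTDIR on Linux even for root, standing in for EACCES. */
    const char *paths[] = { "/dev/null", "/nonexistent-example/10-kex.conf",
                            "/dev/null/10-kex.conf" };
    for (int i = 0; i < 3; i++)
        printf("%s: errno-only=%d fixed=%d\n", paths[i],
            check_errno_only(paths[i]), check_result_then_errno(paths[i]));
    return 0;
}
```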
bugzilla-daemon at mindrot.org
2021-Apr-23 05:02 UTC
[Bug 2653] Including files without read access in ssh configuration fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
             Status|RESOLVED                      |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release