openssh bugs - Jul 2022 - [Bug 3460] New: sshd -T aborts when no hostkeys are available and does not emit any parsed configuration

https://bugzilla.mindrot.org/show_bug.cgi?id=3460

            Bug ID: 3460
           Summary: sshd -T aborts when no hostkeys are available and does
                    not emit any parsed configuration
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dkg at fifthhorseman.net

over in https://bugs.debian.org/959726 the debian postinst script for
openssh-server is being discussed.  That postinst script needs to parse
the sshd_config file to figure out what host keys need to be created.

I'm sure this isn't the only sysadmin-related tooling that tries to do
such a task.

rather than re-implementing the configfile parser with some janky
approximation with perl, it'd be nicer to use `sshd -T` to get a
normalized form and then parse the results more simply.

However, that's not possible for the postinst script because `sshd -T`
aborts with an error and fails to emit any parsed configuration if no
hostkeys are available (error message: "sshd: no hostkeys available --
exiting.")

I don't know what other errors in the configuration might cause sshd -T
to abort with a failure, but it would be nice if it would go ahead and
emit the parsed configuration anyway.

(if this seems wrong to do by default for whatever reason, perhaps a
distinct option besides -T could be used to emit the parsed
configuration regardless of whether there is an error)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3460

Stephanie <tylercashea33 at icloud.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tylercashea33 at icloud.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3460

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
   Attachment #3664|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3664
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3664&action=edit
Add sshd -G flag

The reason why we haven't done this in the past is that -T is
advertised as an "extended test" mode that will verify various
configuration-related things and *then* print the config.

Maybe we should add a dedicated "config dump" mode (maybe using -G
like
ssh) that doesn't do this?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3460

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3664|ok?(dtucker at dtucker.net)    |ok+
              Flags|                            |

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3664
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3664
Add sshd -G flag

usage() also needs updating.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3460

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3533
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in OpenSSH 9.3


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3533
[Bug 3533] tracking bug for openssh-9.3
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3460

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.