bugzilla-daemon at bugzilla.mindrot.org
2007-Nov-04 00:42 UTC
[Bug 1388] New: Parts of auth2-pubkey.c are completely devoid of debug logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1388
Summary: Parts of auth2-pubkey.c are completely devoid of debug logging
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: Other
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: mvolaski at aecom.yu.edu
Consider this small section of code from the user_key_allowed2 function
in auth2-pubkey.c
    /* Fail quietly if file does not exist */
    if (stat(file, &st) < 0) {
        /* Restore the privileged uid. */
        restore_uid();
        return 0;
    }
    /* Open the file containing the authorized keys. */
    f = fopen(file, "r");
    if (!f) {
        /* Restore the privileged uid. */
        restore_uid();
        return 0;
    }
Fail quietly? Why? And what about debugging? Someone trying to figure
out why authentication has failed is merely left with a statement from
later in the code sequence that just says the "key was disallowed".
That's not helpful, for it's not technically true.
(I haven't explored other sections of code, but in general, I think any
return statement in the middle of a function that is a failure of that
function should probably have an explanatory debug statement at some
level associated with it.)
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-28 14:13 UTC
[Bug 1388] Parts of auth2-pubkey.c are completely devoid of debug logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1388
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> 2008-06-29
00:13:10 ---
Think about it: if the file does not exist, then there are no
authorised keys. This is not an error, and doesn't warrant logspam,
even at debug levels.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-28 22:44 UTC
[Bug 1388] Parts of auth2-pubkey.c are completely devoid of debug logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1388
mvolaski at aecom.yu.edu changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WONTFIX |
Severity|enhancement |normal
--- Comment #2 from mvolaski at aecom.yu.edu 2008-06-29 08:44:14 ---
After all this time we're waiting for a fix and you're just blowing it
off? It doesn't even look like you read my report. Please hand it off
to someone else if you don't feel so inclined.
By your own backward logic, how does a nonexistent key get reported as
being disallowed?
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-29 00:01 UTC
[Bug 1388] Parts of auth2-pubkey.c are completely devoid of debug logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1388
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |WONTFIX
--- Comment #3 from Damien Miller <djm at mindrot.org> 2008-06-29
10:00:58 ---
Sorry, but I don't agree that there is any condition worth reporting
here. You don't need debug output to figure out that a file that is
critical to public key authentication is missing.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-29 00:42 UTC
[Bug 1388] Parts of auth2-pubkey.c are completely devoid of debug logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1388
--- Comment #4 from mvolaski at aecom.yu.edu 2008-06-29 10:42:12 ---
Yeah, it took me the better part of a day to figure out that the
message, "key is disallowed" really means the key file is missing.
Perhaps users in the future who get similarly stymied will find this
page on Google. They surely can't depend on your nicely informative
debug logs to help them.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-22 02:20 UTC
[Bug 1388] Parts of auth2-pubkey.c are completely devoid of debug logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1388
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> 2008-07-22
12:20:22 ---
Mass update RESOLVED->CLOSED after release of openssh-5.1