bugzilla-daemon at mindrot.org
2025-Apr-21 21:39 UTC
[Bug 3817] New: Replace debug2 "advance:" with "keytype, base64-encoded key not found:"
https://bugzilla.mindrot.org/show_bug.cgi?id=3817

            Bug ID: 3817
           Summary: Replace debug2 "advance:" with "keytype, base64-encoded key not found:"
           Product: Portable OpenSSH
           Version: 10.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: tom at hale.ee

The debug2 "advance:" log message is confusing: it doesn't indicate that sshd was actually expecting to see {keytype, base64-encoded} in the string that follows.

I spent over an hour of debugging to finally uncover that, as the manual says:

> The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes.

Here are 3 contiguous lines from a "LogLevel DEBUG3", and how I interpreted them:

Apr 22 06:49:45 nas sshd[503091]: debug2: /root/.ssh/authorized_keys:10: check options: 'from="*.d.hale.ee,100.64.0.0/10,10.181.0.0/16" command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --log --target",restrict ssh-ed25519 AAAAAAAAREDACTED btrbk off-site archives 2025-04-21\n'

Me: 'Okay, we read in line 10, and I'm seeing what was read in. All good.'

Apr 22 06:49:45 nas sshd[503091]: debug2: /root/.ssh/authorized_keys:10: advance: 'command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --log --target",restrict ssh-ed25519 AAAAREDACTED btrbk off-site archives 2025-04-21\n'

Me: 'The "from=" filter has been removed, so that must be all ok. We are advancing to check the "command=" part'

Apr 22 06:49:45 nas sshd[503091]: debug1: restore_uid: 0/0

Me: 'Hmm, the "command=" failed. I need to debug the filter script'

But no. Actually, "advance:" means: "keytype, base64-encoded key not found: <string>"

Would a pull request for such likely be accepted?
### Extra info:

Version: OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024

Relevant code:
https://github.com/openssh/openssh-portable/blob/b5b405fee7f3e79d44e2d2971a4b6b4cc53f112e/auth2-pubkeyfile.c#L294-L298

    if (sshkey_read(found, &cp) != 0) {
        /* still no key? advance to next line*/
        debug2("%s: advance: '%s'", loc, cp);
        goto out;
    }

I note in the same files as above, a few lines up, at line 283:

    /* XXX djm: peek at key type in line and skip if unwanted */

--
You are receiving this mail because:
You are watching the assignee of the bug.
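Added example, not part of the original report and not OpenSSH code: a small authorized_keys lint that applies the manual's rule quoted in the report (options are comma-separated, with no spaces outside double quotes) and flags a line where a key type turns up later than the second field. The key-type list is not exhaustive, and the sample lines and the /usr/bin/filter path are constructed for illustration.

```python
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

def split_unquoted(line):
    """Split on spaces/tabs that are outside double quotes."""
    fields, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and line[i + 1:i + 2] == '"':
            cur.append('\\"')          # an escaped quote does not toggle quoting
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in " \t" and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields

def lint(line):
    """Return None for a plausible layout, else a diagnostic string."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_unquoted(line)
    if fields[0] in KEY_TYPES:                        # no options field
        return None
    if len(fields) > 1 and fields[1] in KEY_TYPES:    # options, then key type
        return None
    for idx, tok in enumerate(fields):
        if tok in KEY_TYPES:
            return ("options end at the first unquoted space; expected a key "
                    f"type but found {fields[1]!r} (key type is field {idx + 1}: "
                    "join the options with commas)")
    return "no recognised key type on this line"

# Constructed sample lines; BAD has the same layout as line 10 in the report.
BAD = ('from="*.d.hale.ee,100.64.0.0/10" command="/usr/bin/filter --log",restrict '
       'ssh-ed25519 AAAAREDACTED comment')
GOOD = BAD.replace('" command=', '",command=')
```

lint(BAD) returns a diagnostic naming the stray command= field, and lint(GOOD) returns None.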
bugzilla-daemon at mindrot.org
2025-Apr-30 23:18 UTC
[Bug 3817] Replace debug2 "advance:" with "keytype, base64-encoded key not found:"
https://bugzilla.mindrot.org/show_bug.cgi?id=3817

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|10.0p1                      |10.0p2

--
You are receiving this mail because:
You are watching the assignee of the bug.