Christian Hesse
2015-Jul-01 08:30 UTC
[PATCH 1/1] update error messages about moduli and primes files
From: Christian Hesse <mail at eworm.de>
Both files can be used, so mention both in error messages.
Signed-off-by: Christian Hesse <mail at eworm.de>
---
dh.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/dh.c b/dh.c
index 4c639ac..450f5c4 100644
--- a/dh.c
+++ b/dh.c
@@ -153,8 +153,8 @@ choose_dh(int min, int wantbits, int max)
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
(f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
- logit("WARNING: %s does not exist, using fixed modulus",
- _PATH_DH_MODULI);
+ logit("WARNING: neither %s nor %s exists, using fixed modulus",
+ _PATH_DH_MODULI, _PATH_DH_PRIMES);
return (dh_new_group_fallback(max));
}
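Review bot: the new wording "neither %s nor %s exists" still states a cause that this branch does not establish. The branch is reached whenever both fopen() calls return NULL, which also happens when a file is present but cannot be read. Suggest "can be opened" instead of "exists", or appending strerror(errno) to the message. Note that errno at this point only reflects the second fopen(), the one on _PATH_DH_PRIMES.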
@@ -182,7 +182,8 @@ choose_dh(int min, int wantbits, int max)
if (bestcount == 0) {
fclose(f);
- logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
+ logit("WARNING: no suitable primes in %s or %s",
+ _PATH_DH_MODULI, _PATH_DH_PRIMES);
return (dh_new_group_fallback(max));
}
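Review bot: in the bestcount == 0 warning, "no suitable primes in %s or %s" names both files although only one was scanned. The fopen() chain in the first hunk opens _PATH_DH_PRIMES only when opening _PATH_DH_MODULI fails, so f refers to exactly one of them here. Consider remembering which path was opened and logging only that one, so the admin knows which file to regenerate or fix.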
--
2.4.5
Ole Holm Nielsen
2015-Jul-10 08:40 UTC
[PATCH 1/1] update error messages about moduli and primes files
Thanks to Christian Hesse <mail at eworm.de> for fixing a logging bug.
The logit() messages are identical in releases 6.6 through 6.9.
Question: Could this patch be backported to older releases as well? Then
it would appear in major distributions using 6.6, for example RHEL 7 and
CentOS 7, and become helpful to a lot of users.
Furthermore, I would like to add a suggestion for the patch:
We're running an OpenSSH server on CentOS 7.1 (RPM:
openssh-6.6.1p1-12.el7_1.x86_64) and we have seen some puzzling warnings
(related to the above patch) in the syslog:
sshd[16815]: WARNING: /etc/ssh/moduli does not exist, using fixed modulus
It turned out that my /etc/ssh/moduli file had gotten an erroneous
SELinux security context by mistake. The correct SELinux security
context is:
# ls -Z /etc/ssh/moduli
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ssh/moduli
Suggestion: Could you replace the logit() warning message:
logit("WARNING: neither %s nor %s exists, using fixed modulus",
by a possibly more informative message:
logit("WARNING: neither %s nor %s can be opened, using fixed
modulus",
Thanks,
Ole
--
Ole Holm Nielsen
Department of Physics, Technical University of Denmark
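The failure mode described in the message above, as an added example that is not part of the thread or of OpenSSH's dh.c: a sketch of recording the errno for each candidate file, so that a file that is present but unreadable is not logged as missing. `open_first`, `enum open_result` and the sample paths are hypothetical names and constructed inputs.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum open_result { OPENED, ALL_MISSING, OPEN_FAILED };

/*
 * Hypothetical helper (not in dh.c): try each candidate in order. On
 * failure, msg lists every path with its own errno text, and the return
 * value separates "no file exists" from "a file could not be opened".
 */
enum open_result
open_first(const char *const paths[], size_t n, FILE **fp, size_t *which,
    char *msg, size_t msglen)
{
	size_t i, off = 0;
	int e, w, all_enoent = 1;

	if (msglen > 0)
		msg[0] = '\0';
	for (i = 0; i < n; i++) {
		if ((*fp = fopen(paths[i], "r")) != NULL) {
			*which = i;
			return OPENED;
		}
		e = errno;	/* save before any other library call */
		if (e != ENOENT)
			all_enoent = 0;
		if (off < msglen) {
			w = snprintf(msg + off, msglen - off, "%s%s: %s",
			    i ? "; " : "", paths[i], strerror(e));
			if (w > 0)
				off += (size_t)w;
		}
	}
	*fp = NULL;
	return all_enoent ? ALL_MISSING : OPEN_FAILED;
}

int main(void)
{
	/* Constructed stand-ins: the first path fails with ENOTDIR, not ENOENT. */
	const char *const paths[] = { "/dev/null/moduli", "/nonexistent/primes" };
	FILE *f;
	size_t which;
	char msg[256];
	if (open_first(paths, 2, &f, &which, msg, sizeof(msg)) == OPEN_FAILED)
		printf("WARNING: cannot open moduli files (%s)\n", msg);
	return 0;
}
```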
Jakub Jelen
2015-Jul-14 06:54 UTC
[PATCH 1/1] update error messages about moduli and primes files
On 07/10/2015 10:40 AM, Ole Holm Nielsen wrote:
> Thanks to Christian Hesse <mail at eworm.de> for fixing a logging bug.
> The logit() messages are identical in releases 6.6 through 6.9.
>
> Question: Could this patch be backported to older releases as well?
> Then it would appear in major distributions using 6.6, for example
> RHEL 7 and CentOS 7, and become helpful to a lot of users.

OpenSSH usually doesn't make bugfix releases of previous versions. If
you are interested in seeing it in the next update of RHEL/CentOS, you
can file an RFE bug in our (=redhat) bugzilla.
I understand that this can be misleading, but I don't think this is a
critical issue that needs to be fixed ASAP.
--
Jakub Jelen
Security Technologies
Red Hat
Christian Hesse
2015-Aug-21 09:12 UTC
[PATCH 1/1] update error messages about moduli and primes files
Christian Hesse <list at eworm.de> on Wed, 2015/07/01 10:30:
> From: Christian Hesse <mail at eworm.de>
>
> Both files can be used, so mention both in error messages.
>
> Signed-off-by: Christian Hesse <mail at eworm.de>

I have sent some patches here. Will anybody care? Or is there any better
place to put them?
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
Damien Miller
2015-Aug-21 10:00 UTC
[PATCH 1/1] update error messages about moduli and primes files
On Fri, 21 Aug 2015, Christian Hesse wrote:
> Christian Hesse <list at eworm.de> on Wed, 2015/07/01 10:30:
> > From: Christian Hesse <mail at eworm.de>
> >
> > Both files can be used, so mention both in error messages.
> >
> > Signed-off-by: Christian Hesse <mail at eworm.de>
>
> I have sent some patches here. Will anybody care? Or is there any better
> place to put them?

Yes, https://bugzilla.mindrot.org/ is the best place to put patches to
ensure they don't get lost.

-d