-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hello everyone! i'd like to sincerely ask you to include a fix for ssh-copy-id bug i'll be linking below. it's a trivial fix which resolves https://bugzilla.mindrot.org/show_bug.cgi?id=2206 and eases life of many. it's been field-tested by redhat devs and users so i see no problem in incorporating it. http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix-ss h-copy-id-on-non-sh-shell.patch thanks a lot! R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlZUpSIACgkQ7mej6pjlbYQ5EgCfV4+MBrLPgW0HpDhdz0zGBMrb R5QAn1c/aU4PFDgNkO+9gJHxMWZoc2dK =s5/e -----END PGP SIGNATURE-----
Hi, On Tuesday 24 November 2015, Radek Podgorny wrote:> hello everyone! > > i'd like to sincerely ask you to include a fix for ssh-copy-id bug > i'll be linking below. it's a trivial fix which resolves > https://bugzilla.mindrot.org/show_bug.cgi?id=2206 and eases life of > many. it's been field-tested by redhat devs and users so i see no > problem in incorporating it. > > http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix >-ss h-copy-id-on-non-sh-shell.patch>> - umask 077 ; >> + exec sh -c 'umask 077; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'" \ >> - mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; >> - if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \Does "exec sh -c ..." really make sense in general? People who are using non-posix login shells where not even "2>&1" or "&&" works are probably good candidates who would also link /bin/sh to point to a non-posix shell. Personally I think it's hard enough to write POSIX compatible shell scripts and I wouldn't start to add such hacks for fish and tcsh. Next week somebody may complain that his "shell" does not support "exec ...". cu, Rudi
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, On 11/25/2015 12:07 PM, Ruediger Meier wrote:> Hi, > > On Tuesday 24 November 2015, Radek Podgorny wrote: >> hello everyone! >> >> i'd like to sincerely ask you to include a fix for ssh-copy-id >> bug i'll be linking below. it's a trivial fix which resolves >> https://bugzilla.mindrot.org/show_bug.cgi?id=2206 and eases life >> of many. it's been field-tested by redhat devs and users so i see >> no problem in incorporating it. >> >> http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix >> >>- -ss h-copy-id-on-non-sh-shell.patch> > >>> - umask 077 ; + exec sh -c 'umask 077; mkdir -p .ssh && cat >> >>> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null >>> 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'" \ - >>> mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; - if >>> type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh >>> .ssh/authorized_keys ; fi" \ > > Does "exec sh -c ..." really make sense in general? People who are > using non-posix login shells where not even "2>&1" or "&&" works > are probably good candidates who would also link /bin/sh to point > to a non-posix shell. > > Personally I think it's hard enough to write POSIX compatible > shell scripts and I wouldn't start to add such hacks for fish and > tcsh. Next week somebody may complain that his "shell" does not > support "exec ...".i wouldn't be afraid of that. i think it's a common practice (no hard numbers for that, thou) that you leave the sh link pointed to posix shell at all times - there's too many things in the wild depending on that. anyway, i wouldn't call it a hack. you need a posix shell on the remote side and this so far the best method to state it. of course, someone may have a relly odd shell with no exec support or have the sh link pointing elsewhere but for such poor guy, the ssh-copy-id is not working today, anyway, so no real "breakage" happens. on the other hand, there's many people who would benefit from this patch and as it's backwards compatible, nothing gets broken for anyone. if - and that may never happen - in the future someone complains about his shell not being supported, let's find a better way. but until then i think this is a safe thing to do. thanks, R.> cu, Rudi >-----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlZVnsQACgkQ7mej6pjlbYQavACeJEeA9swKxO8bzc6B+uCqLntH CNAAoKh5r/n2BrkeefN2H7cBc51FyiJk =f/zb -----END PGP SIGNATURE-----
On Wed, Nov 25, 2015 at 12:07:13PM +0100, Ruediger Meier wrote:>Does "exec sh -c ..." really make sense in general? People who are >using non-posix login shells where not even "2>&1" or "&&" works are >probably good candidates who would also link /bin/sh to point to a >non-posix shell.Non-posix login shells (csh et al) are not exactly uncommon. /bin/sh pointing to something non-posix is uncommon to the point of being unable to work on common systems. Mike Stone
On Wed, Nov 25, 2015 at 6:07 AM, Ruediger Meier <sweet_f_a at gmx.de> wrote:> Hi, > > On Tuesday 24 November 2015, Radek Podgorny wrote: >> hello everyone! >> >> i'd like to sincerely ask you to include a fix for ssh-copy-id bug >> i'll be linking below. it's a trivial fix which resolves >> https://bugzilla.mindrot.org/show_bug.cgi?id=2206 and eases life of >> many. it's been field-tested by redhat devs and users so i see no >> problem in incorporating it. >> >> http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix >>-ss h-copy-id-on-non-sh-shell.patch> Personally I think it's hard enough to write POSIX compatible shell > scripts and I wouldn't start to add such hacks for fish and tcsh. > Next week somebody may complain that his "shell" does not > support "exec ...".Making things work for more people, when it doesn't introduce a security risk or break other tools, seems very reasonable. And there are people out there who who do use both fish and tcsh. What seems to be missing in the patch is a comment line, above the stanza, explaining why the code uses "exec". It's great to be clever and solve a problem, but it boosts your pay and makes people who follow in your role hate you a lot less if they can understand why you chose a particular solution.
Hi Radek, Radek Podgorny <radek at podgorny.cz> writes:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > hello everyone! > > i'd like to sincerely ask you to include a fix for ssh-copy-id bug > i'll be linking below. it's a trivial fix which resolves > https://bugzilla.mindrot.org/show_bug.cgi?id=2206 and eases life of > many. it's been field-tested by redhat devs and users so i see no > problem in incorporating it. > > http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix-ss > h-copy-id-on-non-sh-shell.patchSeems fair enough to me. I've been meaning to do some maintenance on ssh-copy-id for quite a while, so thanks for the nudge -- that's what parenthood does for available spare time ;-) BTW I've just pushed this fix to my git repo: http://git.hands.com/ssh-copy-id hopefully that can be in the next OpenSSH release -- I'll endeavour to deal with some of the rest of the bug backlog in the next day or two. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd. |-| http://www.hands.com/ http://ftp.uk.debian.org/ |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151125/867daa4b/attachment-0001.bin>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 thanks for your effort, phil! R. On 11/25/2015 06:11 PM, Philip Hands wrote:> Hi Radek, > > Radek Podgorny <radek at podgorny.cz> writes: > >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> >> hello everyone! >> >> i'd like to sincerely ask you to include a fix for ssh-copy-id >> bug i'll be linking below. it's a trivial fix which resolves >> https://bugzilla.mindrot.org/show_bug.cgi?id=2206 and eases life >> of many. it's been field-tested by redhat devs and users so i see >> no problem in incorporating it. >> >> http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix- -ss>> >>h-copy-id-on-non-sh-shell.patch> > Seems fair enough to me. > > I've been meaning to do some maintenance on ssh-copy-id for quite > a while, so thanks for the nudge -- that's what parenthood does > for available spare time ;-) > > BTW I've just pushed this fix to my git repo: > > http://git.hands.com/ssh-copy-id > > hopefully that can be in the next OpenSSH release -- I'll endeavour > to deal with some of the rest of the bug backlog in the next day or > two. > > Cheers, Phil. >-----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlZWOCsACgkQ7mej6pjlbYT5DwCffsVd2w/dUCL3BKEUgfxwj+QI PpsAnjRQP6MM38F3lMfR4fB8gFmAquiO =8CR0 -----END PGP SIGNATURE-----