Bug 2277

Summary:

config: add option to customize moduli file location

Product:

Portable OpenSSH

Reporter:

Alon Bar-Lev <alon.barlev>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

enhancement

CC:

djm

Priority:

Version:

6.6p1

Hardware:

Other

OS:

Linux

URL:

https://github.com/openssh/openssh-portable/pull/2

Attachments:

Description	Flags
config-add-option-to-customize-moduli-file-location.patch	none

Description Alon Bar-Lev 2014-09-17 00:05:06 AEST

Created attachment 2475 [details]
config-add-option-to-customize-moduli-file-location.patch

Currently all files can be customized via sshd_config, however, the
moduli file cannot.

Running sshd in unprivileged context requires customization of all
resources, especially when some distributions sets the moduli as world
unreadable.

---

I hope I got this right. I could use the copy of options within the child process, but I preferred to use the rpc in order to pass all parameters, maybe you want this the other way arround.

This continue the series of unprivilege helpful functionality bug#2081, bug#2276.

Comment 1 Alon Bar-Lev 2015-03-03 20:20:42 AEDT

I cannot rebase this patch easily due to the split of ssh api, the kex is not linked against sshd and there is no [trivial] way to pass options.

I do not think the API as a library should access files in fixed locations, I suggest to consider either removing fixed location or adding ability to pass options to the api.

Another option is to control the moduli file location via the environment.

Comment 2 Damien Miller 2015-03-04 10:23:26 AEDT

(In reply to Alon Bar-Lev from comment #1)
> I cannot rebase this patch easily due to the split of ssh api, the
> kex is not linked against sshd and there is no [trivial] way to pass
> options.
> 
> I do not think the API as a library should access files in fixed
> locations, I suggest to consider either removing fixed location or
> adding ability to pass options to the api.

The API isn't close to stable yet, it's likely to change substantially before we are ready to expose for non-internal use

Comment 3 Alon Bar-Lev 2015-03-04 17:58:28 AEDT

(In reply to Damien Miller from comment #2)
> (In reply to Alon Bar-Lev from comment #1)
> > I cannot rebase this patch easily due to the split of ssh api, the
> > kex is not linked against sshd and there is no [trivial] way to pass
> > options.
> > 
> > I do not think the API as a library should access files in fixed
> > locations, I suggest to consider either removing fixed location or
> > adding ability to pass options to the api.
> 
> The API isn't close to stable yet, it's likely to change
> substantially before we are ready to expose for non-internal use

I understand.

Do you have any preferences of how to pass the file location into the kex module? For example, can we add options to ssh structure?

Comment 4 Damien Miller 2015-03-04 18:16:26 AEDT

(In reply to Alon Bar-Lev from comment #3)

> Do you have any preferences of how to pass the file location into
> the kex module? For example, can we add options to ssh structure?

Yes, something like that - ultimately we want to get rid of all global or file-static variables. 

Making it configurable will also help us write unit tests, so it's desirable for that too.

Comment 5 Damien Miller 2022-07-01 14:42:42 AEST

This was added in openssh-8.6

Comment 6 Damien Miller 2022-10-04 21:58:55 AEDT

Closing bugs from openssh-9.1 release cycle