Bug 3460

Summary: sshd -T aborts when no hostkeys are available and does not emit any parsed configuration
Product: Portable OpenSSH
Reporter: Daniel Kahn Gillmor <dkg>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: djm, dtucker, tylercashea33
Priority: P5
Version: 9.0p1
Hardware: Other
OS: Linux
Bug Depends on:
Bug Blocks: 3533
Attachments:
Add sshd -G flag (flags: dtucker: ok+)

Description Daniel Kahn Gillmor 2022-07-13 01:26:42 AEST
Over in https://bugs.debian.org/959726 the Debian postinst script for openssh-server is being discussed. That postinst script needs to parse the sshd_config file to figure out what host keys need to be created.

I'm sure this isn't the only sysadmin-related tooling that tries to do such a task.

Rather than re-implementing the config file parser with some janky approximation with Perl, it'd be nicer to use `sshd -T` to get a normalized form and then parse the results more simply.

However, that's not possible for the postinst script because `sshd -T` aborts with an error and fails to emit any parsed configuration if no hostkeys are available (error message: "sshd: no hostkeys available -- exiting.")

I don't know what other errors in the configuration might cause sshd -T to abort with a failure, but it would be nice if it would go ahead and emit the parsed configuration anyway.

(If this seems wrong to do by default for whatever reason, perhaps a distinct option besides -T could be used to emit the parsed configuration regardless of whether there is an error.)
Comment 1 Damien Miller 2023-02-10 14:44:38 AEDT
Created attachment 3664
Add sshd -G flag

The reason why we haven't done this in the past is that -T is advertised as an "extended test" mode that will verify various configuration-related things and *then* print the config.

Maybe we should add a dedicated "config dump" mode (maybe using -G like ssh) that doesn't do this?
Comment 2 Darren Tucker 2023-02-10 14:50:33 AEDT
Comment on attachment 3664
Add sshd -G flag

usage() also needs updating.
Comment 3 Damien Miller 2023-02-10 16:21:13 AEDT
This has been committed and will be in OpenSSH 9.3
Comment 4 Damien Miller 2023-03-17 13:41:53 AEDT
OpenSSH 9.3 has been released. Close resolved bugs
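
The use case from the description, as an added example that is not part of the bug thread or OpenSSH's own code: reading a normalized config dump from `sshd -G` (OpenSSH 9.3 or later) and listing the host key files that still need to be created. It assumes the dump prints one lowercase `hostkey <path>` line per key, as `sshd -T` does; the function names and the mapping from the conventional `ssh_host_<type>_key` file name to a key type are illustrative.

```shell
#!/bin/sh
# Added example: find HostKey files named in a normalized sshd config dump
# that do not exist yet. Input on stdin is the output of `sshd -G`.

# Print the path from every "hostkey <path>" line of the dump.
# The pattern requires whitespace right after the keyword, so related
# keywords such as hostkeyagent or hostkeyalgorithms are not matched.
hostkey_paths() {
    sed -n 's/^hostkey[[:space:]][[:space:]]*//p'
}

# Guess the key type from the conventional ssh_host_<type>_key file name.
# Assumption: any other file name yields an empty type, because the type
# cannot be derived from the path alone.
keytype_for() {
    case "${1##*/}" in
        ssh_host_rsa_key)     echo rsa ;;
        ssh_host_ecdsa_key)   echo ecdsa ;;
        ssh_host_ed25519_key) echo ed25519 ;;
        *)                    echo "" ;;
    esac
}

# Read a dump on stdin; print "<type> <path>" for each key file that is
# missing. Keys with a non-conventional name are reported as "unknown"
# so the caller can decide how to handle them instead of guessing.
missing_hostkeys() {
    hostkey_paths | while IFS= read -r path; do
        [ -e "$path" ] && continue
        ktype=$(keytype_for "$path")
        if [ -z "$ktype" ]; then
            echo "unknown $path"
        else
            echo "$ktype $path"
        fi
    done
}

# Typical use on a host with OpenSSH 9.3 or later (not run here):
#   sshd -G -f /etc/ssh/sshd_config | missing_hostkeys
```

Because `-G` only parses and prints the configuration, this works before any host key exists, which is the situation the postinst script is in.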