Bug 2277 - config: add option to customize moduli file location
Summary: config: add option to customize moduli file location
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.6p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL: https://github.com/openssh/openssh-po...
Reported: 2014-09-17 00:05 AEST by Alon Bar-Lev
Modified: 2022-10-04 21:58 AEDT

Attachments
config-add-option-to-customize-moduli-file-location.patch (8.04 KB, patch)
2014-09-17 00:05 AEST, Alon Bar-Lev

Description Alon Bar-Lev 2014-09-17 00:05:06 AEST
Created attachment 2475
config-add-option-to-customize-moduli-file-location.patch

Currently all files can be customized via sshd_config, however, the
moduli file cannot.

Running sshd in unprivileged context requires customization of all
resources, especially when some distributions set the moduli as world
unreadable.

---

I hope I got this right. I could use the copy of options within the child process, but I preferred to use the rpc in order to pass all parameters; maybe you want this the other way around.

This continues the series of unprivileged-helpful functionality: bug#2081, bug#2276.
Comment 1 Alon Bar-Lev 2015-03-03 20:20:42 AEDT
I cannot rebase this patch easily due to the split of ssh api, the kex is not linked against sshd and there is no [trivial] way to pass options.

I do not think the API as a library should access files in fixed locations, I suggest to consider either removing fixed location or adding ability to pass options to the api.

Another option is to control the moduli file location via the environment.
Comment 2 Damien Miller 2015-03-04 10:23:26 AEDT
(In reply to Alon Bar-Lev from comment #1)
> I cannot rebase this patch easily due to the split of ssh api, the
> kex is not linked against sshd and there is no [trivial] way to pass
> options.
> 
> I do not think the API as a library should access files in fixed
> locations, I suggest to consider either removing fixed location or
> adding ability to pass options to the api.

The API isn't close to stable yet; it's likely to change substantially before we are ready to expose it for non-internal use.
Comment 3 Alon Bar-Lev 2015-03-04 17:58:28 AEDT
(In reply to Damien Miller from comment #2)
> (In reply to Alon Bar-Lev from comment #1)
> > I cannot rebase this patch easily due to the split of ssh api, the
> > kex is not linked against sshd and there is no [trivial] way to pass
> > options.
> > 
> > I do not think the API as a library should access files in fixed
> > locations, I suggest to consider either removing fixed location or
> > adding ability to pass options to the api.
> 
> The API isn't close to stable yet, it's likely to change
> substantially before we are ready to expose for non-internal use

I understand.

Do you have any preference for how to pass the file location into the kex module? For example, can we add options to the ssh structure?
Comment 4 Damien Miller 2015-03-04 18:16:26 AEDT
(In reply to Alon Bar-Lev from comment #3)

> Do you have any preferences of how to pass the file location into
> the kex module? For example, can we add options to ssh structure?

Yes, something like that - ultimately we want to get rid of all global or file-static variables. 

Making it configurable will also help us write unit tests, so it's desirable for that too.
Comment 5 Damien Miller 2022-07-01 14:42:42 AEST
This was added in openssh-8.6
Comment 6 Damien Miller 2022-10-04 21:58:55 AEDT
Closing bugs from openssh-9.1 release cycle