Created attachment 3358 [details]
Mark the RDomain configuration option unsupported on non-openbsd builds

Experimenting with the RDomain configuration option on a non-OpenBSD platform prevents sshd from accepting connections. The release notes properly described this option as supported only on OpenBSD, but this was not propagated to the manual page, and the user is left without warning until the server does not accept any new connections with this option.

I believe the option should be marked as unsupported to avoid these surprises and the documentation should be adjusted accordingly.
(In reply to Jakub Jelen from comment #0)
> Created attachment 3358 [details]
> Mark the RDomain configuration option unsupported on non-openbsd
> builds

I don't think that patch is correct. sshd should fail with a warning on platforms that don't have an rdomain equivalent (in sshd.c:set_process_rdomain). In the case of Linux, it's a little convoluted but it should end up using the code in openbsd-compat/port-net.c.

> Experimenting with RDomain configuration option on non-OpenBSD
> platform prevents sshd from accepting connections.

If the Linux rdomain code doesn't work as expected that's a separate issue.

> The release notes
> properly described this option as supported only on OpenBSD,

That was true when rdomain was added, but it's since added Linux support.
(In reply to Darren Tucker from comment #1)
> (In reply to Jakub Jelen from comment #0)
> > Created attachment 3358 [details]
> > Mark the RDomain configuration option unsupported on non-openbsd
> > builds
>
> I don't think that patch is correct. sshd should fail with a
> warning on platforms that don't have an rdomain equivalent (in
> sshd.c:set_process_rdomain). In the case of Linux, it's a little
> convoluted but it should end up using the code in
> openbsd-compat/port-net.c.

Yes, that code contains only

> fatal("%s: not supported", __func__);

> > Experimenting with RDomain configuration option on non-OpenBSD
> > platform prevents sshd from accepting connections.
>
> If the Linux rdomain code doesn't work as expected that's a separate
> issue.

There is no Linux code for this configuration option.

> > The release notes
> > properly described this option as supported only on OpenBSD,
>
> That was true when rdomain was added, but it's since added Linux
> support.

According to the code, this is still the case. See above. I did not investigate whether there is already a way to change rdomain for a process in Linux, but having an option which is without warning in the manual page breaking all connections is dangerous.
(In reply to Jakub Jelen from comment #2)
> (In reply to Darren Tucker from comment #1)
[...]
> > If the Linux rdomain code doesn't work as expected that's a
> > separate issue.
>
> There is no linux code for this configuration option.

https://github.com/openssh/openssh-portable/blob/master/openbsd-compat/port-net.c#L48

> I did not
> investigate whether there is already a way to change rdomain for
> process in Linux, but having an option which is without warning in
> manual page breaking all connections is dangerous.

The problem looks to be specific to the Linux code. On any platform other than OpenBSD or Linux (this is FreeBSD 10) I get this error at startup when attempting to set an rdomain:

$ sudo `pwd`/sshd -ddd -o rdomain=1
Routing domains are not supported on this platform
command-line line 0: bad routing domain
(In reply to Darren Tucker from comment #3)
> (In reply to Jakub Jelen from comment #2)
> > (In reply to Darren Tucker from comment #1)
> [...]
> > > If the Linux rdomain code doesn't work as expected that's a
> > > separate issue.
> >
> > There is no linux code for this configuration option.
>
> https://github.com/openssh/openssh-portable/blob/master/openbsd-compat/port-net.c#L48

But this is for set/get_rdomain() on a socket. The above option is about setting the context for the process, which is not supported in Linux:

https://github.com/openssh/openssh-portable/blob/master/openbsd-compat/port-net.c#L119

> > I did not
> > investigate whether there is already a way to change rdomain for
> > process in Linux, but having an option which is without warning in
> > manual page breaking all connections is dangerous.
>
> The problem looks to be specific to the Linux code. On any platform
> other than OpenBSD or Linux (this is FreeBSD 10) I get this error at
> startup when attempting to set an rdomain:
>
> $ sudo `pwd`/sshd -ddd -o rdomain=1
> Routing domains are not supported on this platform
> command-line line 0: bad routing domain

Right. Thank you for checking. I missed this part of the code which is shared between the listenaddress and rdomain options. But the patch as it is above still addresses the original issue. If you think that the option should fail and not report as unsupported, I can rewrite the patch to do that.
One more clarification. The reproducer is just setting this in the sshd_config:

RDomain %D

With this configuration, restart and configuration parsing passes fine, but fails to accept connections:

sshd[4831]: Server listening on :: port 22.
systemd[1]: Started OpenSSH server daemon.
sshd[4833]: fatal: Unable to set routing domain: not supported in this platform

Indeed, setting up anything else fails already during the configuration parsing, so marking the configuration option as unsupported on non-OpenBSD builds would make sense from here.
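A pre-deployment check for the failure mode reported above, as an added example that is not part of the bug report or of OpenSSH: it flags every RDomain directive in an sshd_config-style file when the host is not OpenBSD, since affected builds accept `RDomain %D` at parse time and only fail once a connection arrives. The function names and the sample config are constructed for illustration, and treating OpenBSD as the only platform with process rdomain support is an assumption taken from this discussion.

```shell
#!/bin/sh
# Added example: flag RDomain directives in an sshd_config-style file.
# Assumption (from the thread): only OpenBSD builds support a process rdomain.

# find_rdomain FILE -> prints "LINE:VALUE" for every RDomain directive.
find_rdomain() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)             # leading whitespace is allowed
        if (line == "" || line ~ /^#/) next   # blank lines and comments
        n = match(line, /[ \t=]/)             # keyword ends at whitespace or "="
        if (n == 0) next
        if (tolower(substr(line, 1, n - 1)) != "rdomain") next  # case-insensitive
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)       # separator: whitespace, optional "="
        sub(/[ \t]+$/, "", val)
        sub(/^"/, "", val); sub(/"$/, "", val) # optional double quotes
        print NR ":" val
    }' "$1"
}

# check_rdomain FILE [OS] -> 0 if fine, 1 if RDomain is set on a non-OpenBSD OS.
check_rdomain() {
    file=$1
    os=${2:-$(uname -s)}
    hits=$(find_rdomain "$file")
    [ -z "$hits" ] && return 0
    [ "$os" = "OpenBSD" ] && return 0
    printf '%s\n' "$hits" | while IFS=: read -r ln val; do
        echo "$file:$ln: RDomain $val is not supported on $os" >&2
    done
    return 1
}

# Constructed sample config; line 3 is a variant of the thread's reproducer.
make_sample() {
    f=$(mktemp)
    printf '%s\n' '# RDomain 1' 'Port 22' '  rdomain = %D' \
        'Match User backup' '    RDomain "2"' > "$f"
    echo "$f"
}

sample=$(make_sample)
check_rdomain "$sample" Linux || echo "RDomain would stop this sshd from serving"
rm -f "$sample"
```

Running it alongside `sshd -t` covers builds where the option still passes the configuration test.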
ok thanks. putting on list for next release.
Created attachment 3370 [details]
Mark the RDomain configuration option unsupported on non-openbsd builds v2

Second version -- we need to prevent dumping the configuration option too, as it would create invalid configuration files and the testsuite would fail on Linux.
Created attachment 3386 [details]
fatal out if config has unsupported rdomain keyword

Revised patch which causes it to fatal out at parse time if rdomain is unsupported instead of just logging a warning. Rationale: the user might think they have applied a restriction but actually have not.

It uses HAVE_SYS_SET_PROCESS_RDOMAIN in addition to __OpenBSD__ since that would be set if a platform did support it (although no platform currently does, the infrastructure is there).

It also removes the entry in the man page. Rationale: there are many configuration options that depend on platform and/or build time support and including all of them in the man page would be a) unwieldy and b) a maintenance burden since it would make it harder to keep in sync with upstream.
Patch applied, please let us know if you have any additional feedback or problems with it. Thanks.
closing resolved bugs as of 8.6p1 release