curl-library

Re: Unavailable sshd when not in PATH

From: Yang Tse <yangsita_at_gmail.com>
Date: Sat, 31 Mar 2007 19:06:04 +0200

This mail is related to this change
http://cool.haxx.se/cvs.cgi/curl/tests/sshserver.pl.diff?r1=1.7&r2=1.8

2007/3/31, Dan Fandrich wrote:

> The most recent change to sshserver.pl to auto-detect supported sshd_config
> options causes a problem.

Please, Dan, which one(s)? Excuse me, I may have missed some facts or
some previous post(s), but from what you have written in the mail I'm
replying to and from what I've tested, I don't know, or have been unable
to see, which problem(s) it introduces. I'm not saying they
don't exist, I'm only declaring my inability to see them at this
point.

If it actually introduces any problem not already present without it,
I'll be glad to address it, or if there is no way to fix it
I'll revert the patch with no problem at all.

That said...

> Unfortunately, it's not as simple as checking
> for whether the options are supported to make it work on older versions.

The patch wasn't addressing the fact that the testsuite might not work
when using old OpenSSH versions. The testsuite will equally fail in
this case with the introduced change or even when reverted.

The description I used for the committed change literally was

"sshd might fail to start if given an unsupported configuration
option. Try to avoid this problem checking for some possible
unsupported options, and avoid using them in the configuration file."

It is exactly what the change is intended to do.

For example, the latest version of OpenSSH (OpenSSH_4.6p1, OpenSSL 0.9.8e
23 Feb 2007) distributed with the latest version of Cygwin
(1.5.24(0.156/4/2) 2007-01-31) does support the options UseDNS and
ChallengeResponseAuthentication but does not support the UsePAM option.

As you can see it is a modern version of OpenSSH and OpenSSL, so it
could have been built/compiled using --with-pam, but the fact is that
the standard distribution has not been built that way. And I
suspect it is the default for OpenSSH, so most probably the UsePAM
option will be unsupported on most OpenSSH installations.

The need for the patch arose from the fact that sshd failed to start
if the unsupported option UsePAM was used, making the testsuite fail
tests 6XX.

With the patch applied to sshserver.pl it detected that UsePAM was
unsupported, didn't use that option, and, what is more important, tests
6XX did run and complete properly.

> Some older versions don't support -D properly, either, which would have
> to be removed.

The patch does not address at all the -D problem. It will still exist
with the patch applied or not.

> Plus, OpenSSH 3.1 as an example doesn't support the
> UsePAM option but it can't be made to work in curl's test suite without it
> (at least I haven't been able to).

Then, if I'm not misunderstanding you, the testsuite should also be
verifying OpenSSH's version and skipping the 6XX test cases if OpenSSH's
version is not greater than that one.

> Attempting to do so will make the
> test fail instead of making the test be skipped as it was before--this is
> much worse effect than the possible benefit gained by letting the test
> suite run on some older version.

We certainly need to check OpenSSH's version.

> The other options tested along with UsePAM were added around the same time
> to OpenSSH so there's marginal utility in checking for them separately.

As I've said above, each of them might be supported or not
individually depending on how OpenSSH has been built. I haven't
checked with the OpenSSH source the possible dependencies that might
exist among them, but that might be something else we should address
with further improvements.

> Plus, there are other options that were added to newer OpenSSH versions
> (e.g. PermitUserEnvironment, UsePrivilegeSeparation) that would have to
> also be checked or the existing checks don't accomplish much on their
> own.

I agree with you. Further checks might also be needed, and should also
probably be done. I don't know which ones. You and Daniel are
the experts and the fathers of all this and nearly all libcurl stuff.
I just wanted to help and contribute my little grain to the big
pile.

> Unless you've actually found a version of OpenSSH that can be made to
> run with the current set of checks that didn't run before, I think the
> last patch ought to be reverted.

Cygwin (1.5.24(0.156/4/2) 2007-01-31) with OpenSSH (OpenSSH_4.6p1,
OpenSSL 0.9.8e 23 Feb 2007) on a W2k client in a W2k3 server domain.

If you need further checks on that machine, we will have to wait
until Monday.

-- 
-=[Yang]=-
Received on 2007-03-31
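An added example, not the sshserver.pl change under discussion nor any curl project code: a POSIX sh sketch of the check the patch is described as doing, probing the sshd binary for each candidate sshd_config keyword by running `sshd -t` on a one-line configuration, then writing a test-server config that uses only the accepted keywords. The probe method, the `SSHD` variable and the two functions are assumptions; the option names are the ones named in the thread.

```shell
#!/bin/sh
# Added example: detect which sshd_config keywords this sshd accepts, and
# keep unsupported ones (e.g. UsePAM on a build without PAM) out of the
# generated configuration so that sshd can still start.
SSHD="${SSHD:-sshd}"   # assumption: sshd under test, found on PATH by default

# sshd_option_supported KEYWORD VALUE
# Returns 0 if this sshd parses "KEYWORD VALUE", 1 if it rejects the
# keyword, 2 if sshd cannot be run at all.
sshd_option_supported() {
    command -v "$SSHD" >/dev/null 2>&1 || return 2
    cfg=$(mktemp) || return 2
    printf '%s %s\n' "$1" "$2" > "$cfg"
    # `sshd -t -f FILE` only parses the configuration. Its exit status is
    # ignored on purpose: a one-line config also fails for unrelated reasons
    # (no host keys), so only the parser's diagnostics about the keyword count.
    out=$("$SSHD" -t -f "$cfg" 2>&1) || :
    rm -f "$cfg"
    # "Bad configuration option": keyword unknown to this sshd version.
    # "Unsupported option": keyword known, but compiled out of this build.
    if printf '%s\n' "$out" | grep -q -e 'Bad configuration option' -e 'Unsupported option'; then
        return 1
    fi
    return 0
}

# write_sshd_config OUTFILE PORT
# Always writes the base settings; appends each optional directive only when
# the probe accepts it, leaving a comment behind for the ones it drops.
write_sshd_config() {
    out_file=$1
    {
        echo "Port $2"
        echo "Protocol 2"
        for directive in "UsePAM no" "UseDNS no" "ChallengeResponseAuthentication no"; do
            # $directive is split on purpose into KEYWORD and VALUE
            if sshd_option_supported $directive; then
                echo "$directive"
            else
                echo "# $directive  (omitted: not supported by $SSHD)"
            fi
        done
    } > "$out_file"
}
```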