[Freeipa-devel] [PATCH] 0001: Silence sshd messages during install

Martin Basti mbasti at redhat.com
Mon Aug 8 12:25:01 UTC 2016



On 08.08.2016 13:58, Alexander Bokovoy wrote:
> On Mon, 08 Aug 2016, Jan Cholasta wrote:
>> On 19.7.2016 08:40, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 9.7.2016 14:46, Ben Lipton wrote:
>>>> On 07/07/2016 11:19 AM, Ben Lipton wrote:
>>>>>
>>>>> Thanks for the review! Comments below.
>>>>>
>>>>>
>>>>> On 07/01/2016 07:42 AM, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 29.06.2016 20:46, Ben Lipton wrote:
>>>>>>> The attached patch silences some annoying messages I've been getting
>>>>>>> when upgrading the freeipa-client package on F24:
>>>>>>> """
>>>>>>> WARNING: 'UseLogin yes' is not supported in Fedora and may cause
>>>>>>> several problems.
>>>>> This will be fixed by openssh-7.2p2-9.fc24
>>>>> (https://bugzilla.redhat.com/show_bug.cgi?id=1350347) so we probably
>>>>> shouldn't worry about it.
>>>>>>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>>> This is because by default sshd looks for all of
>>>>> /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
>>>>> /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key, but
>>>>> Fedora doesn't generate a DSA key by default.
>>>>>>> """
>>>>>>>
>>>>>>> Since the script causing the message only looks at the return code
>>>>>>> from sshd to determine the right options to use, I thought it might
>>>>>>> be ok to discard the output. What do you think?
>>>>>>>
>>>>>>> Ben
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Hello, I don't like hiding errors/warnings. Can you determine and
>>>>>> solve the root cause?
>>>>>
>>>>> I definitely agree with this in principle, but in this case the
>>>>> purpose of this code is to try different, potentially wrong,
>>>>> parameters to sshd until it finds a combination that it accepts. It
>>>>> seems like in some environments this would produce error messages that
>>>>> aren't actionable and don't indicate any problem for package function,
>>>>> which is why I didn't think these messages were necessarily worth
>>>>> preserving.
>>>>>
>>>>> On the other hand, if the code makes the wrong decision about sshd
>>>>> version we might be interested in error logs that show why. Can we log
>>>>> this to a file instead of the console, maybe?
>>>>>
>>>>> If you'd prefer just addressing the root cause, a patch that prevents
>>>>> the missing host key error is attached, but it won't stop the error
>>>>> messages showing up when openssh is an older version.
>>>>>
>>>>> Thanks,
>>>>> Ben
>>>>>
>>>>>
>>>> Whoops, realized that my patch created a tempfile and didn't delete it.
>>>> Updated.
>>>
>>> I think the first version of the patch was OK. sshd is called only to
>>> check which set of authorized keys options to use, we don't really care
>>> about anything else, so we can safely ignore whatever it puts to stderr.
>>
>> Bump.
>>
>> ACK on the first version of the patch 
>> (freeipa-blipton-0001-Silence-sshd-messages-during-install.patch).
>>
>> Anyone against pushing it?
> Given that a newer OpenSSH version will silence it anyway, I'm OK with the
> interim fix.
Pushed to master: c15ba1f9e8c7d236586d46271fce7c3950b509da
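
The trade-off discussed in this thread (decide on the exit status alone, keep the console quiet, but still have the probe's stderr available if the wrong choice is made), as an added example that is not part of the thread or of FreeIPA's code. `fake_sshd`, `PROBE_CMD`, `first_accepted` and the `PlaceholderOpt*` option names are assumptions made up for illustration; a real caller would point `PROBE_CMD` at its own sshd invocation.

```shell
#!/bin/sh
# Constructed stand-in for the probed daemon: it always prints the harmless
# host-key warning on stderr and accepts only one (made-up) option.
fake_sshd() {
    echo "Could not load host key: /etc/ssh/ssh_host_dsa_key" >&2
    case "$*" in
        *PlaceholderOptB=yes*) return 0 ;;
        *) echo "Bad configuration option: $*" >&2; return 1 ;;
    esac
}

# first_accepted LOGFILE CANDIDATE...
# Tries each candidate option in order and prints the first one the probe
# accepts. Only the exit status decides; everything the probe writes goes to
# LOGFILE instead of the console. Returns 1 if no candidate is accepted.
# The caller owns LOGFILE and is responsible for removing it.
first_accepted() {
    log=$1
    shift
    : > "$log" || return 2
    for candidate in "$@"; do
        printf 'probe: %s\n' "$candidate" >> "$log"
        rc=0
        # PROBE_CMD is left unquoted on purpose so it may carry arguments.
        ${PROBE_CMD:-fake_sshd} -o "$candidate" >> "$log" 2>&1 || rc=$?
        if [ "$rc" -eq 0 ]; then
            printf 'accepted: %s\n' "$candidate" >> "$log"
            printf '%s\n' "$candidate"
            return 0
        fi
        printf 'rejected (exit %s): %s\n' "$rc" "$candidate" >> "$log"
    done
    return 1
}
```
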