
curl-library

Re: Autodetecting sshd options (was Re: Unavailable sshd when not in PATH)

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Mon, 2 Apr 2007 11:27:56 -0700

On Mon, Apr 02, 2007 at 03:22:10AM +0200, Yang Tse wrote:
> Committed a change that finds out the SSH daemon version, and bails out
> if it isn't OpenSSH 3.7 or later.

It's working for me, although it looks like the -V option isn't designed
to show the version information; I get messages "option requires an
argument" and "illegal option" depending on the sshd version, but it works
anyway. As long as some future version of OpenSSH doesn't change -V to mean
"delete all accessible files under $HOME", we'll be ok.

I also discovered a problem in the option checking code, where leading
whitespace from the wc command messed up the return code. Here's a patch
to fix that, plus speed things up by eliminating the command pipeline.

Index: sshserver.pl
===================================================================
RCS file: /cvsroot/curl/curl/tests/sshserver.pl,v
retrieving revision 1.10
diff -u -p -r1.10 sshserver.pl
--- sshserver.pl 2 Apr 2007 04:14:59 -0000 1.10
+++ sshserver.pl 2 Apr 2007 18:01:53 -0000
@@ -115,8 +115,7 @@ if (($ssh_daemon !~ /OpenSSH/) || (10 *
 # Check here for possible unsupported options, avoiding its use in sshd.
 sub sshd_supports_opt($) {
     my ($option) = @_;
- my $err = 1;
- chomp($err = qx($sshd -t -o $option=no 2>&1 | grep $option 2>&1 | wc -l));
+ my $err = grep /$option/, qx($sshd -t -o $option=no 2>&1);
     return !$err;
 }
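
Review bot: on the added `my $err = grep /$option/, ...` line, `$option` is used as a regular expression, so it matches as a substring of longer option names and any metacharacters in it are interpreted; quote and anchor it, e.g. `/\b\Q$option\E\b/`. The `qx(...)` still runs through the shell because of `2>&1`, with `$sshd` and `$option` interpolated unquoted, so an sshd path containing spaces will break the command. A one-line comment saying that `grep` is evaluated in scalar context here, so `$err` holds the number of matching lines, would help the next reader.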

There is still a problem in that when sshd is run in this way it will load
all its normal configuration files and if those files are invalid
this will return the wrong results. Also, this will pick up
deprecated option warnings and incorrectly treat those options as unusable.
A better approach would be to write the entire curl_sshd_config file each
time and use that to do the test.
 
> I have some reasons to pick even later versions as the minimum OpenSSH
> version supported for the SCP and SFTP tests.
>
> OpenSSH version 3.8 and later support Kerberos 5 authentication and
> authorization through Network Authentication Service Version 1.4. Any
> future test related with this stuff will raise the minimum to 3.8,
> version which already is three years old.
>
> OpenSSH version 3.9 and later have the same behaviour relative to the
> authentication options when PAM support is built in. In other words
> version 3.9 is the first one to stabilize the PAM support interface,
> version which is 2,5 years old.
>
> My personal minimum version choice would be 3.9, this should ease out
> coding of sshserver.pl for all the other checks that you foresee.

As long as 3.7 works with the requirements of the current test suite, let's
leave it at that for now.

> After all, if someone is running the bleeding edge version of libcurl,
> why not require at least a 2,5 years old version of OpenSSH to run the
> tests?

Because many hosts that need a recent libcurl aren't necessarily running
recent versions of everything else. For example, I work with four
different web hosting firms that are running >4 year old OSes, because
there's no need for them to risk upgrading. But if their customers start
requesting the latest version of PHP and PHP/curl, they'll want to do
that upgrade only with a minimum of fuss.

Skipping tests if sshd is too old is actually a pretty minor problem in the
long run and wouldn't even be a big deal in the hypothetical example
above (unless running the tests would have shown a broken libssh2
implementation or something), but philosophically, I think it's worth
expending a bit of effort to try to make things work on a wide variety
of versions.

> If someday it is done, besides OpenSSH supporting also the other
> mainstream SSH daemon 'SSH Secure Shell' will bring 'additional fun'.

Definitely!

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address service
          Let webmasters know that your web site has moved
Received on 2007-04-02
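
The two failure modes raised in the mail (errors coming from the host's own configuration files, and deprecation warnings counted as failures) can be told apart by classifying the output lines instead of counting matches. The Perl below is an added example, not code from sshserver.pl or the curl project; the function name `classify_sshd_output`, the sample lines, and the assumed message wording (a `command-line` prefix for `-o` options, "Bad configuration option", "Deprecated option") are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Classify what "sshd -t -o Option=value" printed about one option.
# Returns 'unsupported', 'deprecated' or 'ok'.
# Assumptions: lines caused by -o start with "command-line", and the
# wording is "Bad configuration option" / "Deprecated option".
sub classify_sshd_output {
    my ($option, @lines) = @_;
    my $name = qr/\b\Q$option\E\b/i;    # literal, whole word, any case
    my $result = 'ok';
    for my $line (@lines) {
        # Skip complaints about the host's own configuration files.
        next unless $line =~ /^command-line\b/;
        next unless $line =~ $name;
        return 'unsupported' if $line =~ /Bad configuration option/i;
        $result = 'deprecated' if $line =~ /Deprecated option/i;
    }
    return $result;
}

# Constructed sample output, one list per tested option.
my %sample = (
    UsePAM    => ["command-line: line 0: Bad configuration option: UsePAM\n"],
    KeepAlive => ["command-line line 0: Deprecated option KeepAlive\n"],
    UseDNS    => ["/etc/ssh/sshd_config: line 9: Bad configuration option: UseDNSLookup\n"],
);

for my $option (sort keys %sample) {
    my @lines  = @{ $sample{$option} };
    my $naive  = grep(/$option/, @lines) ? 'unusable' : 'usable';
    my $result = classify_sshd_output($option, @lines);
    printf "%-10s naive grep: %-8s classified: %s\n", $option, $naive, $result;
}
```

A caller that only needs a yes/no answer would treat everything except `unsupported` as usable, which keeps deprecated options in play.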