Bug 1109251 - sshd -T does not show all (default) options, inconsistency
Summary: sshd -T does not show all (default) options, inconsistency
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: Stanislav Zidek
: 1212104 (view as bug list)
Depends On:
Blocks: 1187521 1187597
TreeView+ depends on / blocked
Reported: 2014-06-13 13:36 UTC by Jiri Belka
Modified: 2015-10-12 17:17 UTC (History)
5 users (show)

The sshd configuration test mode, executed by the "sshd -T" command, did not display all default options and displayed certain other options incorrectly. With this update, the sshd test mode outputs all required default options and also prints the above-mentioned other options correctly. Output of the configuration test mode can be now safely applied as configuration input.
Clone Of:
: 1187521 1187597 (view as bug list)
Last Closed: 2015-07-22 06:45:44 UTC

Attachments (Terms of Use)
proposed patch (3.58 KB, patch)
2015-01-21 10:05 UTC, Jakub Jelen
no flags Details | Diff
adjusted patch (3.29 KB, patch)
2015-01-29 17:45 UTC, Jakub Jelen
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1335 normal SHIPPED_LIVE openssh bug fix and enhancement update 2015-07-20 17:52:59 UTC
Red Hat Bugzilla 1270931 None None None Never

Internal Trackers: 1270931

Description Jiri Belka 2014-06-13 13:36:41 UTC
Description of problem:

sshd -T does:

     -T      Extended test mode.  Check the validity of the configuration file, output the effective configuration to stdout and then exit.  Optionally,
             Match rules may be applied by specifying the connection parameters using one or more -C options.

the problem is it does not show all efective configuration. little annoying.

- default Cipher:

# grep Cipher /etc/ssh/sshd_config 
#Ciphers aes192-ctr
# /usr/sbin/sshd -T | grep -i cipher

- overriden Cipher:

# grep Cipher /etc/ssh/sshd_config 
Ciphers aes192-ctr
# /usr/sbin/sshd -T | grep -i cipher
ciphers aes192-ctr

ha, one could think that default values are not shown but this is not the case:

- UseLogin example (by default 'no)

# grep UseLogin /etc/ssh/sshd_config 
#UseLogin no
# /usr/sbin/sshd -T | grep -i uselogin
uselogin no
# man sshd_config | col -b | sed -n '/UseLogin/,/^$/p'
             Specifies whether login(1) is used for interactive login ses-
             sions.  The default is “no”.  Note that login(1) is never used
             for remote command execution.  Note also, that if this is
             enabled, X11Forwarding will be disabled because login(1) does not
             know how to handle xauth(1) cookies.  If UsePrivilegeSeparation
             is specified, it will be disabled after authentication.

             forwarders.  X11 forwarding is automatically disabled if UseLogin
             is enabled.

so why does it show some default options and some not? inconsistent.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. sshd -T | grep uselogin
2. sshd -T | grep cipher

Actual results:
1. shows default value
2. not output for default value, the option even not displayed

Expected results:
consistency, show values for all options even they are default

Additional info:

Comment 2 Jakub Jelen 2015-01-21 10:05:53 UTC
Created attachment 982237 [details]
proposed patch

I would say, that there are default values and "internal default values". Default values are set to their default values and then overwritten by config, because it is usually some boolean or simple string, that can be used by all the code.
Internal default values (ex. Ciphers, Macs, KexAlgorithms and some paths) are set default to null and they are handled only in exact places in code, because they are more specific.

As I browse through the code. This also apply for upstream package, so this is not some invention of us.

This can be little annoying so I propose patch to pull default values if they are not set at least in this dump_config mode.

Completely missing values:
 * GssKeyEx
 * GssStrictAcceptor
 * GssStoreRekey
 * AllowAgentForwarding
 * RequiredAuthentications1
 * RequiredAuthentications2

Values that output only if they are (re)defined in sshd_config:
 * Ciphers
 * Macs
 * KexAlgorithms
 * Banner
 * ForceCommand
 * ChrootDirectory
 * TrustedUserCAKeys
 * RevokedKeys
 * AuthorizedPrincipalsFile
 * AuthorizedKeysCommand
 * AuthorizedKeysCommandRunAs

I added missing values, and for values printing only it there was some redefinition I wrote new function to print also some default value (usually none or disabled). See proposed patch.
I hope this will be more convenient for you.

Comment 3 Jakub Jelen 2015-01-29 17:45:41 UTC
Created attachment 985703 [details]
adjusted patch

After some more thinking about this bug, I came up with some compromise solution. There is no reason to write all the options with parameter <NONE> or <EMPTY>, if there is not default value (or default value is empty), especially when the output of sshd -T can be used to generate new config file and this would break it

But I can't say that all the options were written out correctly, so I had to fix some:
 * HostCertificate was written wrong way
 * Banner was not written if it was not set (now writing "none")
 * AllowAgentForwarding was not written
 * GSSAPIKeyExchange, GSSAPIStrictAcceptorCheck, GSSAPIStoreCredentialsOnRekey were not written
 * UsePAM was written wrong way
 * RequiredAuthentications1 was missing
 * Ciphers, Macs, KexAlgorithms can be little bit misleading so I send them to output also

This ended my research and comparing manual pages with actual behaviour. I hope this will be acceptable for you, Jiri. If you have some more comments, I'm all ears.

Comment 4 Jakub Jelen 2015-02-03 16:18:46 UTC
One more thing found was difference between Ciphers and MACs shown in man sshd_config and things used by sshd. Patch modification can add missing items:

Ciphers: rijndael-cbc@lysator.liu.se
MACs: hmac-ripemd160@openssh.com

Comment 6 Jiri Belka 2015-03-05 09:16:34 UTC
I'm OK with proposal - dump active configuration and/or default values (yes|no), if a config is null/empty do not include it in listing. People parsing `/usr/sbin/sshd -T' output could detect these "empty" configurations themselves.

Comment 8 Jiri Belka 2015-03-05 09:23:14 UTC
[OT] Could we also "query" effective configuration from running sshd? ssh client was recently enhances to query protocol versions ("ssh -Q protocol-version": http://marc.info/?l=openbsd-cvs&m=142536536213836&w=2), so maybe if we could query running sshd for its configuration with "/usr/sbin/sshd -Q" it would be nice too.

If it would be possible I would create a RFE BZ. Let me know, thanks.

Comment 9 Jakub Jelen 2015-03-05 10:01:26 UTC
I don't know what is your use-case and what difference would be there to sshd -T. Yes, it is not querying running sshd, but nor ssh -Q is -- it is permanent configuration just loaded from config files.

There is no such thing as effective configuration, except the time you have changed sshd_config and not restarted sshd.

Yes, rhel6 ssh (client) doesn't support -Q option, but in context of this bugzilla, I would be for backporting -G option (if there will be some use case), which is equivalent of sshd -T option. -Q option is just subset of these features.

Comment 10 Jiri Belka 2015-03-05 10:18:22 UTC
Ah OK, bad understanding of "ssh -Q protocol-version" :)

Comment 14 Stanislav Zidek 2015-04-30 12:17:19 UTC
*** Bug 1212104 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2015-07-22 06:45:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.