Bug 1222716

Summary: libssh tries to read config from wrong crypto-policies location
Product: [openSUSE] openSUSE Tumbleweed Reporter: Fabian Vogt <fvogt>
Component: SecurityAssignee: Pedro Monreal Gonzalez <pmonrealgonzalez>
Status: IN_PROGRESS --- QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: pmonrealgonzalez, security-team
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Fabian Vogt 2024-04-12 08:29:55 UTC 
libssh-config ships /etc/libssh/libssh_server.config which contains

# Parse system-wide crypto configuration file
Include /usr/etc/crypto-policies/back-ends/libssh.config

But there is no such file. It's supposed to be

/etc/crypto-policies/back-ends/libssh.config

Probably caused by the fix for bug 1211718.
Comment 1 Pedro Monreal Gonzalez 2024-04-12 08:45:45 UTC 
Right, the libssh.config location for CP should not be changed. I'll amend that in a moment.
Comment 2 Pedro Monreal Gonzalez 2024-04-12 09:03:36 UTC 
Factory submission: https://build.opensuse.org/request/show/1167009
Comment 3 Fabian Vogt 2024-04-12 11:46:14 UTC 
(In reply to Pedro Monreal Gonzalez from comment #2)
> Factory submission: https://build.opensuse.org/request/show/1167009

FWICT the logic for this is wrong:

If /etc/ssh/ssh_config exists, that file is read. If not, /usr/etc/ssh/ssh_config is read.

Currently libssh only reads the latter, so user configuration may get ignored.
Comment 4 Pedro Monreal Gonzalez 2024-04-12 13:22:47 UTC 
Right, the usretc change was not done correctly in TW. I think GLOBAL_CLIENT_CONFIG and GLOBAL_BIND_CONFIG should still point to %{_sysconfdir} and in the config files both %{_sysconfdir} and %{_distconfdir} should be Included, right?

So, I think the sed command:
> %if 0%{?suse_version} > 1600
> sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
> sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
> %endif

should be substituted by:

> %if 0%{?suse_version} > 1600
> install -d -m755 %{buildroot}%{_distconfdir}/libssh/
> mv %{buildroot}%{_sysconfdir}/libssh/libssh_client.config %{buildroot}%{_distconfdir}/libssh/
> mv %{buildroot}%{_sysconfdir}/libssh/libssh_server.config %{buildroot}%{_distconfdir}/libssh/
> echo "Include /usr/etc/ssh/ssh_config" >> %{buildroot}%{_distconfdir}/libssh/libssh_client.config
> %endif

I get an rpmlint complaint about non-etc-or-var-file-marked-as-conffile warning.
Comment 5 Fabian Vogt 2024-04-15 06:20:40 UTC 
(In reply to Pedro Monreal Gonzalez from comment #4)
> Right, the usretc change was not done correctly in TW. I think
> GLOBAL_CLIENT_CONFIG and GLOBAL_BIND_CONFIG should still point to
> %{_sysconfdir} and in the config files both %{_sysconfdir} and
> %{_distconfdir} should be Included, right?

It's a bit more complex than that unfortunately.

According to https://en.opensuse.org/openSUSE:Packaging_UsrEtc, packages must not ship files in /etc, neither upstream nor distro ones. If distro config is necessary, the file is put somewhere into /usr/etc, /usr/share, /usr/lib (according to preference) and only read if there is no user configuration in /etc.

For libssh this means that it needs a code change to read /etc/libssh/libssh_{client,server}.config first and if that doesn't exist, /usr/etc/libssh/libssh_{client,server}.config.

Such a patch would probably get accepted upstream, /usr/lib is the most commonly used location.