Bug 1222716 - libssh tries to read config from wrong crypto-policies location
Status: IN_PROGRESS
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None, Severity: Normal
Target Milestone: ---
Assignee: Pedro Monreal Gonzalez
QA Contact: E-mail List
Reported: 2024-04-12 08:29 UTC by Fabian Vogt
Modified: 2024-04-15 06:20 UTC
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Fabian Vogt 2024-04-12 08:29:55 UTC
libssh-config ships /etc/libssh/libssh_server.config which contains

# Parse system-wide crypto configuration file
Include /usr/etc/crypto-policies/back-ends/libssh.config

But there is no such file. It's supposed to be

/etc/crypto-policies/back-ends/libssh.config

Probably caused by the fix for bug 1211718.
Comment 1 Pedro Monreal Gonzalez 2024-04-12 08:45:45 UTC
Right, the libssh.config location for CP should not be changed. I'll amend that in a moment.
Comment 2 Pedro Monreal Gonzalez 2024-04-12 09:03:36 UTC
Factory submission: https://build.opensuse.org/request/show/1167009
Comment 3 Fabian Vogt 2024-04-12 11:46:14 UTC
(In reply to Pedro Monreal Gonzalez from comment #2)
> Factory submission: https://build.opensuse.org/request/show/1167009

FWICT the logic for this is wrong:

If /etc/ssh/ssh_config exists, that file is read. If not, /usr/etc/ssh/ssh_config is read.

Currently libssh only reads the latter, so user configuration may get ignored.
Comment 4 Pedro Monreal Gonzalez 2024-04-12 13:22:47 UTC
Right, the usretc change was not done correctly in TW. I think GLOBAL_CLIENT_CONFIG and GLOBAL_BIND_CONFIG should still point to %{_sysconfdir} and in the config files both %{_sysconfdir} and %{_distconfdir} should be Included, right?

So, I think the sed command:
> %if 0%{?suse_version} > 1600
> sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
> sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
> %endif

should be substituted by:

> %if 0%{?suse_version} > 1600
> install -d -m755 %{buildroot}%{_distconfdir}/libssh/
> mv %{buildroot}%{_sysconfdir}/libssh/libssh_client.config %{buildroot}%{_distconfdir}/libssh/
> mv %{buildroot}%{_sysconfdir}/libssh/libssh_server.config %{buildroot}%{_distconfdir}/libssh/
> echo "Include /usr/etc/ssh/ssh_config" >> %{buildroot}%{_distconfdir}/libssh/libssh_client.config
> %endif

I get an rpmlint complaint about a non-etc-or-var-file-marked-as-conffile warning.
Comment 5 Fabian Vogt 2024-04-15 06:20:40 UTC
(In reply to Pedro Monreal Gonzalez from comment #4)
> Right, the usretc change was not done correctly in TW. I think
> GLOBAL_CLIENT_CONFIG and GLOBAL_BIND_CONFIG should still point to
> %{_sysconfdir} and in the config files both %{_sysconfdir} and
> %{_distconfdir} should be Included, right?

It's a bit more complex than that unfortunately.

According to https://en.opensuse.org/openSUSE:Packaging_UsrEtc, packages must not ship files in /etc, neither upstream nor distro ones. If distro config is necessary, the file is put somewhere into /usr/etc, /usr/share, /usr/lib (according to preference) and only read if there is no user configuration in /etc.

For libssh this means that it needs a code change to read /etc/libssh/libssh_{client,server}.config first and if that doesn't exist, /usr/etc/libssh/libssh_{client,server}.config.

Such a patch would probably get accepted upstream; /usr/lib is the most commonly used location.
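The /etc-before-/usr/etc precedence described in comment 5, together with a check for the dangling crypto-policies Include from the description, as an added example; this is not code from the bug report or from libssh itself, and the file tree it builds under a temporary root is constructed for the demo.

```python
import glob
import os
import tempfile

def pick_config(name, etc="/etc", distetc="/usr/etc"):
    """Admin copy in /etc/libssh wins; the distro copy in /usr/etc/libssh is
    only the fallback (the precedence comment 5 asks libssh to implement)."""
    for base in (etc, distetc):
        path = os.path.join(base, "libssh", name)
        if os.path.isfile(path):
            return path
    return None

def missing_includes(path, seen=None):
    """Follow Include directives (globs allowed) and return every pattern that
    matches no file: policy the daemon would silently skip, as in the report."""
    seen = set() if seen is None else seen
    missing = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            if key.lower() != "include":
                continue
            targets = glob.glob(value.strip())
            if not targets:
                missing.append(value.strip())
            for target in targets:
                if target not in seen:
                    seen.add(target)
                    missing.extend(missing_includes(target, seen))
    return missing

def demo(fixed=False):
    """Constructed tree mirroring the report: the distro server config Includes
    the /usr/etc crypto-policies path, but only /etc/crypto-policies/... exists.
    With fixed=True an admin override in /etc/libssh points at the right file."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    write("etc/crypto-policies/back-ends/libssh.config", "Ciphers aes256-gcm@openssh.com\n")
    write("usr/etc/libssh/libssh_server.config", "# Parse system-wide crypto configuration file\n"
          f"Include {root}/usr/etc/crypto-policies/back-ends/libssh.config\n")
    if fixed:
        write("etc/libssh/libssh_server.config",
              f"Include {root}/etc/crypto-policies/back-ends/libssh.config\n")
    config = pick_config("libssh_server.config", f"{root}/etc", f"{root}/usr/etc")
    return {"root": root, "config": config, "missing": missing_includes(config)}
```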