sshd -t to test configuration file syntax?
Pekka Savola
pekkas at netcore.fi
Thu Feb 22 04:11:26 EST 2001
On Wed, 21 Feb 2001, Markus Friedl wrote:
Patch attached.
Pretty important, especially now as a lot of options changed.
I hope this looks good -- I'd like this kind of functionality to be in
2.5.1p2.
> sounds useful.
>
> all you need is exit(0);
> after the
>
> /* Check certain values for sanity. */
> if (options.protocol & SSH_PROTO_1) {
> if (options.server_key_bits < 512 ||
> options.server_key_bits > 32768) {
> fprintf(stderr, "Bad server key size.\n");
> exit(1);
> ...
> }
>
> in sshd.c
>
>
> On Wed, Feb 21, 2001 at 05:21:08PM +0200, Pekka Savola wrote:
> > Hello all,
> >
> > sshd configuration file options change from one release to another.
> >
> > If you forget to update sshd_config, sshd will not start.
> >
> > This is especially painful for update scripts etc. where you can't do e.g.
> > 'sshd -p 2022' to see if it's okay.
> >
> > May I suggest some option, e.g. sshd -t, which would test config files and
> > other obvious issues and return an error code if something is broken?
> >
> > Does this seem useful?
> >
> > --
> > Pekka Savola "Tell me of difficulties surmounted,
> > Netcore Oy not those you stumble over and fall"
> > Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
> >
> >
>
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
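The update-script use the thread is about, as an added example that is not part of this message or of OpenSSH: a small POSIX shell wrapper that runs `sshd -t -f FILE` (the option the attached patch introduces; `-f` is the existing config-file switch) and only copies a new configuration into place when the daemon accepts it. The function names, the default binary path /usr/sbin/sshd and the default live path /etc/ssh/sshd_config are assumptions; the only behaviour relied on is that `sshd -t` exits 0 on an acceptable file and non-zero otherwise.

```shell
#!/bin/sh
# Added example: validate an sshd configuration with `sshd -t` before it goes live.
# SSHD_BIN is an assumed default; override it if sshd is installed elsewhere.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"

# sshd_config_ok FILE
# Returns 0 if sshd accepts FILE (configuration syntax and host keys),
# non-zero otherwise. sshd's own diagnostics go to stderr as usual.
sshd_config_ok() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "sshd_config_ok: cannot read $cfg" >&2
        return 1
    fi
    "$SSHD_BIN" -t -f "$cfg"
}

# install_sshd_config NEW LIVE
# Replaces LIVE with NEW only if NEW passes sshd -t, keeping the previous
# LIVE as LIVE.bak so the change can be reverted. Returns 1 and leaves LIVE
# untouched when the new file is rejected, so a broken update never lands.
install_sshd_config() {
    new="$1"
    live="$2"
    if ! sshd_config_ok "$new"; then
        echo "refusing to install $new: sshd -t rejected it; $live left untouched" >&2
        return 1
    fi
    if [ -f "$live" ]; then
        cp -p "$live" "$live.bak" || return 1
    fi
    cp -p "$new" "$live"
}

# Script usage: ./sshd-config-check.sh NEW_CONFIG [LIVE_CONFIG]
# (the default live path /etc/ssh/sshd_config is an assumption)
if [ "$#" -ge 1 ]; then
    install_sshd_config "$1" "${2:-/etc/ssh/sshd_config}"
fi
```

Two caveats when using this: `sshd -t` loads the host keys as well as the configuration, so run the check with the privileges the daemon itself starts with, otherwise a key permission problem is indistinguishable from a bad configuration; and a file that passes `-t` is one this sshd will parse, not necessarily the policy you intended, so the check complements review of the configuration change rather than replacing it.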
-------------- next part --------------
diff -uNr openssh_cvs/sshd.8 openssh_cvs.test/sshd.8
--- openssh_cvs/sshd.8 Thu Feb 15 15:07:48 2001
+++ openssh_cvs.test/sshd.8 Wed Feb 21 18:57:42 2001
@@ -43,7 +43,7 @@
.Nd secure shell daemon
.Sh SYNOPSIS
.Nm sshd
-.Op Fl diqD46
+.Op Fl diqtD46
.Op Fl b Ar bits
.Op Fl f Ar config_file
.Op Fl g Ar login_grace_time
@@ -240,6 +240,12 @@
Nothing is sent to the system log.
Normally the beginning,
authentication, and termination of each connection is logged.
+.It Fl t
+Test mode.
+Only check the validity of the configuration file and sanity of the keys.
+This is useful for updating
+.Nm sshd
+reliably as configuration options may change.
.It Fl u Ar len
This option is used to specify the size of the field
in the
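Review bot: the new `.It Fl t` entry should state the exit status, since the whole point of the flag is use from update scripts: something like "`.Nm sshd` exits with status 0 if the configuration file and keys are acceptable and non-zero otherwise" belongs in this paragraph. It is also worth saying that `-t` combines with `.Fl f Ar config_file` (already in the synopsis above) to check a configuration that has not yet been installed, which is exactly the update-script case the thread describes.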
diff -uNr openssh_cvs/sshd.c openssh_cvs.test/sshd.c
--- openssh_cvs/sshd.c Tue Feb 20 14:46:54 2001
+++ openssh_cvs.test/sshd.c Wed Feb 21 18:57:17 2001
@@ -112,6 +112,9 @@
*/
int debug_flag = 0;
+/* Flag indicating that the daemon should only test the configuration and keys. */
+int test_flag = 0;
+
/* Flag indicating that the daemon is being started from inetd. */
int inetd_flag = 0;
@@ -577,7 +580,7 @@
initialize_server_options(&options);
/* Parse command-line arguments. */
- while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDiqQ46")) != -1) {
+ while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDiqtQ46")) != -1) {
switch (opt) {
case '4':
IPv4or6 = AF_INET;
@@ -640,6 +643,9 @@
/* only makes sense with inetd_flag, i.e. no listen() */
inetd_flag = 1;
break;
+ case 't':
+ test_flag = 1;
+ break;
case 'u':
utmp_len = atoi(optarg);
break;
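Review bot: `case 't'` only sets `test_flag`, so any failure found in test mode is reported by whatever the existing error path already does; because the flag exists to be run from scripts, it is worth confirming that a configuration-file parse error is printed on stderr together with the non-zero exit rather than only sent to syslog, otherwise the script sees the failure code but no reason for it. If that is not already the behaviour, having `-t` force diagnostics to stderr would be the simple fix.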
@@ -652,6 +658,7 @@
fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n");
fprintf(stderr, " -i Started from inetd\n");
fprintf(stderr, " -D Do not fork into daemon mode\n");
+ fprintf(stderr, " -t Only test configuration file and keys\n");
fprintf(stderr, " -q Quiet (no logging)\n");
fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
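Review bot: style only: the usage line for `-t` is inserted between `-D` and `-q`, whereas the sshd.8 hunk places the `.It Fl t` entry just before `-u`; keeping the usage text in the same order as the manual makes the two easier to keep in sync. Wording it "-t Only test configuration file and keys, then exit" would also make clear that the daemon does not go on to start.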
@@ -737,6 +744,10 @@
fprintf(stderr, "Bad server key size.\n");
exit(1);
}
+ /* Configuration looks good, so exit if in test mode. */
+ if (test_flag)
+ exit(0);
+
/*
* Check that server and host key lengths differ sufficiently. This
* is necessary to make double encryption work with rsaref. Oh, I
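Review bot: the `if (test_flag) exit(0);` is placed before the check that follows in the trailing context ("Check that server and host key lengths differ sufficiently"), so a configuration that fails that later check passes `-t` yet still fails at a real start, which defeats the guarantee the man-page text gives update scripts. Move the exit to just after the last sanity check on the configuration and keys, immediately before the daemon would daemonize or bind its listening socket, so that `-t` covers every check a normal start performs.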