From nobody@FreeBSD.org  Thu Jan 17 11:37:45 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 7277E37B417
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 17 Jan 2002 11:37:44 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0HJbiS63102;
	Thu, 17 Jan 2002 11:37:44 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200201171937.g0HJbiS63102@freefall.freebsd.org>
Date: Thu, 17 Jan 2002 11:37:44 -0800 (PST)
From: "David P. Discher" <dpd@dpdtech.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Hardcoded path for ssh-keygen in /etc/rc.network
X-Send-Pr-Version: www-1.0

>Number:         34003
>Category:       misc
>Synopsis:       Hardcoded path for ssh-keygen in /etc/rc.network
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    mtm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          wish
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 17 11:40:01 PST 2002
>Closed-Date:    Fri Jan 10 06:25:31 PST 2003
>Last-Modified:  Fri Jan 10 06:25:31 PST 2003
>Originator:     David P. Discher
>Release:        FreeBSD 4.4
>Organization:
>Environment:
FreeBSD seven.dpdtech.com 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Thu Jan 17 12:23:54 CST 2002     root@seven.dpdtech.com:/build/src/sys/compile/borg_fbsd44_20020117a  i386

>Description:
I found this a while back: in the /etc/rc.network file, the path to ssh-keygen is hardcoded to /usr/bin/ssh-keygen. This causes problems when trying to upgrade to new versions of OpenSSH from the ports collection. This seems to be a slight oversight.

It might not be needed to change these files, but given that $sshd_program can be configured to a different location/version, one can't point to the correct version of the keygen program.
>How-To-Repeat:
Installing OpenSSH from the ports collection.
>Fix:
1. Create a port that installs into the base system (probably not the best solution).
2. Change the rc.conf $sshd_program to $sshd_prefix. Then change /etc/rc and rc.network to use $sshd_prefix/sbin/sshd and $sshd_path/bin/ssh-keygen or similar.

3. The ports collection should start the new versions of OpenSSH from /usr/local/etc/rc.d/ instead of /etc/rc (but this does not seem to be currently done).

>Release-Note:
>Audit-Trail:

From: Mike Makonnen <mike_makonnen@yahoo.com>
To: "David P. Discher" <dpd@dpdtech.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: misc/34003: Hardcoded path for ssh-keygen in /etc/rc.network
Date: Thu, 17 Jan 2002 20:27:55 -0800

 On Thu, 17 Jan 2002 11:37:44 -0800 (PST)
 "David P. Discher" <dpd@dpdtech.com> wrote:
 
 > >Environment:
 > FreeBSD seven.dpdtech.com 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Thu Jan
 > 17 12:23:54 CST 2002
 > root@seven.dpdtech.com:/build/src/sys/compile/borg_fbsd44_20020117a
 > i386
 > 
 > >Description:
 > I found this awhile back, in the /etc/rc.network file, the path to
 > ssh-keygen is hardcoded to /usr/bin/ssh-keygen.  This causes problems
 > when trying to upgrade to new versions of OpenSSH from the ports
 > collection.   This seems to be a slight oversight.
 > 
 snip..
 > 2.  Change the rc.conf  $sshd_program, to $sshd_prefix.  Then change
 > /etc/rc and rc.network to use $sshd_prefix/sbin/sshd and
 > $sshd_path/bin/ssh-keygen  or similar.
 
 I think the best way to handle this is with a separate
 $ssh_keygen_program line. If you're going to do it, might as well go all
 the way. Since you are using 4.4 Release I have included a diff against
 that release, and in case someone thinks this is worthy of committing,
 I've also included a patch against -current (the delta between -4.x and
 -current is too big for only one set of diffs).
 
 David, please note that you will have to override the value of
 ssh_keygen_program in your local /etc/rc.conf.
 
 
 cheers,
 mike makonnen
 
 4.4-RELEASE:
 Index: etc/rc.network
 ===================================================================
 RCS file: /home/ncvs/src/etc/rc.network,v
 retrieving revision 1.74.2.23
 diff -u -r1.74.2.23 rc.network
 --- etc/rc.network	17 Aug 2001 07:26:38 -0000	1.74.2.23
 +++ etc/rc.network	18 Jan 2002 03:54:49 -0000
 @@ -744,11 +744,13 @@
  	[Yy][Ee][Ss])
  		if [ ! -f /etc/ssh/ssh_host_key ]; then
  			echo ' creating ssh RSA host key';
 -			/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
 +			${ssh_keygen_program:-/usr/bin/ssh-keygen} -N "" \
 +						-f /etc/ssh/ssh_host_key
  		fi
  		if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
  			echo ' creating ssh DSA host key';
 -			/usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key
 +			${ssh_keygen_program:-/usr/bin/ssh-keygen} -d -N "" \
 +						-f /etc/ssh/ssh_host_dsa_key
  		fi
  		;;
  	esac
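 Review bot: the new expansion `${ssh_keygen_program:-/usr/bin/ssh-keygen}` runs whatever path the administrator configured, as root at boot, with no check that it exists and is executable; if the knob points at a ports binary that is not installed (the very case this report is about), the only result is an error on the console and the rest of rc.network carries on without a host key having been created. Guard each call with something like `if [ -x "${ssh_keygen_program}" ]; then`, print a warning in the else branch, and quote the expansion so a path containing whitespace is not word-split.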
 Index: etc/defaults/rc.conf
 ===================================================================
 RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
 retrieving revision 1.53.2.39.2.1
 diff -u -r1.53.2.39.2.1 rc.conf
 --- etc/defaults/rc.conf	14 Sep 2001 17:32:25 -0000	1.53.2.39.2.1
 +++ etc/defaults/rc.conf	18 Jan 2002 03:53:09 -0000
 @@ -165,6 +165,7 @@
  sshd_enable="NO"                # Enable sshd
  sshd_program="/usr/sbin/sshd"	# path to sshd, if you want a different
 one.
  sshd_flags=""                   # Additional flags for sshd.
 +ssh_keygen_program="/usr/bin/ssh-keygen"	# path to ssh-keygen
  
  ### Network Time Services options: ###
  timed_enable="NO"		# Run the time daemon (or NO).
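 Review bot: the new knob is named `ssh_keygen_program` while every neighbouring sshd setting (`sshd_enable`, `sshd_program`, `sshd_flags`) carries the `sshd_` prefix, and the diff touches only rc.network and defaults/rc.conf, so the variable would be documented by nothing but its trailing comment; either rename it `sshd_keygen_program` for consistency or add the rc.conf(5) manual page change alongside. Also, the context line `sshd_program="/usr/sbin/sshd"	# path to sshd, if you want a different` has been wrapped onto a separate `one.` line by the mailer, so patch(1) will reject this hunk as pasted; send the diffs as an attachment.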
 
 
 CURRENT:
 Index: rc.network
 ===================================================================
 RCS file: /home/ncvs/src/etc/rc.network,v
 retrieving revision 1.119
 diff -u -r1.119 rc.network
 --- rc.network	13 Dec 2001 04:21:18 -0000	1.119
 +++ rc.network	18 Jan 2002 03:24:28 -0000
 @@ -829,11 +829,13 @@
  	[Yy][Ee][Ss])
  		if [ ! -f /etc/ssh/ssh_host_key ]; then
  			echo ' creating ssh RSA host key';
 -			/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
 +			${ssh_keygen_program:-/usr/bin/ssh-keygen} -N "" \
 +						-f /etc/ssh/ssh_host_key
  		fi
  		if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
  			echo ' creating ssh DSA host key';
 -			/usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key
 +			${ssh_keygen_program:-/usr/bin/ssh-keygen} -d -N "" \
 +						-f /etc/ssh/ssh_host_dsa_key
  		fi
  		;;
  	esac
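 Review bot: both key files remain hardcoded as /etc/ssh/ssh_host_key and /etc/ssh/ssh_host_dsa_key, so a ports-installed ssh-keygen selected through `ssh_keygen_program` still writes into the base system's directory; if the goal stated in the report is to run a different OpenSSH location/version, the key directory needs the same treatment, otherwise the host keys generated here may not be the ones the alternate sshd reads. Note also that this -current hunk is identical to the 4.4-RELEASE one apart from the offsets, so both patches must be kept in step if either is revised.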
 Index: defaults/rc.conf
 ===================================================================
 RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
 retrieving revision 1.136
 diff -u -r1.136 rc.conf
 --- defaults/rc.conf	29 Dec 2001 19:42:54 -0000	1.136
 +++ defaults/rc.conf	18 Jan 2002 03:11:09 -0000
 @@ -155,6 +155,7 @@
  sshd_enable="NO"		# Enable sshd
  sshd_program="/usr/sbin/sshd"	# path to sshd, if you want a different
 one.
  sshd_flags=""			# Additional flags for sshd.
 +ssh_keygen_program="/usr/bin/ssh-keygen"	# path to ssh-keygen
  
  ### Network daemon (NFS) Need all portmap_enable="YES" ###
  amd_enable="NO"			# Run amd service with $amd_flags (or NO).
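 As an added example that is not part of the PR or of FreeBSD's rc.network: a POSIX sh host-key step that honours an rc.conf-style `ssh_keygen_program` knob but, unlike the hunks above, validates the configured program before running it and makes the key directory configurable through a hypothetical `ssh_keydir` knob.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's rc.network.
# Generates the two SSH host keys the way the rc.network hunk does (empty
# passphrase, only when the file is missing), but only after checking that
# the configured ssh-keygen is an absolute, executable path.
# ssh_keygen_program mirrors the PR's knob; ssh_keydir is a hypothetical
# extra knob so a differently installed OpenSSH can use its own directory.

ssh_keygen_program="${ssh_keygen_program:-/usr/bin/ssh-keygen}"
ssh_keydir="${ssh_keydir:-/etc/ssh}"

# check_keygen PROGRAM: succeed only for an absolute path to an executable
# regular file, so a misconfigured knob cannot run something from $PATH or
# a relative location as root during boot.
check_keygen() {
    case "$1" in
        /*) ;;
        *)  echo "ssh_keygen_program is not an absolute path: $1" >&2
            return 1 ;;
    esac
    if [ ! -f "$1" ] || [ ! -x "$1" ]; then
        echo "ssh_keygen_program is not executable: $1" >&2
        return 1
    fi
}

# make_host_key KEYFILE [KEYGEN-FLAGS...]: create KEYFILE if it is missing.
# Returns non-zero when the key could not be created, instead of letting
# the boot script continue silently.
make_host_key() {
    keyfile="$1"; shift
    [ -f "$keyfile" ] && return 0
    check_keygen "$ssh_keygen_program" || return 1
    echo " creating ssh host key $keyfile"
    "$ssh_keygen_program" "$@" -N "" -f "$keyfile"
}

# generate_host_keys: the RSA1 key, then the DSA key (-d is the old
# OpenSSH spelling used in the hunk; newer releases take -t dsa).
generate_host_keys() {
    make_host_key "$ssh_keydir/ssh_host_key" &&
        make_host_key "$ssh_keydir/ssh_host_dsa_key" -d
}
```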
Responsible-Changed-From-To: freebsd-bugs->mtm 
Responsible-Changed-By: mtm 
Responsible-Changed-When: Wed Jan 8 02:58:39 PST 2003 
Responsible-Changed-Why:  
I wrote a follow up. I'll take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34003 

From: Mike Makonnen <mtm@identd.net>
To: "David P. Discher" <dpd@dpdtech.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: misc/34003: Hardcoded path for ssh-keygen in /etc/rc.network
Date: Wed, 8 Jan 2003 06:18:02 -0500

 I've looked into this some more. It looks like your original reason for
 submitting this report no longer holds. The ports ssh
 (/usr/ports/security/openssh and /usr/ports/security/openssh-portable) contain
 scripts to start and shut them down. You should therefore disable sshd in
 the base system by specifying sshd_enable=no in rc.conf and run the ports
 sshd through the supplied /usr/local/etc/rc.d script.
 Can I close this problem report?
 
 Cheers.
 -- 
 Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
 mtm@identd.net | Fingerprint: D228 1A6F C64E 120A A1C9  A3AA DAE1 E2AF DBCC 68B9
 
State-Changed-From-To: open->feedback 
State-Changed-By: mtm 
State-Changed-When: Wed Jan 8 03:56:33 PST 2003 
State-Changed-Why:  
This shouldn't be an issue any more. I'm waiting 
on the originator to confirm it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34003 
State-Changed-From-To: feedback->closed 
State-Changed-By: mtm 
State-Changed-When: Fri Jan 10 06:23:57 PST 2003 
State-Changed-Why:  
Originator agrees original conditions no longer hold. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34003 
>Unformatted:
