libssh: OpenSSH config files can make curl ignore CURLOPT_SSH_KNOWNHOSTS #4972
Comments
Hello @fds242, This happens because of the order the configuration options are set. The priority order of the settings in libssh is:
The idea behind overriding the applications defaults with the global configurations is to keep the list of used algorithms up-to-date even when the application code is not frequently updated. And for the local configurations overriding the system-wide configurations is to give the user the option to easily override the system-wide defaults. The problem here is that there are options set through
That proposed new ordering sounds perfect. Would be great if it worked like that with libcurl, keeping the OpenSSH config files as a source of defaults, but still allowing the developer – and in turn, the users of that developer's software – to have the last say over settings. What's a little curious is that it already behaves like this with certain options, such as taking a Only minor observation I have is that it feels unfortunate if simply calling
Actually libssh does exactly this: if
The option to override the global default configuration file is provided as a libssh build configuration option. You can define
These configuration options were provided exactly to allow the person responsible for building libssh (normally a package maintainer) to set the defaults for the target system.
I forgot to mention that you will need libssh >= 0.9.0 to have such behaviour. I understand it is quite new to be adopted as the minimum requirement, as it was released last year. Maybe a solution would be to manually parse the configuration files for older versions, but I'm afraid there is no way to get the right system defaults for the global configuration files.
Previously, options set explicitly through command line options could be overridden by the configuration files parsed automatically when ssh_connect() was called. By calling ssh_options_parse_config() explicitly, the configuration files are parsed before setting the options, avoiding the options override. Once the configuration files are parsed, the automatic configuration parsing is not executed. Fixes curl#4972 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Thank you @ansasaki, tested & can confirm it does work as expected now! By no means an exhaustive test concerning all the options that could be affected. My original issue, overriding the known hosts file, does work now in that the curl option now gets the final say over an OpenSSH config file.
LibSSH is a little too smart and eager, which can result in highly unexpected behavior. By default, it goes ahead and follows any instructions in the default OpenSSH configuration file, ~/.ssh/config. Consider, for example, ~/.ssh/config containing this directive:

Now you can try all you want to override the known hosts file location in libcurl, it will be summarily ignored:
I posit this is rather unwelcome, unexpected behavior for the common libcurl developer, bound to cause much head-scratching as to what is going on. On the other hand, I feel reading the OpenSSH configuration files is a welcome feature for people using the command-line curl tool.
As such, I'm not entirely sure of the right solution here.
I have modified my lib/vssh/libssh.c like this:
And that gives me back ultimate control over the known hosts location, making this libcurl developer happy, while also not entirely throwing away the OpenSSH config parsing feature in all use cases.
Still, if even this much is considered too drastic, I'd recommend adding a notice to the documentation page, something along the lines of: “When curl is built with libssh, this option will be entirely ignored if overridden by a UserKnownHostsFile directive in ~/.ssh/config”
None of these strange surprises of course if curl is compiled with libssh2 instead.