#1843 Add exit value section to sss_ssh_* man pages
Closed: Fixed None Opened 6 years ago by rcritten.

The sss_ssh_* commands return non-zero on error but these values are not documented. In fact, it is not documented that it would ever return a non-zero value.

I managed to somehow get sssd into a state where it couldn't communicate with the IPA backend. This caused connections from remote machines to error out. I saw this on my server secure log:

    Mar 18 15:08:55 rawhide2 sshd[19335]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1

Sure enough, running this from a command line returned the same error:

    # sss_ssh_authorizedkeys admin
    Error looking up public keys
    # echo $?
    1

I'm guessing it was a conscious choice to deny access on lookup failure to prevent a DoS against the key server. It would be nice to include this as well, if true.

sssd-1.9.3-1.fc18.x86_64
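
A log check for the failure mode reported in this ticket, as an added example that is not part of the ticket or of SSSD: it scans sshd log lines for the `AuthorizedKeysCommand ... returned status N` message and counts failures per host, command and exit status. Only the message format quoted above is matched; the sample lines other than the ticket's own are constructed.

```python
import re
from collections import Counter

# Matches only the sshd message format quoted in the ticket (assumption:
# other sshd versions may word this error differently).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"error: AuthorizedKeysCommand (?P<cmd>\S+) returned status (?P<status>\d+)$"
)

# First line is the one from the ticket; the other two are constructed.
SAMPLE_LOG = [
    "Mar 18 15:08:55 rawhide2 sshd[19335]: error: AuthorizedKeysCommand "
    "/usr/bin/sss_ssh_authorizedkeys returned status 1",
    "Mar 18 15:09:02 rawhide2 sshd[19340]: Accepted publickey for admin "
    "from 192.0.2.10 port 51234 ssh2",
    "Mar 18 15:09:41 rawhide2 sshd[19402]: error: AuthorizedKeysCommand "
    "/usr/bin/sss_ssh_authorizedkeys returned status 1",
]


def find_failures(lines):
    """Return one dict per AuthorizedKeysCommand failure line."""
    failures = []
    for line in lines:
        match = FAIL_RE.match(line.strip())
        if match:
            record = match.groupdict()
            record["status"] = int(record["status"])
            failures.append(record)
    return failures


def summarize(lines):
    """Count failures per (host, command, exit status)."""
    return Counter(
        (f["host"], f["cmd"], f["status"]) for f in find_failures(lines)
    )


if __name__ == "__main__":
    for (host, cmd, status), count in summarize(SAMPLE_LOG).items():
        print(f"{host}: {cmd} exited {status} on {count} login attempt(s)")
```

A repeated non-zero status from the key lookup helper on one host points at a backend lookup problem rather than a bad key for a single user, which is the situation the ticket describes.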


Any error that would trigger a message to stderr might also trigger a sss_log() call; this would be more friendly to the admin than just "returned status 1".

Fields changed

owner: somebody => jcholast

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0

Fields changed

patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

This was actually fixed in the Beta.

milestone: SSSD 1.10.0 => SSSD 1.10 beta

Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: SSSD 1.10 beta

2 years ago
