Commit 153ae24b authored by Daiki Ueno's avatar Daiki Ueno

ssh-agent: Propagate stderr to journal when spawning ssh-add

ssh-add fails on certain occasions, such as when the file permissions
of the private key are not safe.  To help diagnostics, propagate the
stderr output from the command to the journal.

As the ssh commands send error message with trailing CR for each line,
we need to scrub it so as not to confuse journald.

https://bugzilla.gnome.org/show_bug.cgi?id=794361
parent ff561a38
......@@ -228,6 +228,7 @@ ensure_key (GkdSshAgentService *self,
const gchar *label;
GHashTable *fields;
GTlsInteraction *interaction;
gchar *standard_error;
gchar *argv[] = {
SSH_ADD,
......@@ -256,14 +257,15 @@ ensure_key (GkdSshAgentService *self,
g_object_unref (interaction);
if (!g_spawn_sync (NULL, argv, NULL,
G_SPAWN_STDOUT_TO_DEV_NULL | G_SPAWN_STDERR_TO_DEV_NULL,
G_SPAWN_STDOUT_TO_DEV_NULL,
gcr_ssh_askpass_child_setup, askpass,
NULL, NULL, &status, &error)) {
NULL, &standard_error, &status, &error)) {
g_warning ("couldn't run %s: %s", argv[0], error->message);
g_error_free (error);
} else if (!g_spawn_check_exit_status (status, &error)) {
g_message ("the %s command failed: %s", argv[0], error->message);
g_error_free (error);
g_printerr ("%s", _gkd_ssh_agent_canon_error (standard_error));
g_free (standard_error);
} else {
add_key (self, key);
}
......
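Review bot: `standard_error` leaks on the success path: once `G_SPAWN_STDERR_TO_DEV_NULL` is dropped and `&standard_error` is passed, `g_spawn_sync` hands back a heap-allocated string whenever it returns TRUE, but the new `g_free (standard_error)` sits only in the `else if` branch, so the `add_key (self, key)` branch never releases it. Since `g_spawn_sync` documents that nothing is returned in `standard_error` when it fails (it is left NULL, as far as I can tell from GLib), the free can simply be unconditional: drop the `g_free (standard_error);` from the `else if` branch and add `g_free (standard_error);` after the closing brace of the if/else chain. It would also be worth a one-line comment above the spawn call, e.g. `/* capture stderr so ssh-add's diagnostics reach the journal on failure */`, since the reason for capturing stderr only to print it on the failure path is not obvious from the code. `ensure_key` starts and ends outside this hunk.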
......@@ -161,3 +161,19 @@ _gkd_ssh_agent_parse_public_key (GBytes *input,
return g_bytes_new_take (decoded, n_decoded);
}
gchar *
_gkd_ssh_agent_canon_error (gchar *str)
{
gchar *start = str;
gchar *end = str + strlen (str) + 1;
for (;;) {
start = strchr (start, '\r');
if (!start)
break;
memmove (start, start + 1, end - (start + 1));
}
return str;
}
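Review bot: The loop in `_gkd_ssh_agent_canon_error` does a `memmove` of the whole remaining string for every `'\r'` it finds, which is quadratic in the length of the message when every line ends in CR (the exact case this function is for), and the function has no guard against `str` being NULL before `strlen`. A single forward pass with a read and a write pointer removes all carriage returns in O(n), keeps the in-place/return-same-pointer contract the test relies on, and is easier to see as correct than the `end - (start + 1)` length arithmetic. A short header comment stating that the string is modified in place, every CR is removed, and the same pointer is returned would also help readers, since the header declares the function without any documentation.
```c
gchar *
_gkd_ssh_agent_canon_error (gchar *str)
{
	gchar *src, *dst;

	g_return_val_if_fail (str != NULL, NULL);

	/* Compact in place: copy every byte except '\r' down to dst. */
	for (src = dst = str; *src != '\0'; src++) {
		if (*src != '\r')
			*dst++ = *src;
	}
	*dst = '\0';

	return str;
}
```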
......@@ -39,5 +39,6 @@ gboolean _gkd_ssh_agent_write_packet (GSocketConnection *connection,
GBytes *_gkd_ssh_agent_parse_public_key (GBytes *input,
gchar **comment);
gchar *_gkd_ssh_agent_canon_error (gchar *str);
#endif /* __GKD_SSH_AGENT_UTIL_H__ */
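Review bot: The new prototype `gchar *_gkd_ssh_agent_canon_error (gchar *str);` gives the caller no hint that the function edits its argument in place and returns that same pointer rather than a new allocation, which matters for deciding who frees it. A comment above the declaration, e.g. `/* Strips every '\r' from str in place and returns str (no allocation). */`, would document the ownership contract where callers look for it.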
......@@ -73,12 +73,41 @@ test_parse_public (void)
}
}
static void
test_canon_error (void)
{
static const gchar input[] =
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n"
"@ WARNING: UNPROTECTED PRIVATE KEY FILE! @\r\n"
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
"Permissions 0620 for '/home/foo/.ssh/id_rsa' are too open.\r\n"
"It is required that your private key files are NOT accessible by others.\r\n"
"This private key will be ignored.\r\n";
static const gchar expected[] =
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
"@ WARNING: UNPROTECTED PRIVATE KEY FILE! @\n"
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
"Permissions 0620 for '/home/foo/.ssh/id_rsa' are too open.\n"
"It is required that your private key files are NOT accessible by others.\n"
"This private key will be ignored.\n";
gchar *p, *output;
p = g_strdup (input);
output = _gkd_ssh_agent_canon_error (p);
g_assert (output == p);
g_assert_cmpstr (expected, ==, output);
g_free (p);
}
int
main (int argc, char **argv)
{
g_test_init (&argc, &argv, NULL);
g_test_add_func ("/ssh-agent/util/parse_public", test_parse_public);
g_test_add_func ("/ssh-agent/util/canon_error", test_canon_error);
return g_test_run ();
}
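Review bot: `test_canon_error` uses `g_assert (output == p)`, which is compiled out under `G_DISABLE_ASSERT`; in GLib tests the pointer check should be `g_assert_true (output == p);` so it cannot silently disappear. The fixture also only covers the mixed CR/LF case; the edge cases a reader would want pinned are an empty string and input without any CR, e.g. `p = g_strdup (""); g_assert_cmpstr ("", ==, _gkd_ssh_agent_canon_error (p)); g_free (p);` and the same shape with a plain `"a\nb\n"` expected unchanged.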