SSH: sss_ssh_knownhost must succeed if the backend is stopped

sss_ssh_knownhosts requires that SSSD's 'ssh' service is launched to work properly. But if it is not launched or it is anyhow stopped, the tool MUST NOT fail and let the ssh client continue its job. :fixes: If the ssh backend is not running, sss_ssh_knownhosts will not fail (but it will not return the keys).
SSSD · Jan 6, 2025 · ae88b7d · ae88b7d
1 parent ae6a0ff
commit ae88b7d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/src/man/sss_ssh_knownhosts.1.xml b/src/man/sss_ssh_knownhosts.1.xml
@@ -50,6 +50,9 @@
             <refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum>
             </citerefentry> man page for more details about this option.
         </para>
+        <para>
+            This tool requires that SSSD's ssh service is enabled to work properly.
+        </para>
     </refsect1>
 
     <refsect1 id='options'>
@@ -112,8 +115,9 @@
     <refsect1 id='exit_status'>
         <title>EXIT STATUS</title>
         <para>
-            In case of successful execution, even if no key was found, 0 is
-            returned. 1 is returned in case of error.
+            In case of successful execution, even if no key was found or the ssh
+            backend could not be contacted, 0 is returned. 1 is returned in case
+            of error.
         </para>
     </refsect1>
 

diff --git a/src/sss_client/ssh/sss_ssh_knownhosts.c b/src/sss_client/ssh/sss_ssh_knownhosts.c
@@ -142,6 +142,11 @@ static errno_t known_hosts(TALLOC_CTX *mem_ctx, const char *domain,
         DEBUG(SSSDBG_FUNC_DATA,
               "sss_ssh_get_ent() found no entry\n");
         goto done;
+    } else if (ret == ECONNREFUSED) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Unable to connect to the 'ssh' backend. "
+              "Is SSSD's 'ssh' service enabled?\n");
+        goto done;
     } else if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               "sss_ssh_get_ent() failed (%d): %s\n", ret, sss_strerror(ret));
@@ -242,8 +247,9 @@ int main(int argc, const char **argv)
     res = known_hosts(mem_ctx, pc_domain, pc_host, pc_only_host_name);
     if (res != EOK) {
         /* On a successful execution, even if no key was found,
-         * ssh expects EXIT_SUCCESS. */
-        ret = (res == ENOENT ? EXIT_SUCCESS : EXIT_FAILURE);
+         * ssh expects EXIT_SUCCESS.
+         * Do not return an error if the ssh service if not running.*/
+        ret = (res == ENOENT || res == ECONNREFUSED ? EXIT_SUCCESS : EXIT_FAILURE);
         goto fini;
     }