  1. RHEL
  2. RHEL-93957

[RfE] Please make it possible to opt out from the new ssh help message (RHEL 9.6)


    • openssh-9.9p1-11.el10
    • Low
    • 1
    • rhel-security-crypto
    • ssg_security
    • 26
    • 1
    • False
    • False
    • Yes
    • Crypto25July
    • AC: help message is updated and is shown when debug1 level or higher is used
    • Pass
    • Not Needed
    • Automated
    • Bug Fix
    • .SSH connection fail no longer displays verbose help message

      Before this update, when SSH connection failed, a message with common SSH errors and a link to Red Hat help was displayed. As a consequence, the help message in the error output broke user scripts and automation. With this update, the help message displays only when SSH is run with log level `debug1` or higher. As a result, the error output does not include any unexpected messages by default.
    • Done
    • Done
    • Done
    • Unspecified
    • All
    • None

       

      On RHEL 9.6 ssh now prints this:

       

       

      $  ssh localhost -p 12345
      ssh: connect to host localhost port 12345: Connection refused
      You can find some explanations for typical errors at this link:
                  https://red.ht/support_rhel_ssh
      

       

      First of all, I think the text could be improved to look more serious:

       

      The link below provides guidance on resolving common SSH errors:
                  https://red.ht/support_rhel_ssh

       

       

      Second, there is no possibility to 'opt-out' of the message - a divergence from 30 years of ssh.

       

      I am therefore submitting this updated patch to work around the problem:

       

       

      [root@rh9x64 ~]# ssh localhost -p 12345
      ssh: connect to host localhost port 12345: Connection refused
      The link below provides guidance on resolving common SSH errors:
                  https://red.ht/support_rhel_ssh
      [root@rh9x64 ~]# touch /etc/ssh/advanced_ssh_users
      [root@rh9x64 ~]# ssh localhost -p 12345
      ssh: connect to host localhost port 12345: Connection refused
      

       

      patch:

       

      // openssh-8.7p1-redhat-help.patch 
      diff -rNu openssh-8.7p1.orig/ssh.c openssh-8.7p1/ssh.c
      --- openssh-8.7p1.orig/ssh.c    2025-05-28 06:48:37.448998092 -0400
      +++ openssh-8.7p1/ssh.c 2025-05-28 07:50:19.498156177 -0400
      @@ -175,6 +175,20 @@
       extern u_int muxclient_command;
       
       /* Prints a help message to the user.  This function never returns. */
      +static void
      +redhat_usage(void)
      +{
      +       if(isatty(fileno(stderr))) {
      +               if (access("/etc/ssh/advanced_ssh_users", F_OK) == 0) {
      +                       return;
      +               } else {
      +                       fprintf(stderr,
      +"\nThe link below provides guidance on resolving common SSH errors:\n"
      +"          https://red.ht/support_rhel_ssh\n"
      +                       );
      +               }
      +       }
      +}
       
       static void
       usage(void)
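      Review bot: redhat_usage() is inserted between the existing comment "Prints a help message to the user.  This function never returns." and usage(), so that comment now sits on the wrong function (redhat_usage() does return). Move the new function above the comment and give it its own one-line description. The opt-out test, access("/etc/ssh/advanced_ssh_users", F_OK), checks one fixed path under /etc/ssh, so it turns the message off for every user of the host at once and offers no per-user or per-invocation choice; a client configuration option would fit the request better than a marker file. Style: the if/return/else can be reduced to a single negated condition, and "if(" should be "if (" to match the surrounding code.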
      @@ -188,6 +202,7 @@
       "           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
       "           [-w local_tun[:remote_tun]] destination [command]\n"
              );
      +       redhat_usage();
              exit(255);
       }
       
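      Review bot: the redhat_usage() call added to usage() prints the support link after every command-line usage error, which is outside the connection-failure case this request is about, and because the string starts with "\n" it also puts a blank line after the synopsis. Drop this call unless the link is meant to appear on option errors too, and state that in the patch description if it is.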
      @@ -1609,8 +1624,10 @@
              /* Open a connection to the remote host. */
              if (ssh_connect(ssh, host, host_arg, addrs, &hostaddr, options.port,
                  options.connection_attempts,
      -           &timeout_ms, options.tcp_keep_alive) != 0)
      +           &timeout_ms, options.tcp_keep_alive) != 0) {
      +               redhat_usage();
                      exit(255);
      +       }
       
              if (addrs != NULL)
                      freeaddrinfo(addrs);
       
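      Review bot: in the ssh_connect() failure branch, redhat_usage() is called without looking at the requested verbosity, so the extra lines are still written to stderr for a quiet invocation whenever stderr is a terminal and the marker file is absent. Gate the call on the client log level (the acceptance criterion on this page asks for debug1 or higher) instead of relying only on isatty() and the marker file, so the default error output stays a single line that scripts can match.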

       

       

              zfridric Zoltan Fridrich
              vcojot@redhat.com Vincent Cojot
              Thorsten Scherf
              Zoltan Fridrich
              Miluse Bezo Konecna
              Zuzana Fantini Zoubkova
              Votes: 19
              Watchers: 38