[Bug 2653] New: Including files without read access in ssh configuration fails without error

bugzilla-daemon at bugzilla.mindrot.org
Tue Dec 27 09:41:30 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2653

            Bug ID: 2653
           Summary: Including files without read access in ssh
                    configuration fails without error
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2920
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2920&action=edit
proposed patch

When one is using the Include directive in ssh_config and the file is not
readable by the user running ssh, it fails without a reasonable error
message:

    /etc/ssh/ssh_config: terminating, 1 bad configuration options

It is pretty hard to get, especially when the include works on the
whole drop-in directory, such as:

    Include /etc/ssh/ssh_config.d/*.conf

Only log level DEBUG3 shows some pointer to where it comes from.

    debug3: /etc/ssh/ssh_config line 56: Including file /etc/ssh/ssh_config.d/10-kex.conf depth 0
    /etc/ssh/ssh_config: terminating, 1 bad configuration options

We already ignore failures if the included file does not exist. If it
exists and we don't have permissions to read it, we should either get
a better error or ignore it too (as we already do in the case of standard
configuration files).

This is not a problem when reading the configuration files directly,
because the return value of the call to read_config_file() is ignored
in ssh.c (honored only in the case of the -F switch).

A possible solution to this issue, reporting the read error but
ignoring it for the included files, is to introduce a new flag (see the
attached patch, which fixes the problem for me).

This was originally reported in Red Hat Bugzilla [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1408558

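One way to locate the offending file without raising the log level to DEBUG3, as an added example that is not part of the original report or the attached patch: the function check_includes (a hypothetical name) expands each Include pattern in a configuration file and reports included files that exist but are not readable by the current user. It assumes relative patterns resolve against the directory passed as the second argument.

```shell
# Added example, not OpenSSH code. check_includes is a hypothetical helper.
# Usage: check_includes /etc/ssh/ssh_config /etc/ssh
#        check_includes ~/.ssh/config ~/.ssh
# Prints one line per included file: OK, UNREADABLE or MISSING.
# Returns 1 if any included file exists but cannot be read by this user.
# Limitation: paths containing whitespace are not handled.
check_includes() {
    cfg=$1
    base=${2:-/etc/ssh}   # assumed base directory for relative patterns
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # Arguments of every Include line; the keyword is case-insensitive and
    # may be followed by whitespace and/or '='.
    patterns=$(sed -n \
        's/^[[:space:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:space:]=]\{1,\}//p' "$cfg")
    set -f                          # split into words without globbing yet
    for pat in $patterns; do
        case $pat in
            /*)    ;;                               # absolute path
            "~/"*) pat=$HOME/${pat#"~/"} ;;         # home-relative path
            *)     pat=$base/$pat ;;                # relative to base dir
        esac
        set +f; set -- $pat; set -f # expand wildcards for this pattern only
        for f in "$@"; do
            if [ ! -e "$f" ]; then
                echo "MISSING $f"     # per the report, ssh ignores this case
            elif [ -r "$f" ]; then
                echo "OK $f"
            else
                echo "UNREADABLE $f"  # the silent failure from this report
                rc=1
            fi
        done
    done
    set +f
    return "$rc"
}
```

Run it as the same user that runs ssh, since readability depends on that user's permissions.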