[Bug 2468] Option to include external files to sshd_config

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Sep 6 01:54:06 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2468

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2706|0                           |1
        is obsolete|                            |

--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2869
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2869&action=edit
Include server side (with same semantics as client)

(In reply to Zdenek Sedlak from comment #2)
> I would propose simply pasting the lines from the config file at
> the position where the Include option is placed in the sshd_config

That was the initial idea and, if I am right, it is the way it was
initially implemented. But the client side config was implemented in
a more complex manner, such that even the Include depends on the Match
context, so implementing the server side in a different way does not
seem like a good idea.

> it would be nice to have an Includedir option like
> sudo has.

Include with GLOB expansion does the same without the additional
complexity of another option.

Reading the implementation of the client side config include, there
should certainly be some limit to the recursion and some regression
sanity test to make sure it does what it is supposed to do. Introducing
some more complexity would make it much harder to understand what is
going on there (though the debug log level is very helpful here).

(In reply to Damien Miller from comment #1)
> If inclusion operates just by pasting text in, then config_a could
> radically alter the following configuration if it includes a Match
> directive.
> 
> Similarly, config_c's application conditional on the previous Match
> succeeding?

The other possibility would be to reset the context for each include
file, but that looks even more confusing to me.

> I wish we had a brace-ful configuration language - it would make
> resolving these way simpler :/

That would be nice-to-have, but probably impossible to change now.

Attaching a new patch with regression tests, providing the same
behavior as the client side config include.

Also added a check to make sure that the Include list is not empty
(missing in the client).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
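
A simplified model of the "paste the lines in" Include semantics discussed in this message, added here as an illustration; it is not code from the attached patch or from OpenSSH. It shows a Match inside an included file changing the context of the parent's later directives, plus the recursion limit and empty-Include check the comment mentions. The file names, the `expand` helper and the `MAX_DEPTH` value are assumptions made for the example.

```python
import fnmatch

MAX_DEPTH = 16  # assumed value; the thread only says some limit should exist

# Constructed sample files, held in memory so the example runs offline.
FILES = {
    "sshd_config": [
        "PermitRootLogin no",
        "Include conf.d/*.conf",
        "PasswordAuthentication no",
    ],
    "conf.d/a.conf": ["Match User backup", "PasswordAuthentication yes"],
    "conf.d/b.conf": ["X11Forwarding no"],
    "loop.conf": ["Include loop.conf"],
    "empty.conf": ["Include"],
}

def expand(name, ctx=None, depth=0, files=FILES):
    """Flatten `name` as if included text were pasted in place.

    Returns (directives, ctx): directives are (file, active Match, line)
    tuples; ctx is the Match context still in force after the last line.
    """
    if depth > MAX_DEPTH:
        raise RecursionError(f"Include nesting deeper than {MAX_DEPTH} at {name}")
    out = []
    for line in files[name]:
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # skip blank lines and comments
        keyword = words[0].lower()
        if keyword == "include":
            if len(words) < 2:
                raise ValueError(f"{name}: Include with no file list")
            for pattern in words[1:]:
                # Glob expansion in sorted order, so results are deterministic.
                for match in sorted(fnmatch.filter(files, pattern)):
                    sub, ctx = expand(match, ctx, depth + 1, files)
                    out.extend(sub)
        elif keyword == "match":
            ctx = " ".join(words[1:])  # context persists past the end of the file
        else:
            out.append((name, ctx, line))
    return out, ctx

if __name__ == "__main__":
    for origin, match_ctx, directive in expand("sshd_config")[0]:
        print(f"{origin:15} [{match_ctx or 'global'}] {directive}")
```

In this model the parent's `PasswordAuthentication no` ends up under `Match User backup` rather than in the global section, which is the effect raised in comment #1.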

