[Bug 3122] New: New Include functionality does not work as documented

bugzilla-daemon at bugzilla.mindrot.org
Tue Feb 18 21:46:12 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3122

            Bug ID: 3122
           Summary: New Include functionality does not work as documented
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: grazzolini at archlinux.org

I have been trying to use the new Include functionality to expand an
sshd configuration in order to add a snippet of config that matches
a user and uses a custom AuthorizedKeysCommand to validate the ssh keys.

If I use the include functionality like this:

Include /etc/ssh/ssh.d/*

And in the /etc/ssh/ssh.d directory I have a config file like this:

Match User <user>
    PasswordAuthentication no
    AuthorizedKeysCommand <command> "%t" "%k"
    AuthorizedKeysCommandUser <user>
    AcceptEnv <some var>

It doesn't work. sshd -t tells me the syntax is valid and, when I run
sshd with -ddd, I see the file getting parsed and loaded, but when
trying to log in it operates as if the AuthorizedKeysCommand isn't
there.

On the other hand, if I do something like this:

Match User <user>
    Include /etc/ssh/ssh.d/*

And in the /etc/ssh/ssh.d directory I have a config file like this:

PasswordAuthentication no
AuthorizedKeysCommand <command> "%t" "%k"
AuthorizedKeysCommandUser <user>
AcceptEnv <some var>

It does work.

It also works if I do something like dropping the Match from the main
config file:

Include /etc/ssh/ssh.d/*

Which leads me to conclude that the usage of Match in an included
configuration file does not work.


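The report above notes that sshd -t accepts the included file while its directives are not applied at login. The following is an added example, not part of the report or of OpenSSH: it checks that per-user directives appear in the effective configuration that `sshd -T -C user=...` prints for that user. The function names, the `keycheck` values in the usage note and the default config path are assumptions, and the report does not say whether this dump reflects the behaviour it describes for 8.2p1.

```shell
#!/bin/sh
# Added example: verify that directives expected for a user are present in
# sshd's effective configuration, rather than only syntactically valid.

# missing_directives EXPECTED
# stdin:    output in `sshd -T` format, one "keyword value" per line with
#           the keyword in lower case.
# EXPECTED: newline-separated "Keyword value" lines as written in sshd_config.
# Prints every expected directive that is absent from the dump.
missing_directives() {
    dump=$(cat)
    printf '%s\n' "$1" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        # sshd -T prints keywords in lower case; values are compared verbatim.
        key=$(printf '%s\n' "$want" | cut -d' ' -f1 | tr 'A-Z' 'a-z')
        val=$(printf '%s\n' "$want" | cut -s -d' ' -f2-)
        printf '%s\n' "$dump" | grep -qxF -- "$key $val" \
            || printf '%s\n' "$key $val"
    done
}

# check_user USER EXPECTED [CONFIG]
# Dumps the configuration sshd would apply to USER after evaluating Match
# blocks, then reports the expected directives that are not in effect.
# Returns 0 if all are present, 1 if any is missing, 2 if sshd -T failed.
check_user() {
    cfg=${3:-/etc/ssh/sshd_config}   # assumed default path
    dump=$(sshd -T -C "user=$1" -f "$cfg") || return 2
    missing=$(printf '%s\n' "$dump" | missing_directives "$2")
    [ -z "$missing" ] && return 0
    printf 'not in effect for user %s:\n%s\n' "$1" "$missing" >&2
    return 1
}
```

Typical use, run as root with constructed values: `check_user alice 'PasswordAuthentication no
AuthorizedKeysCommandUser keycheck'`. Run it once per configuration layout (Match inside the included file, Include inside the Match block) and compare the results.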
