[Bug 3207] New: Match blocks ignored in files processed by Include

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 1 02:53:25 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3207

            Bug ID: 3207
           Summary: Match blocks ignored in files processed by Include
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: devel at sapphirepaw.org

Setup: main config file with "Include /etc/ssh/sshd_config.d/*.conf"
line as the first active directive.  Create
/etc/ssh/sshd_config.d/test.conf with:

Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory /sftp

Now, assuming a working chroot layout (/sftp owned root:root,
/sftp/home/testuser exists, testuser is in group sftponly and their
home dir is /home/testuser), run:

sshd -C 'user=testuser' -T

The ForceCommand and ChrootDirectory are not applied, both according to
the test output, and in practice.  Note that no error is generated.

An inverted approach will chroot all users, thus proving that the
config itself is successfully being loaded:

ChrootDirectory /sftp
Match Group ssh-users
ChrootDirectory none

Observed in Ubuntu 20.04, and unmodified builds of the 8.2p1 and 8.3p1
releases.  The man page does not indicate this limitation.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
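
A check for the silent failure described in this report, as an added example that is not part of the original report or of OpenSSH: it parses a drop-in file for the directives under a given Match line and compares them with the effective settings printed by `sshd -C 'user=testuser' -T`. The function names are hypothetical, and the two `sshd -T` outputs are constructed samples (the test mode prints lowercase keywords, with `none` for unset values).

```python
def parse_match_blocks(conf_text):
    """Map each Match line's criteria to the directives that follow it."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()              # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(keyword, value)  # first obtained value wins
    return blocks

def effective_settings(sshd_t_output):
    """Parse 'keyword value' lines as printed by sshd -T."""
    settings = {}
    for line in sshd_t_output.splitlines():
        parts = line.split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            settings.setdefault(parts[0].lower(), value)
    return settings

def unapplied(conf_text, criteria, sshd_t_output):
    """Return (keyword, expected, actual) for Match directives not in effect."""
    wanted = parse_match_blocks(conf_text).get(criteria, {})
    actual = effective_settings(sshd_t_output)
    return [(k, v, actual.get(k)) for k, v in wanted.items() if actual.get(k) != v]

# The drop-in from the report (/etc/ssh/sshd_config.d/test.conf).
DROPIN = """Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory /sftp
"""
# Constructed samples of `sshd -C 'user=testuser' -T` output, not captured logs.
OUTPUT_IGNORED = "port 22\nforcecommand none\nchrootdirectory none\n"
OUTPUT_APPLIED = "port 22\nforcecommand internal-sftp\nchrootdirectory /sftp\n"

if __name__ == "__main__":
    for label, out in (("ignored", OUTPUT_IGNORED), ("applied", OUTPUT_APPLIED)):
        print(label, unapplied(DROPIN, "Group sftponly", out))
```

Because sshd raises no error when the block is ignored, a non-empty result from this comparison is the only signal that the chroot and forced command are not in effect.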

