[Bug 3726] New: `Include` in a file included in a Host-block
    bugzilla-daemon at mindrot.org
    Sat Aug 31 13:33:03 AEST 2024

https://bugzilla.mindrot.org/show_bug.cgi?id=3726
            Bug ID: 3726
           Summary: `Include` in a file included in a Host-block
           Product: Portable OpenSSH
           Version: 9.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.org
Hey.

I've recently stumbled over the systemd-ssh-generator feature and its
friend /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf which is per
default Included in many ssh_configs.

Not so in mine, where I only explicitly include files and not glob
patterns from the /etc/ssh/sshd?_config.d directories.

So I've added a manual Include
/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf in my .ssh/config

And whether that worked depended upon whether I included it either in the
very top of the file (which I assume is as it's in a Host * block) or
in an explicit Host * block.
If I included it "in" another block it didn't work.

Now that's in principle documented in ssh_config(5) in the Include
directive, but what's not mentioned there and IMO ambiguous is:
What if the included file (here
/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf) contains itself a Host
block?

It does *not* seem - as one would expect - that these actually start a
new Host block, but instead they seem to be accounted for the one in
which the file is included.

Either that's a bug, or there should IMO at least be some warning, that
the whole (included) block will be ignored, or it should be documented
that there are "sub" Host blocks (which I think there are not).

Cheers,
Chris.

btw. 20-systemd-ssh-proxy.conf:
Host unix/* vsock/*
        ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
        ProxyUseFdpass yes
        CheckHostIP no
        # Disable all kinds of host identity checks, since these addresses are generally ephemeral.
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
# Allow connecting to the local host directly via ".host"
Host .host
        ProxyCommand /usr/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
        ProxyUseFdpass yes
        CheckHostIP no
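
An added example, not part of the bug report: a shell check that asks `ssh -G` which `UserKnownHostsFile` is in effect when a file with its own `Host` block is included at the top of a config versus from inside a `Host` block that does not match the target. The function name `effective_known_hosts`, the temporary files and the host names `example.test` and `unix/demo` are constructed for the demonstration; it assumes an OpenSSH client on PATH.

```shell
# Constructed demo: nothing here touches ~/.ssh or /etc/ssh.
# $1 = "top"    -> Include placed before any Host line
#      "nested" -> Include placed inside "Host example.test"
# $2 = host name to evaluate the configuration for
effective_known_hosts() (
    umask 077                      # ssh rejects group/world-writable configs
    dir=$(mktemp -d) || exit 1

    # Reduced copy of the included file: only the host-key related option.
    cat > "$dir/inc.conf" <<'EOF'
Host unix/* vsock/*
    UserKnownHostsFile /dev/null
EOF

    if [ "$1" = top ]; then
        printf 'Include %s/inc.conf\n' "$dir"
    else
        printf 'Host example.test\n    Include %s/inc.conf\n' "$dir"
    fi > "$dir/config"

    # -G prints the options ssh would use for $2 and exits without connecting;
    # -F makes it read only our constructed file.
    ssh -G -F "$dir/config" "$2" 2>/dev/null |
        awk '$1 == "userknownhostsfile" { sub(/^[^ ]+ /, ""); print }'

    rm -rf "$dir"
)

# Compare the two placements for a host that matches "unix/*".
for mode in top nested; do
    printf '%-6s -> %s\n' "$mode" "$(effective_known_hosts "$mode" unix/demo)"
done
```

Running the same `ssh -G <host>` query against a real configuration shows whether options such as `StrictHostKeyChecking no` from an included file actually apply to a given host.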