[Bug 3841] New: Configuration parser is broken

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Jun 23 07:22:50 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3841

            Bug ID: 3841
           Summary: Configuration parser is broken
           Product: Portable OpenSSH
           Version: 10.0p2
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: insideable at gmail.com

A preceding 'Host' entry prevents a subsequent 'Include' directive from
working

Version Information:

    OpenSSH: OpenSSH_10.0p2 (as reported by ssh -V)
    OpenSSL: OpenSSL 3.5.0 8 Apr 2025
    System: Linux x86_64


Problem Description:

When any `Host` entry exists in ~/.ssh/config before an `Include`
directive, the aliases and hosts within the included files are not
recognized. 

Moving the `Include` directive to be the very first line in the file
resolves the issue. 

This behavior is incorrect, as a non-matching `Host` entry should not
affect the processing of subsequent directives in the configuration
file.

Steps to Reproduce:

1. Prepare the following configuration:

$ cat ~/.ssh/config.d/included.conf
Host included-example
    HostName 127.0.0.1
    User testuser

$ cat ~/.ssh/config
# This block breaks the subsequent Include
Host example
    HostName 127.0.0.1
    User admin
    Port 2222

Include ~/.ssh/config.d/*.conf


2. Attempt to connect using the alias from the included file. This will
fail.

$ ssh -vvv included-example

3. Now, edit ~/.ssh/config and move the Include directive to the top of
the file:

$ cat ~/.ssh/config
Include ~/.ssh/config.d/*.conf

Host example
    HostName 127.0.0.1
    User admin
    Port 2222

4. Attempt to connect again. This will succeed. At least the client
will try to connect to 127.0.0.1.

$ ssh -vvv included-example


Expected Results:

The SSH client should successfully parse the entire configuration
regardless of the order of non-conflicting blocks. The connection
attempt in Step 2 should succeed, just as it does in Step 4. A
non-matching Host block should not prevent later directives from being
parsed and applied.


Actual Results:

The connection attempt in Step 4 fails with the error: ssh: `Could not
resolve hostname included-example.com: Name or service not known.` 

The parser seems to stop or fail to correctly process the `Include`
directive if it encounters any `Host` block before it.


Workaround:

Placing the `Include` directive(s) as the very first line in
~/.ssh/config allows the configuration to be parsed correctly.

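ssh_config(5) states that an Include directive may appear inside a Host or Match block to perform conditional inclusion, and that a Host block extends to the next Host or Match line. The following is an added example, not part of the original report and not OpenSSH code: a simplified Python model of that scoping that audits where each Include sits in a config like the ones above. The names `audit_includes` and `host_matches` are hypothetical, the sample configs are constructed, and Match criteria other than `all` are not evaluated.

```python
import fnmatch
import re

# Constructed samples mirroring the two ~/.ssh/config layouts in the report.
INCLUDE_AFTER_HOST = (
    "Host example\n"
    "    HostName 127.0.0.1\n"
    "    User admin\n"
    "\n"
    "Include ~/.ssh/config.d/*.conf\n"
)
INCLUDE_FIRST = "Include ~/.ssh/config.d/*.conf\n\nHost example\n    User admin\n"


def host_matches(patterns, target):
    """Pattern-list match: some positive pattern hits and no negated one does."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(target, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(target, pat):
            hit = True
    return hit


def audit_includes(config_text, target):
    """Return (line_no, include_args, enclosing_block, applies) per Include.
    applies is None under Match criteria, which this model does not evaluate."""
    block, applies, findings = None, True, []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            block, applies = line, host_matches(args.split(), target)
        elif key == "match":
            block = line
            applies = True if args.lower() == "all" else None
        elif key == "include":
            findings.append((no, args, block, applies))
    return findings


if __name__ == "__main__":
    print(audit_includes(INCLUDE_AFTER_HOST, "included-example"))
```

On a real system, `ssh -G included-example` prints the effective configuration the client computes for that name, which can be compared against the audit result.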