Include for sshd_config

Nico Kadel-Garcia nkadel at
Thu Apr 20 21:56:48 AEST 2017

On Wed, Apr 19, 2017 at 1:02 PM, navern <livingdeadzerg at> wrote:
> On 10.04.2017 23:02, navern wrote:
>> On 07.04.2017 15:05, Jakub Jelen wrote:
>>> On 04/07/2017 11:54 AM, navern wrote:
>>>> Hello,
>>>> Afaik there was added Include feature for ssh_config. I want to add this
>>>> option to sshd_config as well. I think about local patch(i am not sure
>>>> this will be required for upstream).
>>>> Code for Include option in readconf.c doesn't look very specific. Is
>>>> there some reason why this wasn't introduced for sshd_config as well?
>>>> Maybe someone already have patch for this feature? It would be great
>>>> because i am pretty awful C programmer.
>>> This is already implemented in the following bugzilla:
>>> The code gets little bit more complicated because of requirement to
>>> re-read the configuration for every incoming connection. Giving a test and
>>> comments would be very appreciated.
>>> Regards,
>> Hello,
>> I've fixed this patch a little to apply it to version 7.4p1. I will test
>> it in following week and let you know about results. Thanks for the patch.
> Hi,
> I've been testing this for about a week on 150 servers and everything
> running fine. I hadn't seen any bugs. Thanks!

What is the performance penalty for incoming connectons? Have you any
sense of this?

I'm slightly leery of this approach. I've encountered numerous systems
that sought to split out subconfigurations sensibly, such as
/etc/cron.d for cron jobs, /et/sudoers.d for sudo access, and
individual zone files for DNS configurations. Some of them have worked
very well, but some of them which parse all files for all connections
have been vulnerable to a single typo in a single included file
destroying the *whole* system. If you do that to the SSH which is used
for remote system management, well, you can suddenly be up a nasty
creek without a paddle unless you're as paranoid as I've sometimes
been and run a second daemon with a separate set of config files with
very restrictive access for emergencies. It can be exacerbated if you
have a system configuration tool, such as ansible or puppet or chef,
which can modify your OpenSSH config without you're being connected on
a live SSH session which is still active and might be used for salvage
if you screw up a file.

Is there any available tool with this for pre-evaluating the resulting
sshd_config for fatal errors? I'm not demanding: I'm thinking "that
could be really, really useful".

More information about the openssh-unix-dev mailing list