odd config behaviour

M Rubon rubonmtz at gmail.com
Sun Mar 6 04:20:16 AEDT 2022


Thank you for your help and suggestions!  Looks like there was a
problem in 8.2 but it is gone in 8.9.  So this impacts Ubuntu 20.04
LTS.  I can explore further if anyone has questions.

I did a two-file test case:

ubuntu at sugar:/tmp$ cat top.conf

     Include /tmp/included.conf

ubuntu at sugar:/tmp$ cat included.conf

     ForceCommand forall
     Match user foouser
            Banner /etc/motd


   # WRONG results on 8.2
ubuntu at sugar:/tmp$ sudo /usr/sbin/sshd -f top.conf -T -Cuser=foouser | grep -e force -e banner
banner none
forcecommand forall
ubuntu at sugar:/tmp$ sudo /usr/sbin/sshd -f included.conf -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall


   # RIGHT results in OpenSSH_8.9p1
ubuntu at sugar:/tmp$ sudo ~/openssh-portable/sshd -f top.conf -h /etc/ssh/ssh_host_ed25519_key -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall
ubuntu at rsugar:/tmp$ sudo ~/openssh-portable/sshd -f included.conf -h /etc/ssh/ssh_host_ed25519_key -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall



On Fri, 4 Mar 2022 at 19:13, Damien Miller <djm at mindrot.org> wrote:
>
> On Fri, 4 Mar 2022, M Rubon wrote:
>
> > I have a customized sshd_config file which I had previously just
> > copied into /etc/ssh on an Ubuntu server.  On a new machine I thought
> > I might try being better behaved and instead copied my config in
> > sshd_config.d/sshd_config.conf
> >
> > So it kind of works.  The non-conditional config is correctly used
> > when I restart sshd.  But config within a "Match User" seems be parsed
> > and then silently ignored
> >
> > Match User foouser
> >    Banner /tmp/specialtestbanner     # this banner file is weirdly NOT output
> >    # When uncommented this garbage line generates an error, so is being parsed
> >
> > Everything works perfectly if I copy my sshd_config.d/sshd_config.conf
> > over top of /etc/ssh/sshd_config (so no include is being done).
> >
> > Testing done on OpenSSH_8.2p1.  I don't see any man page caveats about
> > nesting Match within Include.  I can try reproducing on a modern
> > openSsh next week if that is useful to anyone.
>
> I'm not aware of any bugs in 8.2 that would cause this, but a reproduction
> with the current version would help. Also a full debug log from a server
> accepting a connection that matches the criteria.
>
> You can also use the -T/-C flags to test evaluation of the config, e.g.
>
> $ cat > /tmp/conf << _EOF
> Match user foouser
>         Banner /etc/motd
> _EOF
> $ sudo /usr/sbin/sshd -f /tmp/c -T | grep banner
> banner none
> $ sudo /usr/sbin/sshd -f /tmp/c -T -Cuser=foouser | grep banner
> banner /etc/motd
>
> You can also turn up the debugging in the config test mode to see what is
> happening by adding '-ddd' to the flags.
>
> Hope this helps
>
> -d
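A reduced model of the resolution the thread is testing, added here as an example and not OpenSSH's code: it replays the two-file case above (top.conf including included.conf, a Match user block, and -T evaluation with and without -Cuser=foouser) with first-value-wins globals and Match overrides. It assumes constructed in-memory files in place of /tmp and exact string comparison where sshd uses pattern lists.

```python
"""Simplified model of sshd directive resolution across Include and Match.
Constructed example, not OpenSSH's code: it covers only what the thread
exercises (Include, 'Match user', -T/-C style evaluation) and uses exact
string comparison where sshd uses pattern lists."""

# Constructed in-memory stand-in for the two files shown in the thread.
FILES = {
    "/tmp/top.conf": "Include /tmp/included.conf\n",
    "/tmp/included.conf": "ForceCommand forall\nMatch user foouser\n\tBanner /etc/motd\n",
}
# Defaults as sshd -T printed them in the thread.
DEFAULTS = {"banner": "none", "forcecommand": "none"}


def parse_lines(path, files=FILES):
    """Yield (keyword, argument) pairs, expanding Include recursively."""
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, _, argument = line.partition(" ")
        if keyword.lower() == "include":
            yield from parse_lines(argument.strip(), files)  # nested file
        else:
            yield keyword.lower(), argument.strip()


def match_applies(criteria, conn):
    """Evaluate 'user foouser'-style criteria against -C style values.
    With no connection info (plain -T) no Match block is evaluated."""
    if conn is None:
        return False
    tokens = criteria.split()
    return all(conn.get(k.lower()) == v for k, v in zip(tokens[0::2], tokens[1::2]))


def effective_config(path, conn=None, files=FILES):
    """Resolve the config as -T [-C] prints it: globals keep the first value
    seen; a matching Match block overrides them, first matching block wins."""
    globals_, matched = {}, {}
    in_match = None  # None while in the global section, else bool
    for keyword, argument in parse_lines(path, files):
        if keyword == "match":
            in_match = match_applies(argument, conn)
        elif in_match is None:
            globals_.setdefault(keyword, argument)
        elif in_match:
            matched.setdefault(keyword, argument)
    return {**DEFAULTS, **globals_, **matched}
```

The expected (8.9) behaviour is that `effective_config("/tmp/top.conf", {"user": "foouser"})` and the same call on `/tmp/included.conf` both yield `banner /etc/motd`; the 8.2 output in the thread differs only for the included case.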


More information about the openssh-unix-dev mailing list