Mailing List Archive

[Bug 3122] New Include functionality does not work as documented
https://bugzilla.mindrot.org/show_bug.cgi?id=3122

--- Comment #4 from Giancarlo Razzolini <grazzolini@archlinux.org> ---
The patch is working just fine, just to let you guys know.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

--- Comment #5 from Damien Miller <djm@mindrot.org> ---
Just so I understand what's going on in the patch, is *activep==2
supposed to mean "only allow match/include directives"?

If so, rather than touch every *activep test but those, I think it
might be better to add a new inc_flags value, say SSHCFG_IN_MATCH or
perhaps SSHCFG_MATCH_ONLY, and drive the logic from that. What do you think?


--- Comment #6 from Jakub Jelen <jjelen@redhat.com> ---
(In reply to Damien Miller from comment #5)
> Just so I understand what's going on in the patch, is *activep==2
> supposed to mean "only allow match/include directives"?

Only options in match blocks are used, regardless of whether they are in
the main file or in an included file (after the first match block). The
includes are processed the same way as normally, but if a directive comes
before any match block, it is ignored.

> If so, rather than touch every *activep test but those, I think it
> might be better to add a new inc_flags value, say SSHCFG_IN_MATCH or
> perhaps SSHCFG_MATCH_ONLY, and drive the logic from that. What do you
> think?

Sure, if you would be able to plug it somehow together. I was not able
to figure out the correct conditions to make the flags work towards this
goal.

The main issue is that I need this flag to be active up to the first
match block, but I do not have a simple way to get this information out
of the process_server_config_line_depth() function to its caller, which is
the only place I can for sure say "here was a Match block". I can
probably introduce new parameters, modify return values or use global
variables, but I was not satisfied with either direction so far.

But what I put together and which is missing in my patch above is the
regression test:

@@ -150,5 +150,19 @@ ${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
-C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
fail "sshd allowed Include with no argument"

+# Ensure the Include before any Match block works as expected (bug
#3122)
+cat > $OBJ/sshd_config.i << _EOF
+Banner /xx
+HostKey $OBJ/host.ssh-ed25519
+Include $OBJ/sshd_config.i.2
+_EOF
+cat > $OBJ/sshd_config.i.2 << _EOF
+Match host a
+ Banner /aa
+_EOF
+
+trace "Include before match blocks"
+trial a /aa "included file before match blocks is properly evaluated"
+
# cleanup
rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
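
Review bot: the added case ends with a single "trial a /aa", so it only checks the host that matches "Match host a" and never checks that the global "Banner /xx" set before the Include still applies when the Match block does not match. A second trial with a non-matching host expecting /xx (assuming trial takes host, expected banner and message, as in the line shown) would cover both directions. Separately, the comment line is wrapped in this mail, leaving "#3122)" without a leading "+"; the hunk header counts 19 new lines, which only adds up if the comment is a single line, so it needs rejoining before the hunk will apply.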


Jakub Jelen <jjelen@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3384|0                           |1
        is obsolete|                            |
   Attachment #3399|                            |ok?(djm@mindrot.org)
              Flags|                            |

--- Comment #7 from Jakub Jelen <jjelen@redhat.com> ---
Created attachment 3399
--> https://bugzilla.mindrot.org/attachment.cgi?id=3399&action=edit
proposed patch for this & #3169

With a bit of tweaking it looks like it is finally working as expected.
I changed the flags so that they are passed back to the caller so we can
clean this flag after the first match block. Also regression tests for this
and #3169 are attached.

Damien, would the proposed change work for you?


Damien Miller <djm@mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |3162

--- Comment #8 from Damien Miller <djm@mindrot.org> ---
Thanks - this patch has been applied and will be in OpenSSH 8.4, due in
~3 months.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release