Mailing List Archive

odd config behaviour
I have a customized sshd_config file which I had previously just
copied into /etc/ssh on an Ubuntu server. On a new machine I thought
I might try being better behaved and instead copied my config in
sshd_config.d/sshd_config.conf

So it kind of works. The non-conditional config is correctly used
when I restart sshd. But config within a "Match User" seems to be parsed
and then silently ignored.

Match User foouser
Banner /tmp/specialtestbanner # this banner file is weirdly NOT output
# When uncommented this garbage line generates an error, so is being parsed

Everything works perfectly if I copy my sshd_config.d/sshd_config.conf
over top of /etc/ssh/sshd_config (so no include is being done).

Testing done on OpenSSH_8.2p1. I don't see any man page caveats about
nesting Match within Include. I can try reproducing on a modern
OpenSSH next week if that is useful to anyone.

Mike
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: odd config behaviour
On Fri, 4 Mar 2022, M Rubon wrote:

> I have a customized sshd_config file which I had previously just
> copied into /etc/ssh on an Ubuntu server. On a new machine I thought
> I might try being better behaved and instead copied my config in
> sshd_config.d/sshd_config.conf
>
> So it kind of works. The non-conditional config is correctly used
> when I restart sshd. But config within a "Match User" seems to be parsed
> and then silently ignored
>
> Match User foouser
> Banner /tmp/specialtestbanner # this banner file is weirdly NOT output
> # When uncommented this garbage line generates an error, so is being parsed
>
> Everything works perfectly if I copy my sshd_config.d/sshd_config.conf
> over top of /etc/ssh/sshd_config (so no include is being done).
>
> Testing done on OpenSSH_8.2p1. I don't see any man page caveats about
> nesting Match within Include. I can try reproducing on a modern
> OpenSSH next week if that is useful to anyone.

I'm not aware of any bugs in 8.2 that would cause this, but a reproduction
with the current version would help. Also a full debug log from a server
accepting a connection that matches the criteria.

You can also use the -T/-C flags to test evaluation of the config, e.g.

$ cat > /tmp/conf << _EOF
Match user foouser
Banner /etc/motd
_EOF
$ sudo /usr/sbin/sshd -f /tmp/conf -T | grep banner
banner none
$ sudo /usr/sbin/sshd -f /tmp/conf -T -Cuser=foouser | grep banner
banner /etc/motd

You can also turn up the debugging in the config test mode to see what is
happening by adding '-ddd' to the flags.

Hope this helps

-d
Re: odd config behaviour
One thing that could be clarified in sshd_config(5):

> the keywords on the following lines override those
> set in the global section of the config file, until either another
> .Cm Match
> line or the end of the file.

If you have a Match block inside an Included file, does "end of the
file" mean the end of that included file, or the end of the top-level
config file?

Re: odd config behaviour
On Sat, 5 Mar 2022, Brian Candler wrote:

> One thing that could be clarified in sshd_config(5):
>
> > the keywords on the following lines override those
> > set in the global section of the config file, until either another
> > .Cm Match
> > line or the end of the file.
>
> If you have a Match block inside an Included file, does "end of the file" mean
> the end of that included file, or the end of the top-level config file?

Match in an Include should terminate at the end of the file and not
affect the one that included it. IIRC there have been some bugs in that
area.

Maybe something like this?

diff --git a/sshd_config.5 b/sshd_config.5
index 48e9893..b3ea696 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -834,6 +834,11 @@ directive may appear inside a
.Cm Match
block
to perform conditional inclusion.
+.Cm Match
+blocks inside a file
+included via
+.Cm Include
+are terminated at the end of the included file.
.It Cm IPQoS
Specifies the IPv4 type-of-service or DSCP class for the connection.
Accepted values are
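Review bot: the new sentence is attached to the Include entry, but the wording that prompted the question ("until either another Match line or the end of the file") lives in the Match entry and is left as is, so someone reading Match alone still cannot tell which file is meant; consider also qualifying that sentence, e.g. "or the end of the file (for a file pulled in with Include, the end of that file)", or adding a cross-reference from Match to Include.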

-d
Re: odd config behaviour
On 05/03/2022 12:02, Damien Miller wrote:
> Maybe something like this?
>
> diff --git a/sshd_config.5 b/sshd_config.5
> index 48e9893..b3ea696 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
> @@ -834,6 +834,11 @@ directive may appear inside a
> .Cm Match
> block
> to perform conditional inclusion.
> +.Cm Match
> +blocks inside a file
> +included via
> +.Cm Include
> +are terminated at the end of the included file.

That's very clear, thank you.

Re: odd config behaviour
Thank you for your help and suggestions! Looks like there was a
problem in 8.2 but it is gone in 8.9. So this impacts Ubuntu 20.04
LTS. I can explore further if anyone has questions.

I did a two file test case:

ubuntu@sugar:/tmp$ cat top.conf

Include /tmp/included.conf

ubuntu@sugar:/tmp$ cat included.conf

ForceCommand forall
Match user foouser
Banner /etc/motd


# WRONG results on 8.2
ubuntu@sugar:/tmp$ sudo /usr/sbin/sshd -f top.conf -T -Cuser=foouser | grep -e force -e banner
banner none
forcecommand forall
ubuntu@sugar:/tmp$ sudo /usr/sbin/sshd -f included.conf -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall


# RIGHT results in OpenSSH_8.9p1
ubuntu@sugar:/tmp$ sudo ~/openssh-portable/sshd -f top.conf -h /etc/ssh/ssh_host_ed25519_key -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall
ubuntu@sugar:/tmp$ sudo ~/openssh-portable/sshd -f included.conf -h /etc/ssh/ssh_host_ed25519_key -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall



On Fri, 4 Mar 2022 at 19:13, Damien Miller <djm@mindrot.org> wrote:
>
> On Fri, 4 Mar 2022, M Rubon wrote:
>
> > I have a customized sshd_config file which I had previously just
> > copied into /etc/ssh on an Ubuntu server. On a new machine I thought
> > I might try being better behaved and instead copied my config in
> > sshd_config.d/sshd_config.conf
> >
> > So it kind of works. The non-conditional config is correctly used
> > when I restart sshd. But config within a "Match User" seems to be parsed
> > and then silently ignored
> >
> > Match User foouser
> > Banner /tmp/specialtestbanner # this banner file is weirdly NOT output
> > # When uncommented this garbage line generates an error, so is being parsed
> >
> > Everything works perfectly if I copy my sshd_config.d/sshd_config.conf
> > over top of /etc/ssh/sshd_config (so no include is being done).
> >
> > Testing done on OpenSSH_8.2p1. I don't see any man page caveats about
> > nesting Match within Include. I can try reproducing on a modern
> > OpenSSH next week if that is useful to anyone.
>
> I'm not aware of any bugs in 8.2 that would cause this, but a reproduction
> with the current version would help. Also a full debug log from a server
> accepting a connection that matches the criteria.
>
> You can also use the -T/-C flags to test evaluation of the config, e.g.
>
> $ cat > /tmp/conf << _EOF
> Match user foouser
> Banner /etc/motd
> _EOF
> $ sudo /usr/sbin/sshd -f /tmp/conf -T | grep banner
> banner none
> $ sudo /usr/sbin/sshd -f /tmp/conf -T -Cuser=foouser | grep banner
> banner /etc/motd
>
> You can also turn up the debugging in the config test mode to see what is
> happening by adding '-ddd' to the flags.
>
> Hope this helps
>
> -d
Re: odd config behaviour
On 05/03/2022 17:20, M Rubon wrote:
> Thank you for your help and suggestions! Looks like there was a
> problem in 8.2 but it is gone in 8.9. So this impacts Ubuntu 20.04
> LTS. I can explore further if anyone has questions

I did a similar test, also on Ubuntu 20.04 with openssh-server
1:8.2p1-4ubuntu0.4

My main sshd_config has the following:

# egrep -v '^(#|$)' /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem    sftp    /usr/lib/openssh/sftp-server

As expected, password authentication is not offered.

(1) if I create /etc/ssh/sshd_config.d/brian.conf with

Match user brian
PasswordAuthentication yes

then this has no effect - attempting to log in as 'brian' only offers
publickey.

(2) But if I add those two lines directly to the bottom of
/etc/ssh/sshd_config, then they *do* take effect.

(3) If I put those lines in /root/brian.conf and add

Include /root/*.conf

to the *end* of sshd_config, then it has no effect - same as (1).

Regards,

Brian.


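A scripted form of the sshd -T / -C evaluation Damien suggested, applied to the two-file layout from Mike's test and to the sshd_config.d-style Include that Brian used, as an added example; it is not part of the thread and not OpenSSH project code. It also exercises the rule from Damien's man page wording (a Match block in an included file ends with that file) by placing a global directive in the top-level file after the Include. Assumed rather than taken from the posts: a throwaway host key generated with ssh-keygen so the check runs without root or /etc/ssh, the hypothetical user names foouser and otheruser, the conf.d directory name, and the PermitTTY directive used for the scoping check.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: check whether the
# installed sshd honours a Match block inside an Included file, using the
# same sshd -T / -C evaluation the thread used.
# Assumptions (illustrative, not from the posts): the user names, the
# conf.d layout and the PermitTTY directive used for the scoping check.

SSHD=${SSHD:-/usr/sbin/sshd}

# Lay out the test files under $1: conf.d/foouser.conf carries a global
# directive plus a Match block; top.conf includes it (as Ubuntu's
# sshd_config includes sshd_config.d/*.conf) and then sets a global
# directive of its own, which must apply to every user if the Match block
# really ends with the included file.
write_configs() {
    mkdir -p "$1/conf.d"
    cat > "$1/conf.d/foouser.conf" <<EOF
ForceCommand forall
Match User foouser
Banner /etc/motd
EOF
    cat > "$1/top.conf" <<EOF
Include $1/conf.d/*.conf
PermitTTY no
EOF
}

# Print the effective value of keyword $2 from config $1 using host key $3,
# evaluated for the optional -C criteria in $4 (e.g. user=foouser).
# sshd -T prints keywords in lower case, one per line.
effective() {
    conf=$1 key=$2 hostkey=$3 spec=$4
    set -- -f "$conf" -h "$hostkey" -T
    [ -n "$spec" ] && set -- "$@" -C "$spec"
    "$SSHD" "$@" | awk -v k="$key" '$1 == k { print $2; exit }'
}

# Exit status: 0 Match honoured and confined to the included file;
# 1 Match inside the included file ignored (the 8.2 behaviour reported in
# the thread); 3 the Match block leaked past the end of the included file;
# 2 the check could not run (no sshd/ssh-keygen, or sshd refused the
# test configuration; its stderr says why).
check_match_in_include() {
    command -v "$SSHD" >/dev/null 2>&1 || return 2
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    # Throwaway host key: sshd -T will not run without a loadable host key,
    # and -h keeps it away from /etc/ssh, so no root is needed.
    ssh-keygen -q -N '' -t ed25519 -f "$tmp/hostkey" || { rm -rf "$tmp"; return 2; }
    write_configs "$tmp"
    via_include=$(effective "$tmp/top.conf" banner "$tmp/hostkey" user=foouser)
    direct=$(effective "$tmp/conf.d/foouser.conf" banner "$tmp/hostkey" user=foouser)
    tty_other=$(effective "$tmp/top.conf" permittty "$tmp/hostkey" user=otheruser)
    rm -rf "$tmp"
    # Evaluating the included file on its own is the reference: in the
    # thread that gave the right answer even on 8.2.
    [ "$direct" = /etc/motd ] || return 2
    [ "$via_include" = /etc/motd ] || return 1
    # PermitTTY no sits after the Include in top.conf. If the Match block
    # did not end with the included file, that directive would be confined
    # to foouser and otheruser would still see the default (yes).
    [ "$tty_other" = no ] || return 3
    return 0
}

rc=0
check_match_in_include || rc=$?
case $rc in
    0) echo "OK: Match inside Include is honoured and ends with the included file" ;;
    1) echo "BUG: Match inside Include is ignored (the 8.2 behaviour from the thread)" ;;
    2) echo "SKIP: could not run the check (set SSHD=/path/to/sshd; needs ssh-keygen)" ;;
    3) echo "BUG: Match block leaked past the end of the included file" ;;
esac
```

Point it at a particular build with SSHD=/path/to/sshd, the way Mike compared the packaged 8.2 binary with his 8.9 build; an exit status of 1 is the symptom from the thread, and 2 means the check itself could not run, for example because sshd was run as root without its privilege separation user.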
Re: odd config behaviour
On Sun, 6 Mar 2022, Brian Candler wrote:

> On 05/03/2022 17:20, M Rubon wrote:
> > Thank you for your help and suggestions! Looks like there was a
> > problem in 8.2 but it is gone in 8.9. So this impacts Ubuntu 20.04
> > LTS. I can explore further if anyone has questions
>
> I did a similar test, also on Ubuntu 20.04 with openssh-server
> 1:8.2p1-4ubuntu0.4
>
> My main sshd_config has the following:
>
> # egrep -v '^(#|$)' /etc/ssh/sshd_config
> Include /etc/ssh/sshd_config.d/*.conf

I think this was fixed in this commit:
https://github.com/openssh/openssh-portable/commit/7af1e92cd289