
Bug#1002710: openssh-server: Include directive in stock /etc/ssh/sshd_config does not play well with Match directives



Package: openssh-server
X-Debbugs-Cc: dkg@fifthhorseman.net
Version: 1:8.7p1-2
Severity: normal

The shipped /etc/ssh/sshd_config in debian now starts with the
following directive:

Include /etc/ssh/sshd_config.d/*.conf

However, it then *also* has these directives:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server


If an admin puts a Match block (or several Match blocks) inside one of
the /etc/ssh/sshd_config.d/*.conf files, it's not clear how that match
block will interact with these updated bits of configuration.

For example, if /etc/ssh/sshd_config.d/constrainedusers.conf contains:

----
Match Group constrainedusers
  ForceCommand restricted-shell
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no
----

Then it looks like all the rest of the directives in
/etc/ssh/sshd_config will only apply to this Matched group, rather
than to the server as a whole.

This makes it awkward to drop Match block directives in the config
dir.

I haven't tested this enough to know what the right fix is, because
there doesn't seem to be a clear way to get out of a Match block.
Perhaps a "Match All" immediately after the Include directive?

(Also, since the first-defined directive wins, it'd be nice to have
some handily-available documentation (maybe in the comment above the
Include directive?) about the expected sort order of globbed include
directives like this.  Looking in the source, it looks like it's going
to be dependent on the implementation of the glob(3) call from the
standard library (or from the openbsd-compat/glob.h wrapper), both of
which have a GLOB_NOSORT flag, which isn't set by the invocation in
servconf.c.  But it's not clear to me what sort order glob() uses --
is it locale-dependent, for example?)

Sorry to raise more questions than answers here.  Thanks for the great
work maintaining openssh in debian!

        --dkg
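
As an added illustration (not part of dkg's report or of OpenSSH's servconf.c), the following Python model replays the scenario above: directives are read in order, Include expands in sorted glob order, and a Match line in an included file keeps scoping the directives that follow it in the including file. The sample files are constructed, only `Match Group` criteria are evaluated, and "Match All" is simplified to a return to global scope, as the comments note.

```python
import fnmatch

# Constructed sample files mirroring the layout described in the report.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication no\n"
        "UsePAM yes\n"
        "X11Forwarding yes\n"
    ),
    "/etc/ssh/sshd_config.d/constrainedusers.conf": (
        "Match Group constrainedusers\n"
        "  ForceCommand restricted-shell\n"
        "  X11Forwarding no\n"
    ),
}

def with_match_all(files):  # same layout plus the "Match All" reset the report suggests
    main = files["/etc/ssh/sshd_config"].replace("*.conf\n", "*.conf\nMatch All\n", 1)
    return {**files, "/etc/ssh/sshd_config": main}

def walk(path, files, scope=None):
    """Return ([(keyword, value, scope)], scope) for one file, expanding Include in
    sorted glob order; the Match scope in force at end of file is handed back."""
    out = []
    for line in filter(str.strip, files[path].splitlines()):
        key, val = (line.split(None, 1) + [""])[:2]
        key, val = key.lower(), val.strip()
        if key == "include":
            for inc in sorted(fnmatch.filter(files, val)):
                sub, scope = walk(inc, files, scope)  # scope leaks back out
                out.extend(sub)
        elif key == "match":
            # Simplification: "Match All" is modelled as a return to global scope.
            scope = None if val.lower() == "all" else val
        else:
            out.append((key, val, scope))
    return out, scope

def effective_for(files, groups, main="/etc/ssh/sshd_config"):
    """Config for a user in `groups`: matching Match Group blocks override globals."""
    global_vals, match_vals = {}, {}
    for key, val, scope in walk(main, files)[0]:
        crit = (scope or "").split()
        if scope is None:
            global_vals.setdefault(key, val)  # first-obtained value wins
        elif len(crit) == 2 and crit[0].lower() == "group" and crit[1] in groups:
            match_vals.setdefault(key, val)
    return {**global_vals, **match_vals}
```

With the stock layout, a user outside the constrained group gets no PasswordAuthentication or UsePAM setting at all, because every directive after the Include has been pulled into the Match scope; with the "Match All" reset they apply globally again while the group still gets its overrides.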
