On Thu, 2021-06-17 at 20:28 +0300, Andrei Borzenkov wrote:
On 17.06.2021 07:50, Andrei Borzenkov wrote:
On 16.06.2021 13:05, Michael Ströder wrote:
Conditional Include in a Match section is not an issue if done right.
But as described in sshd_config(5) a Match section is terminated by EOF or another Match section. AFAICS this means that all Match sections have to be included at the *end* of the config file *after* all global config directives.
But /usr/etc/ssh/sshd_config now contains at the *beginning*:
Include /etc/ssh/sshd_config.d/*.conf
The unconditional globbing is my concern: AFAICS if somebody puts a Match section in
/etc/ssh/sshd_config.d/match-section.conf
this would mask all other *global* config directives in /usr/etc/ssh/sshd_config and all other config files included after match-section.conf.
I cannot make a Match section work in an #include'd file at all.
And judging by this comment, this is intentional:
/*
 * don't let Match in includes clobber the
 * containing file's Match state.
 */
Which means it is not possible to replace ssh configuration file with include directory at all.
More precisely: it can't be done the way the currently shipped sshd_config file attempts to do it. If "Match" sections are used, the correct approach would be

Include /etc/ssh/sshd_config.d/*.conf
# other defaults
Match somehost
Include /etc/ssh/sshd_config.d/somehost/*.conf

But this obviously requires a change to sshd_config itself. So anyone using matches would need to create and maintain /etc/ssh/sshd_config, which is what we wanted to avoid in the first place.

Regards
Martin
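An added example, not from this thread or from OpenSSH: a small Python linter that walks an sshd_config and its Include globs in file order, keeps Match state per file (as the quoted servconf comment describes), and flags both Match blocks opened inside a drop-in file and the directives that have become conditional on a Match. The sample file tree, the directive values and the `lint`/`run_sample` names are constructed for the example; relative Include paths are assumed to resolve against the config root directory.

```python
import glob
import os
import re
import tempfile

# Constructed sample tree mirroring the layout discussed in the thread (not the
# real distribution files): a vendor config that Includes a drop-in directory
# at the top, and a drop-in that opens a Match block.
SAMPLE = {
    "sshd_config": "Include sshd_config.d/*.conf\nPasswordAuthentication no\n"
                   "Match User backup\nX11Forwarding no\n",
    "sshd_config.d/match-section.conf": "Match Address 10.0.0.0/8\nPermitRootLogin yes\n",
}

def lint(path, root, depth=0, findings=None):
    """Walk one config file and its Includes; collect (file, line, message)."""
    findings = [] if findings is None else findings
    in_match = None  # Match state is per file: an include cannot change ours.
    with open(path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = re.split(r"[ \t=]+", line, maxsplit=1)
            key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if key == "include":
                # Assumption: relative Include paths resolve against root.
                pattern = arg if os.path.isabs(arg) else os.path.join(root, arg)
                for inc in sorted(glob.glob(pattern)):
                    lint(inc, root, depth + 1, findings)
            elif key == "match":
                in_match = arg
                if depth > 0:
                    findings.append((path, no, f"Match {arg} opened in an included file"))
            elif in_match:
                # Everything after a Match, up to EOF or the next Match, is conditional.
                findings.append((path, no, f"{key} is conditional on 'Match {in_match}'"))
    return findings

def run_sample():
    """Materialise SAMPLE in a temp dir, lint it, return root-relative findings."""
    root = tempfile.mkdtemp()
    for rel, text in SAMPLE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    found = lint(os.path.join(root, "sshd_config"), root)
    return [(os.path.relpath(f, root), n, m) for f, n, m in found]

if __name__ == "__main__":
    for f, n, m in run_sample():
        print(f"{f}:{n}: {m}")
```

Running it on the sample shows the drop-in's PermitRootLogin becoming conditional on its own Match, while the vendor file's PasswordAuthentication after the Include stays global.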