Package: openssh-server
X-Debbugs-Cc: d...@fifthhorseman.net
Version: 1:8.7p1-2
Severity: normal

The shipped /etc/ssh/sshd_config in debian now starts with the following directive:

    Include /etc/ssh/sshd_config.d/*.conf

However, it then *also* has these directives:

    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM yes
    X11Forwarding yes
    PrintMotd no
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server

If an admin puts a Match block (or several Match blocks) inside one of the /etc/ssh/sshd_config.d/*.conf files, it's not clear how that match block will interact with these updated bits of configuration.

For example, if /etc/ssh/sshd_config.d/constrainedusers.conf contains:

----
Match Group constrainedusers
ForceCommand restricted-shell
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
----

Then it looks like all the rest of the directives in /etc/ssh/sshd_config will only apply to this Matched group, rather than to the server as a whole.

This makes it awkward to drop Match block directives in the config dir.

I haven't tested this enough to know what the right fix is, because there doesn't seem to be a clear way to get out of a Match block. Perhaps a "Match All" immediately after the Include directive?

(also, since it's first-defined-directive wins, it'd be nice to have some handily-available documentation (maybe in the comment above the Include directive?) about the expected sort order of globbed include directives like this. looking in the source, it looks like it's going to be dependent on the implementation of the glob(3) call from the standard library (or from the openbsd-compat/glob.h wrapper), both of which have a GLOB_NOSORT flag, which isn't set by the invocation in servconf.c. But it's not clear to me what sort order glob() uses -- is it locale-dependent, for example?)

Sorry to raise more questions than answers here. thanks for the great work maintaining openssh in debian!

--dkg
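An audit helper for the situation the report describes, added here as an example (not code from the report or from OpenSSH): it flags drop-in files whose last Match line is something other than `Match all` and lists the main-file directives after the Include whose scope the report questions. It does not decide how sshd scopes them; the function names, the byte-wise sort and the in-memory sample files (trimmed from the report's excerpts) are assumptions.

```python
import fnmatch
import re

LINE = re.compile(r"\s*([A-Za-z0-9]+)[ \t]*=?[ \t]*(.*?)\s*$")

def directives(text):
    """Yield (lineno, lowercased keyword, args) for each non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if m:
            yield n, m.group(1).lower(), m.group(2)

def ends_in_match(text):
    """True if the file's last Match line is something other than 'Match all'."""
    last = None
    for _, kw, args in directives(text):
        if kw == "match":
            last = args.lower()
    return last is not None and last != "all"

def audit(main_text, files):
    """files maps path -> text. Returns one finding per affected Include line."""
    main = list(directives(main_text))
    findings = []
    for i, (n, kw, args) in enumerate(main):
        if kw != "include":
            continue
        # Assumption: byte-wise sort; the report leaves the real glob order open.
        hits = sorted({p for p in files for pat in args.split() if fnmatch.fnmatchcase(p, pat)})
        open_match = [p for p in hits if ends_in_match(files[p])]
        after = []  # directives after the Include, up to the main file's own first Match
        for _, k, _a in main[i + 1:]:
            if k == "match":
                break
            after.append(k)
        if open_match and after:
            findings.append({"include_line": n, "open_match": open_match, "in_question": after})
    return findings

# Constructed sample input, trimmed from the excerpts quoted in the report.
MAIN = ("Include /etc/ssh/sshd_config.d/*.conf\nPasswordAuthentication no\nUsePAM yes\n"
        "X11Forwarding yes\nSubsystem sftp /usr/lib/openssh/sftp-server\n")
DROPINS = {"/etc/ssh/sshd_config.d/constrainedusers.conf":
           "Match Group constrainedusers\nForceCommand restricted-shell\nX11Forwarding no\n"}
print(audit(MAIN, DROPINS))
```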