openssh bugs - Jun 2017 - [Bug 2731] New: .ssh/config: Host * overrides included files

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

            Bug ID: 2731
           Summary: .ssh/config: Host * overrides included files
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot at ashka.me

Hi,

When a file is included, and that .ssh/config contains a "Host *"
section, properties (like User) that should be overriden in included
files are not.


Reproduction steps:
- Create the following .ssh/config:
Host a
    Hostname a.b.c
    User userA

Host *
    User userB

- `ssh a' should log in to userA at a.b.c, `ssh b.c.d' should log in to
userB at b.c.d'

- Move the `a' host into an included file to have the following
.ssh/config:
Host *
    User userB

Include ~/.ssh/a_host

- `ssh a' will try to log in to userB at a.b.c instead of userA at a.b.c.

Expected result:
  `ssh a' should log in to userA at a.b.c anyway since there is an User
line in its Host definition and that that works when not included.


I have read online that the "Host *" should be at the end of the file,
which works fine in the first example, however in the example with the
Include, doing that "deletes" the included Hosts; having Include then
User would make `ssh a' not work (unresolved hostname), as if there was
no entry.

ssh -V: OpenSSH_7.5p1, OpenSSL 1.1.0f  25 May 2017

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

mindrot at ashka.me changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mindrot at ashka.me

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I think the problem is that your configuration now is effectively:
> Host *
>  User userB
>  Include ~/.ssh/a_host
I.e. you're conditionally including the a_host file after you set
userB.

If you change the order to
> Include ~/.ssh/a_host
> 
> Host *
>  User userB
Then you should get the behaviour that you desire.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

--- Comment #2 from mindrot at ashka.me ---
(In reply to Damien Miller from comment #1)
> If you change the order to
> 
> > Include ~/.ssh/a_host
> > 
> > Host *
> >  User userB
> 
> Then you should get the behaviour that you desire.
Unfortunately that makes host `a' "disappear", `ssh a' will
not work
anymore, which is what I meant in the end of my post.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
(In reply to mindrot from comment #2)
> Unfortunately that makes host `a' "disappear", `ssh a'
will not work
> anymore, which is what I meant in the end of my post.
You'll need to include a debug trace ("ssh -vvv user at a") to
figure out
what's going on here.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

--- Comment #4 from mindrot at ashka.me ---
Created attachment 3000
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3000&action=edit
ssh -vvv a, on 7.5p1

(In reply to Damien Miller from comment #3)
> You'll need to include a debug trace ("ssh -vvv user at a")
to figure
> out what's going on here.
Sorry, I should have included it from the get go. I attached the output
of `ssh -vvv a' for both Host * then Include and Include then Host *.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
I can't reproduce that behaviour. With ~/.ssh/config containing:

-----------

Include ~/.ssh/config_a

Host *
        User bar

-----------

... and ~/.ssh/config_a containing:

-----------

Host a
        Hostname 192.168.0.1
        User foo

-----------

I get the following log messages:
> OpenSSH_7.5, LibreSSL 2.6.0
> debug1: Reading configuration data /home/djm/.ssh/config
> debug3: /home/djm/.ssh/config line 1: Including file
/home/djm/.ssh/config_a depth 0
> debug1: Reading configuration data /home/djm/.ssh/config_a
> debug1: /home/djm/.ssh/config_a line 1: Applying options for a
> debug1: /home/djm/.ssh/config line 3: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolving "192.168.0.1" port 22
This differs from your trace:
> Include then Host *:
> $ ssh -vvv a
> OpenSSH_7.5p1, OpenSSL 1.1.0f  25 May 2017
> debug1: Reading configuration data /home/ashka/.ssh/config
> debug3: /home/ashka/.ssh/config line 64: Including file
/home/ashka/.ssh/a_host depth 0 (parse only)
You aren't showing your full ~/.ssh/config file, but I can see that
there are 64 lines of other stuff before it actually gets to the
Include directive.

I bet one of those is another Host or Match line, and the Include is
being made conditional on it. That's what the "(parse only)" means
-
that the file is being read and checked for syntax, but its contents
are ignored because it's in a Match/Host statement that didn't match.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

mindrot at ashka.me changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #6 from mindrot at ashka.me ---
(In reply to Damien Miller from comment #5)
> I can't reproduce that behaviour. [...] You aren't showing your
full ~/.ssh/config file, but I can see that there are 64 lines of other stuff
before it actually gets to the Include directive.
Indeed, I thought that other hosts in the same file before the Include
did not affect it, but I had no idea Include was conditional (aka.
ignored after a Host block if the Host does not match). Sorry for the
waste of time.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2731

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.