Thank you for your help and suggestions! Looks like there was a
problem in 8.2 but it is gone in 8.9. So this impacts Ubuntu 20.04
LTS. I can explore further if anyone has questions.
I did a two-file test case:
ubuntu at sugar:/tmp$ cat top.conf
Include /tmp/included.conf
ubuntu at sugar:/tmp$ cat included.conf
ForceCommand forall
Match user foouser
Banner /etc/motd
# WRONG results on 8.2
ubuntu at sugar:/tmp$ sudo /usr/sbin/sshd -f top.conf -T -Cuser=foouser | grep -e force -e banner
banner none
forcecommand forall
ubuntu at sugar:/tmp$ sudo /usr/sbin/sshd -f included.conf -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall
# RIGHT results in OpenSSH_8.9p1
ubuntu at sugar:/tmp$ sudo ~/openssh-portable/sshd -f top.conf -h /etc/ssh/ssh_host_ed25519_key -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall
ubuntu at sugar:/tmp$ sudo ~/openssh-portable/sshd -f included.conf -h /etc/ssh/ssh_host_ed25519_key -T -Cuser=foouser | grep -e force -e banner
banner /etc/motd
forcecommand forall
On Fri, 4 Mar 2022 at 19:13, Damien Miller <djm at mindrot.org>
wrote:
>
> On Fri, 4 Mar 2022, M Rubon wrote:
>
> > I have a customized sshd_config file which I had previously just
> > copied into /etc/ssh on an Ubuntu server. On a new machine I thought
> > I might try being better behaved and instead copied my config in
> > sshd_config.d/sshd_config.conf
> >
> > So it kind of works. The non-conditional config is correctly used
> > when I restart sshd. But config within a "Match User" seems to be parsed
> > and then silently ignored.
> >
> > Match User foouser
> > Banner /tmp/specialtestbanner # this banner file is weirdly NOT output
> > # When uncommented this garbage line generates an error, so is being parsed
> >
> > Everything works perfectly if I copy my sshd_config.d/sshd_config.conf
> > over top of /etc/ssh/sshd_config (so no include is being done).
> >
> > Testing done on OpenSSH_8.2p1. I don't see any man page caveats about
> > nesting Match within Include. I can try reproducing on a modern
> > openSsh next week if that is useful to anyone.
>
> I'm not aware of any bugs in 8.2 that would cause this, but a reproduction
> with the current version would help. Also a full debug log from a server
> accepting a connection that matches the criteria.
>
> You can also use the -T/-C flags to test evaluation of the config, e.g.
>
> $ cat > /tmp/conf << _EOF
> Match user foouser
> Banner /etc/motd
> _EOF
> $ sudo /usr/sbin/sshd -f /tmp/conf -T | grep banner
> banner none
> $ sudo /usr/sbin/sshd -f /tmp/conf -T -Cuser=foouser | grep banner
> banner /etc/motd
>
> You can also turn up the debugging in the config test mode to see what is
> happening by adding '-ddd' to the flags.
>
> Hope this helps
>
> -d
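[Editor's note, added to this thread; the code below is mine, not OpenSSH's and not posted by either participant.] The two-file test case and Damien's -T/-C recipe above are easier to reason about with a small model of the documented sshd_config(5) rules: keywords are case-insensitive, Include splices files in place (globs in name order), a Match line opens a block that lasts until the next Match line, a Match block's keywords override the global section when its criteria hold, and otherwise the first obtained value for a keyword wins. Without connection info (sshd -T with no -C) only "Match all" can match, which is why Damien's first run printed "banner none". The model below holds the files in an in-memory dict so it runs offline; the file contents are constructed to mirror the test case and the sshd_config.d layout in the original report, and the criteria matching (plain glob patterns, no CIDR or negation) and the treatment of "#" anywhere on a line as a comment are simplifications of this model, not a statement about sshd's parser.

```python
"""Added example, not OpenSSH code: an in-memory model of how sshd_config
keywords resolve across Include and Match, after sshd_config(5).
Model assumptions: glob-only criteria (no CIDR, no '!' negation), '#'
starts a comment anywhere on a line, no per-keyword special cases."""
import fnmatch
import re
import shlex

# Constructed files mirroring the two-file test case in this thread.
TWO_FILE_CASE = {
    "/tmp/top.conf": "Include /tmp/included.conf\n",
    "/tmp/included.conf": "ForceCommand forall\nMatch user foouser\nBanner /etc/motd\n",
}
# Constructed files mirroring the sshd_config.d layout in the original report.
DROPIN_CASE = {
    "/etc/ssh/sshd_config": "Banner /etc/issue.net\nInclude /etc/ssh/sshd_config.d/*.conf\n",
    "/etc/ssh/sshd_config.d/sshd_config.conf": "Match User foouser\nBanner /tmp/specialtestbanner\n",
}

# 'Keyword value', 'Keyword=value' or a bare keyword.
_LINE = re.compile(r"^(\w+)(?:[ \t]*=[ \t]*|[ \t]+|$)(.*)$")


def directives(files, path, depth=0):
    """Yield (file, lineno, keyword, args), with Include expanded in place."""
    if depth > 16:
        raise ValueError("Include nesting too deep at %s" % path)
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # model assumption: '#' comments
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("%s line %d: cannot parse %r" % (path, lineno, raw))
        keyword, args = m.group(1).lower(), shlex.split(m.group(2))
        if keyword == "include":
            for pattern in args:   # globs are processed in name order
                for name in sorted(n for n in files if fnmatch.fnmatchcase(n, pattern)):
                    yield from directives(files, name, depth + 1)
            continue
        yield path, lineno, keyword, args


def match_line(args, ci):
    """Evaluate a Match line against connection info ci (dict, or None
    for sshd -T without -C). All criteria must hold."""
    if len(args) == 1 and args[0].lower() == "all":
        return True
    if not args or len(args) % 2:
        raise ValueError("Match needs criterion/value pairs: %r" % (args,))
    ok = True
    for crit, values in zip(args[::2], args[1::2]):
        crit = crit.lower()
        if crit == "all":
            raise ValueError("'all' cannot be combined with other criteria")
        if ci is None:           # no connection info: the block cannot match
            ok = False
            continue
        if crit not in ci:       # sshd -T is fatal here; mirror that
            raise ValueError("'Match %s' used but no %s in test spec" % (crit, crit))
        if not any(fnmatch.fnmatchcase(ci[crit], p) for p in values.split(",")):
            ok = False
    return ok


def resolve(files, path, ci=None):
    """Return {keyword: args} as sshd -T would report for connection info ci;
    ci={'user': 'foouser'} mirrors -Cuser=foouser."""
    global_vals, match_vals = {}, {}
    in_match = active = False
    for _file, _lineno, keyword, args in directives(files, path):
        if keyword == "match":
            in_match, active = True, match_line(args, ci)
        elif not in_match:
            global_vals.setdefault(keyword, args)   # first global value wins
        elif active:
            match_vals.setdefault(keyword, args)    # first matching block wins
    return {**global_vals, **match_vals}            # Match overrides global


def report(files, path, ci=None, keys=("banner", "forcecommand")):
    """Render selected keywords the way 'sshd -T | grep' shows them."""
    resolved = resolve(files, path, ci)
    return ["%s %s" % (k, " ".join(resolved.get(k, ["none"]))) for k in keys]


if __name__ == "__main__":
    for files, root in ((TWO_FILE_CASE, "/tmp/top.conf"),
                        (DROPIN_CASE, "/etc/ssh/sshd_config")):
        print(root, "(no -C):         ", report(files, root))
        print(root, "(-Cuser=foouser):", report(files, root, {"user": "foouser"}))
```

Running it prints the "RIGHT results" from the 8.9 run for top.conf (banner /etc/motd, forcecommand forall with -Cuser=foouser; banner none without -C), and for the drop-in layout shows the Match block in the included file overriding the global Banner only for foouser. When a real sshd disagrees with this model for a given config, comparing its -T -C output against -ddd debug output, as Damien suggests, is the way to find out which rule the server is actually applying.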