openssh bugs - May 2007 - [Bug 1285] provide fallback options /etc/ssh/ssh_config

http://bugzilla.mindrot.org/show_bug.cgi?id=1285


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|no way to override SendEnv  |provide fallback options
                   |directive in                |/etc/ssh/ssh_config
                   |/etc/ssh/ssh_config         |
            Version|4.2p1                       |-current
         OS/Version|Linux                       |All
           Severity|normal                      |enhancement
                 CC|                            |djm at mindrot.org




--- Comment #1 from Damien Miller <djm at mindrot.org>  2007-05-18
09:35:10 ---
The client configuration parsing always uses the first matching option
so there are no overrides for things set in the global config. This is
intentional: as a matter of policy, the master configuration file
should be able to set options that can't be overridden.

Perhaps there should be some way for it to provide default options when
none are set in any per-user file too. I'll change this bug to an
enhancement request for this (I'm not convinced of the merits of this
idea, but it should be tracked).


-- 
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

http://bugzilla.mindrot.org/show_bug.cgi?id=1285





--- Comment #2 from Joe Wells <sllewbj at blueyonder.co.uk>  2007-05-18
14:01:00 ---
(In reply to comment #1)
> The client configuration parsing always uses the first matching option
> so there are no overrides for things set in the global config. This is
> intentional: as a matter of policy, the master configuration file
> should be able to set options that can't be overridden.
Some quick investigation reveals that the statement above is
contradicted by the documentation for ssh_config, which says:

     ssh obtains configuration data from the following sources in the
following order:
           1.   command-line options
           2.   user's configuration file (~/.ssh/config)
           3.   system-wide configuration file (/etc/ssh/ssh_config)

Notice that the per-user file is consulted _before_ the systemwide
file.

I had not noticed this before.
> Perhaps there should be some way for it to provide default options when
> none are set in any per-user file too. I'll change this bug to an
> enhancement request for this (I'm not convinced of the merits of this
> idea, but it should be tracked).
There is no need to make the systemwide file /etc/ssh/ssh_config
supply defaults.  It turns out that this is already the case.

I now realize that the problem reported in this bug has _only_ to do
with directives where multiple uses of a directive are allowed.  The
problem happens for me because multiple SendEnv directives are used,
and their effect accumulates.  Other directives that allow multiple
uses with accumulating effects are LocalForward, DynamicForward,
IdentityFile, and RemoteForward.

My earlier proposed solution therefore would not work, because
removing items from the SendEnv settings at the time the per-user file
~/.ssh/config is read would not prevent the additional SendEnv
directive in the systemwide file /etc/ssh/ssh_config from modifying
things.

I don't know what to propose, but I think there is still a flaw.

I suggest the bug title be changed to something like this:

  flaw with multiple accumulating config directives in
/etc/ssh/ssh_config 


-- 
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.