openssh bugs - Jun 2009 - [Bug 1613] New: Add the ability to store configuration in various configuration files like in a conf-sub-dir

https://bugzilla.mindrot.org/show_bug.cgi?id=1613

           Summary: Add the ability to store configuration in various
                    configuration files like in a conf-sub-dir
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: roland.wolters at credativ.de


Currently configuration for the ssh client program is stored in
/etc/ssh/ssh_config or in ~/.ssh/config.
The latter one however can grow rather large if you have a lot of
servers to manage. For the sake of manageability and clarity it makes
sense to store configurations for example for different clusters in
different config files. This is in a way comparable with most system
services which have their own /etc/$SERVICENAME/conf.d/ directories
where you can drop various configuration files.

The ssh-client configuration is not capable of such a behaviour. You
can store the config in the single configuration file only. There is no
way of including further files or a directory with more configuration
files.

A workaround is to create files like
~/.ssh/config.d/cluster1.conf
~/.ssh/config.d/cluster2.conf
~/.ssh/config.d/cluster3.conf
and merge them at every change via
cat ~/.ssh/config.d/*.conf > ~/.ssh/config
This is however sub-optimal since you might forget changes you made in
config, or might forget to merge at all.

The best would be to add an "include" function to ssh to auto-search
for configuration in the file ~/.ssh/config as well as for files of the
type ~/.ssh/config.d/*.conf. That would make the management of
configurations much easier.

Security:
Adding additional config files means adding further points where the
client can be mis-configured.
However, if the merge is implemented correctly there should be no
difference for ssh-client between several conf files or one single
file. Also, several distributed files can be managed and reviewed much
easier, so the security might even be improved.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1613

Jan Vansteenkiste <jan at vstone.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jan at vstone.eu

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.