openssh bugs - Sep 2017 - [Bug 2774] New: Add a InheritConfig option for host stanzas

https://bugzilla.mindrot.org/show_bug.cgi?id=2774

            Bug ID: 2774
           Summary: Add a InheritConfig option for host stanzas
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: imoverclocked at gmail.com

Today, ssh_config allows a user to bring in different configuration
snippets and selectively override settings per Host configuration
sections. Sometimes, a user will have several different sources of
configuration suggestions which, when poorly suggested, can lead to
unwanted behavior.

Example Suggestion 1:

Place the following snippet in your ~/.ssh/config file:

---
Host *.foo.example.com
  ForwardAgent no
---

Example (poor) Suggestion 2:

Place the following snippet at the top of your ~/.ssh/config file:

---
ForwardAgent yes
---

Now the user has unwittingly fixed one problem by breaking a perviously
good security decision for a class of nodes.

It would be nice if Suggestion 1 could be re-written to ensure that
*.foo.example.com will never have ForwardAgent yes:

---
Host *.foo.example.com
  InheritConfig no
  ForwardAgent no
---

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2774

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Something like this would be nice but it's infeasible with the current
configuration parser. If we ever move to a parser that captures a
syntax tree of the configuration rather than the current immediate-mode
implementation then we would definitely consider this.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2774

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.