bugzilla-daemon at bugzilla.mindrot.org
2019-Sep-19 21:07 UTC
[Bug 3072] New: Some options ignored in Host specifications in ssh_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3072

            Bug ID: 3072
           Summary: Some options ignored in Host specifications in ssh_config
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jaak+mindrot at ristioja.ee

Given ssh_config files like:

    MACs hmac-sha1
    Host somehost
        MACs +hmac-md5

The MACs +hmac-md5 line is ignored when using "ssh somehost".
"ssh -o MACs=hmac-md5 somehost" seems to work just fine.

The source code at readconf.c seems to contain:

    case oMacs:
        arg = strdelim(&s);
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
            fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
                filename, linenum, arg ? arg : "<NONE>");
        if (*activep && options->macs == NULL)
            options->macs = xstrdup(arg);
        break;

Which seems to mean that if options->macs is already set, the MACs line
under "Host somehost" is ignored. Looking at the source code a number of
other options seem to be ignored similarly as well.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Sep-19 22:12 UTC
[Bug 3072] Some options ignored in Host specifications in ssh_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3072

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Yes that's how it works. Quoting the first paragraph of ssh_config(5):

    For each parameter, the first obtained value will be used. The
    configuration files contain sections separated by Host specifications,
    and that section is only applied for hosts that match one of the
    patterns given in the specification.

In the context of MACs (and a few other things like Ciphers), "+thing" is
a value that means "append this to the default list", and it was added so
that there was a way to enable things like hmac-md5 where a host required
it in a way that wouldn't disable future better options.

You can set defaults by putting them at the end of the file after "Host *":

    Host somehost
        MACs +hmac-md5

    Host *
        MACs hmac-sha1
bugzilla-daemon at bugzilla.mindrot.org
2019-Sep-21 08:30 UTC
[Bug 3072] Some options silently ignored in Host specifications in ssh_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3072

Jaak Ristioja <jaak+mindrot at ristioja.ee> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
            Summary|Some options ignored in     |Some options silently
                   |Host specifications in      |ignored in Host
                   |ssh_config                  |specifications in
                   |                            |ssh_config
             Status|NEW                         |RESOLVED

--- Comment #2 from Jaak Ristioja <jaak+mindrot at ristioja.ee> ---
Thank you! Your suggestion seems to work. :)

It seems that I missed what the ssh_config man page says in the beginning:

    For each parameter, the first obtained value will be used.

    /.../

    Since the first obtained value for each parameter is used, more
    host-specific declarations should be given near the beginning of the
    file, and general defaults at the end.

General defaults at the end of the file was not intuitive for me. I wish
there was a warning when the options are ignored, but given the
configuration file format it seems there is no good way to implement such
so that the change wouldn't bother anyone.
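Added example, not part of the bug thread and not OpenSSH code: a small Python resolver that applies the "first obtained value" rule from ssh_config(5) to the two layouts quoted in the thread and lists the matching lines that lose. The names resolve and host_matches are hypothetical; Match and Include are not handled, and every keyword is treated as single-valued (true for MACs, not for keywords such as IdentityFile that may be given several times).

```python
import fnmatch
import re

# Constructed from the two layouts quoted in the thread.
REPORTED = """\
MACs hmac-sha1
Host somehost
    MACs +hmac-md5
"""
SUGGESTED = """\
Host somehost
    MACs +hmac-md5
Host *
    MACs hmac-sha1
"""

def host_matches(patterns, host):
    """A Host line matches if a positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def resolve(config_text, host):
    """Return (effective, shadowed) for host; the first obtained value wins."""
    effective = {}   # keyword -> (value, line number)
    shadowed = []    # (line number, keyword, value, winning line number)
    active = True    # lines before the first Host apply to every host
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif not active:
            continue
        elif key in effective:
            shadowed.append((lineno, key, value, effective[key][1]))
        else:
            effective[key] = (value, lineno)
    return effective, shadowed
```

For somehost, resolve(REPORTED, "somehost") reports line 3 as shadowed by line 1. resolve(SUGGESTED, "somehost") also reports a shadowed line, the Host * default on line 4, which is the intended outcome in that layout.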
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 3072] Some options silently ignored in Host specifications in ssh_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3072

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle