openssh bugs - Nov 2020 - [Bug 3236] New: multiple Subsystem options in sshd_config prevent sshd from starting

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

            Bug ID: 3236
           Summary: multiple Subsystem options in sshd_config prevent sshd
                    from starting
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

All of the other configuration options are just ignored, if specified
repetitively, but Subystem will prevent sshd from starting. This is
unexpected and undocumented in manual page and something that might
become more common issue with the Include support.

I would like to suggest this option would behave same as all the
others, maybe downgrading the log level of the message.

The other option would be to document it in the manual page that the
same subsystem can not repeat (yet another exception from configuration
parsing rules).

Reproducer:

# echo "Subsystem sftp internal-sftp" >> /etc/ssh/sshd_config
(repeat if it was not there before)
# sshd -T
/etc/ssh/sshd_config line 131: Subsystem 'sftp' already defined.
# echo $?
255

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

kerminaawad at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kerminaawad at gmail.com

--- Comment #1 from kerminaawad at gmail.com ---
I just ran into this issue yesterday.

I prefer not to modify the main config so that future updates cannot
overwrite my changes, and so that the main config is always up to date.

So I used the include feature to overwrite "Subsystem sftp", however,
sshd would not start. If I had not found this bug report I would
probably not have found the issue.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

MichaIng <micha at dietpi.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |micha at dietpi.com

--- Comment #2 from MichaIng <micha at dietpi.com> ---
I faced the same issue, hence would also like to be able to override an
existing Subsystem setting in /etc/ssh/sshd_config with one in
/etc/ssh/sshd_config.d/.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

Stanislav Zidek <szidek at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |szidek at redhat.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

dirdi <bugs at dirdi.name> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugs at dirdi.name

--- Comment #3 from dirdi <bugs at dirdi.name> ---
This has also been reported downstream at the Debian bug tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998834

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

boum at live.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |boum at live.fr

--- Comment #4 from boum at live.fr ---
I ran into this issue has well and that was kinda frustrating because
it seems this is the only setting that behave like this!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
   Attachment #3591|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 3591
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3591&action=edit
Make repeated Subsystem directives non-fatal

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

Michael Yagliyan <burnsmellfactory at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |burnsmellfactory at gmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3236

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
This is fixed in OpenSSH 9.5, and you can now also override Subsystems
using Match directives

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.