bugzilla-daemon at mindrot.org
2025-Jan-30 16:54 UTC
[Bug 3782] New: Existing configs broken by baec3f7f4c60cd5aa1bb9adbeb6dfa4a172502a8
https://bugzilla.mindrot.org/show_bug.cgi?id=3782
Bug ID: 3782
Summary: Existing configs broken by baec3f7f4c60cd5aa1bb9adbeb6dfa4a172502a8
Product: Portable OpenSSH
Version: 9.9p1
Hardware: 68k
OS: Mac OS X
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jmcrawford45 at gmail.com
With the recent change to the parser for match directives, some complex
configs that were working with previous releases no longer work. Here's
a simplified example Match demonstrating a couple of the
non-backwards-compatible changes:
```
Match Host %* exec "bash -c 'test -z $INSTANCE_SSH_DISABLED &&
cmd=$(instance-lookup --port %p -f '\''instance-ssh --user %r --asg
'\'\\\'\''{{.Group}}'\'\\\'\''
'\'' %h) && eval $cmd'"
```
This no longer parses in 9.9p1 due to a lack of $ escaping and due to
an inconsistency on what types of quote escapes are allowed in both
versions. I spent a bit of time trying to get to a syntax that was both
forwards and backwards compatible, but I finally just gave up and
stuffed the command into a separate file so the Match simplifies to
e.g.
```
Match Host %* exec "bash ~/.ssh/instance-ssh.sh %p %r %h"
```
I don't know if there's a good forward fix for this as the parsers seem
to differ pretty significantly, but I just wanted to call it out as a
breaking change and give the separate script file approach as a
workaround for settings that have to support configs for older versions
as well.
--
You are receiving this mail because:
You are watching the assignee of the bug.
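One way to catch this kind of breakage before rolling out a new ssh(1) is to evaluate the config with `ssh -G`, which parses and applies the config for a host name (running any `Match exec` commands) without opening a connection. The following is an added shell example, not code from the bug report or from OpenSSH; the `instance-ssh.sh` stand-in and its rule are constructed, and it only checks that a Match line in the workaround shape parses and that a malformed one is rejected.

```shell
#!/bin/sh
# Check that an ssh_config file parses under the installed ssh(1).
# Returns 0 if the config is accepted, 1 if ssh rejects it, 2 if ssh is absent.
ssh_config_parses() {
    cfg=$1
    host=${2:-example.invalid}   # any name will do; -G never connects
    command -v ssh >/dev/null 2>&1 || return 2
    ssh -F "$cfg" -G "$host" >/dev/null 2>&1
}

# Write a constructed config in the workaround shape from the report: the
# Match exec line only calls an external script and passes %p %r %h to it.
# Prints the config path.
write_sample_config() {
    cfg=$(mktemp) || return 1
    script=$(mktemp) || return 1
    # Hypothetical stand-in for ~/.ssh/instance-ssh.sh: it receives port, user
    # and host as positional parameters and its exit status decides the match.
    # All quoting now lives inside this script, so none of it has to survive
    # the Match argument parser of either ssh version.
    cat >"$script" <<'EOF'
#!/bin/sh
port=$1 user=$2 host=$3
# Constructed rule: match unless the environment explicitly disables it.
[ -z "$INSTANCE_SSH_DISABLED" ]
EOF
    chmod +x "$script"
    printf 'Match host * exec "%s %%p %%r %%h"\n    User matched-user\n' "$script" >"$cfg"
    echo "$cfg"
}

# Write a constructed config with an unterminated quote in its Match line,
# which ssh must reject. Prints the config path.
write_broken_config() {
    cfg=$(mktemp) || return 1
    printf 'Match host * exec "bash -c '"'"'echo unterminated\n' >"$cfg"
    echo "$cfg"
}
```

Run `ssh_config_parses "$(write_sample_config)"` against each ssh version you need to support; a non-zero status points at a config that needs the external-script treatment.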
bugzilla-daemon at mindrot.org
2025-Jan-30 21:30 UTC
[Bug 3782] Existing configs broken by baec3f7f4c60cd5aa1bb9adbeb6dfa4a172502a8
https://bugzilla.mindrot.org/show_bug.cgi?id=3782
Damien Miller <djm at mindrot.org> changed:
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |RESOLVED
CC            |        |djm at mindrot.org
Resolution    |---     |WONTFIX
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Yes, unfortunately this incompatibility is an unavoidable price of
better quoting semantics.
The incompatibility and the same workaround you arrived at were
mentioned in the openssh-9.9 release notes:
> * ssh(1), sshd(8): processing of the arguments to the "Match"
> configuration directive now follows more shell-like rules for
> quoted strings, including allowing nested quotes and \-escaped
> characters. If configurations contained workarounds for the
> previous simplistic quote handling then they may need to be
> adjusted. If this is the case, it's most likely to be in the
> arguments to a "Match exec" condition. In this case, moving the
> command to be evaluated from the Match line to an external shell
> script is the easiest way to preserve compatibility with both the old
> and new versions.
We don't plan to make further changes to Match argument handling.