bugzilla-daemon at mindrot.org
2025-Jun-22 21:22 UTC
[Bug 3841] New: Configuration parser is broken
https://bugzilla.mindrot.org/show_bug.cgi?id=3841
Bug ID: 3841
Summary: Configuration parser is broken
Product: Portable OpenSSH
Version: 10.0p2
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: insideable at gmail.com
A preceding 'Host' entry prevents a subsequent 'Include' directive from
working
Version Information:
OpenSSH: OpenSSH_10.0p2 (as reported by ssh -V)
OpenSSL: OpenSSL 3.5.0 8 Apr 2025
System: Linux x86_64
Problem Description:
When any `Host` entry exists in ~/.ssh/config before an `Include`
directive, the aliases and hosts within the included files are not
recognized.
Moving the `Include` directive to be the very first line in the file
resolves the issue.
This behavior is incorrect, as a non-matching `Host` entry should not
affect the processing of subsequent directives in the configuration
file.
Steps to Reproduce:
1. Prepare the following configuration:
$ cat ~/.ssh/config.d/included.conf
Host included-example
    HostName 127.0.0.1
    User testuser
$ cat ~/.ssh/config
# This block breaks the subsequent Include
Host example
    HostName 127.0.0.1
    User admin
    Port 2222

Include ~/.ssh/config.d/*.conf
2. Attempt to connect using the alias from the included file. This will
fail.
$ ssh -vvv included-example
3. Now, edit ~/.ssh/config and move the Include directive to the top of
the file:
$ cat ~/.ssh/config
Include ~/.ssh/config.d/*.conf
Host example
    HostName 127.0.0.1
    User admin
    Port 2222
4. Attempt to connect again. This will succeed. At least the client
will try to connect to 127.0.0.1
$ ssh -vvv included-example
Expected Results:
The SSH client should successfully parse the entire configuration
regardless of the order of non-conflicting blocks. The connection
attempt in Step 2 should succeed, just as it does in Step 4. A
non-matching Host block should not prevent later directives from being
parsed and applied.
Actual Results:
The connection attempt in Step 4 fails with the error: ssh: `Could not
resolve hostname included-example.com: Name or service not known.`
The parser seems to stop or fail to correctly process the `Include`
directive if it encounters any `Host` block before it.
Workaround:
Placing the `Include` directive(s) as the very first line in
~/.ssh/config allows the configuration to be parsed correctly.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Jun-22 23:53 UTC
[Bug 3841] Configuration parser is broken
https://bugzilla.mindrot.org/show_bug.cgi?id=3841
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Vitali Falileev from comment #0)
> A preceding 'Host' entry prevents a subsequent 'Include' directive
> from working [...]
> This behavior is incorrect, as a non-matching `Host` entry should
> not affect the processing of subsequent directives in the
> configuration file.
The man page says otherwise.
> Host example
>     HostName 127.0.0.1
>     User admin
>     Port 2222
>
> Include ~/.ssh/config.d/*.conf
Your indentation makes it look like the Include is in a separate block,
but indentation is not and has never been syntactically significant.
Quoth ssh_config(5):
    Host    Restricts the following declarations (up to the next Host or
            Match keyword) to be only for those hosts that match one of the
            patterns given after the keyword.
What you wrote is equivalent to
Host example
    HostName 127.0.0.1
    User admin
    Port 2222
    Include ~/.ssh/config.d/*.conf
The behaviour of Include inside Host or Match blocks is described in
ssh_config(5):
"Include directive may appear inside a Match or Host block to
perform conditional inclusion."
> Placing the `Include` directive(s) as the very first line in
> ~/.ssh/config allows the configuration to be parsed correctly.
You can also put a "Host *" at the top of the included file to make the
Include contents apply to all hosts. Depending on how you structured
the file, it could have surprising results if you *do* want to use it
inside a Host or Match block.
bugzilla-daemon at mindrot.org
2025-Jun-23 03:56 UTC
[Bug 3841] Configuration parser is broken
https://bugzilla.mindrot.org/show_bug.cgi?id=3841
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Everything Darren said is correct, this is very much working as
intended and documented.
I'd just add that the way to do what you want is to add another Match
block before the include, e.g.:
> Host example
> HostName 127.0.0.1
> User admin
> Port 2222
>
> Match any
> Include ~/.ssh/config.d/*.conf
Will do what you want.
bugzilla-daemon at mindrot.org
2025-Jun-26 06:43 UTC
[Bug 3841] Configuration parser is broken
https://bugzilla.mindrot.org/show_bug.cgi?id=3841
--- Comment #3 from Vitali Falileev <insideable at gmail.com> ---
Just to be honest:
> Match all
> Include ~/.ssh/config.d/*.conf
works. Thanks!
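A simplified model of the block-scoping rule discussed in this thread, added here as an illustration; it is not OpenSSH code and not from any participant. The function names and the in-memory `files` mapping are assumptions, and only `Host`, `Match all` and `Include` are modelled, using the configuration from comment #0.

```python
from fnmatch import fnmatchcase

def host_matches(patterns, host):
    """Pattern-list rule: a negated match vetoes, otherwise any positive match wins."""
    hit = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatchcase(host, p[1:]):
                return False
        elif fnmatchcase(host, p):
            hit = True
    return hit

def resolve(files, path, host, opts=None, never_match=False):
    """Apply files[path] for `host`; the first value obtained for a keyword wins."""
    opts = {} if opts is None else opts
    active = not never_match      # lines before any Host/Match apply to all hosts
    for raw in files[path].splitlines():
        line = raw.strip()        # indentation is not syntactically significant
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "host":         # opens a new block, closing the previous one
            active = not never_match and host_matches(args, host)
        elif key == "match":      # only "Match all" is modelled here
            active = not never_match and args == ["all"]
        elif key == "include":
            # An Include belongs to the enclosing block: inside a block that
            # does not match, nothing in the included files can match either.
            for name in sorted(files):
                if name != path and fnmatchcase(name, args[0]):
                    resolve(files, name, host, opts, never_match=not active)
        elif active:
            opts.setdefault(key, " ".join(args))
    return opts

# Constructed in-memory copies of the files from comment #0.
INCLUDED = "Host included-example\n    HostName 127.0.0.1\n    User testuser\n"
HOST_BLOCK = "Host example\n    HostName 127.0.0.1\n    User admin\n    Port 2222\n"
INCLUDE = "Include ~/.ssh/config.d/*.conf\n"

def lookup(main, host):
    """Resolve `host` against a main config text plus the included file."""
    files = {"~/.ssh/config": main, "~/.ssh/config.d/included.conf": INCLUDED}
    return resolve(files, "~/.ssh/config", host)
```

On a real system, `ssh -G included-example` prints the configuration the client actually resolves for that alias, which is the quickest way to confirm which block an `Include` ended up in.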