Alexis Horgix Chotard
2017-Mar-20 13:39 UTC
[Doc] Extension of Included configuration files
Hello,

2017-03-20 14:26 GMT+01:00 Nico Kadel-Garcia <nkadel at gmail.com>:
> I'm against it being on by default. Not because "include" files are
> not an interesting idea, but because it could be prone to incompatible
> abuse by other add-on packages after OpenSSH is installed, and because
> the sequential activation of included files can lead to erratic
> behavior when an individual file is added alphabetically ahead of
> another included file which is no longer being successfully parsed due
> to the first file. (Been there, done that with /etc/sudoers.d and
> /etc/profile.d.)

It is for this reason that my original proposal was only to include a
SHOULD mention in the manpage, like "Included files should go in an
ssh_config.d directory in order to be detected as such by external
tools".

Would that make more sense to you? If not, do you have any suggestion
regarding the original problem of detecting ssh configuration files,
now that any file can be included?

-- 
Alexis 'Horgix' Chotard
On Mon, Mar 20, 2017 at 9:39 AM, Alexis Horgix Chotard <alexis.horgix.chotard at gmail.com> wrote:
> Hello,
>
> 2017-03-20 14:26 GMT+01:00 Nico Kadel-Garcia <nkadel at gmail.com>:
>> I'm against it being on by default. Not because "include" files are
>> not an interesting idea, but because it could be prone to incompatible
>> abuse by other add-on packages after OpenSSH is installed, and because
>> the sequential activation of included files can lead to erratic
>> behavior when an individual file is added alphabetically ahead of
>> another included file which is no longer being successfully parsed due
>> to the first file. (Been there, done that with /etc/sudoers.d and
>> /etc/profile.d.)
>
> It is for this reason that my original proposal was only to include a
> SHOULD mention in the manpage, like "Included files should go in an
> ssh_config.d directory in order to be detected as such by external
> tools".

"Should" is better. "Should", protected from casual user replacement, is
even better, but that can be a religious issue.

> Would that make more sense to you? If not, do you have any suggestion
> regarding the original problem of detecting ssh configuration files,
> now that any file can be included?

Not really. Pre-vetting them for parseability will slow down SSH
connections, perhaps not by much, but potentially significantly for a
system where disk access is having some difficulty.
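The detection problem Alexis raises (finding every file ssh will actually read, now that Include can pull in any path) can be solved by an external tool that walks Include directives the same way ssh's readconf.c does, without any help from a naming convention. The following is an added example for this thread, not code from the thread or from OpenSSH. It assumes the ssh_config(5) rules for Include: an argument that does not start with / or ~ is taken relative to ~/.ssh for a user configuration (or /etc/ssh for the system one), glob patterns are expanded in lexical order, and patterns that match nothing are skipped silently. The function names and the throwaway configuration tree built by build_demo_tree are this example's own inventions (constructed sample data, not a real configuration).

```python
import glob
import os
import shlex
import tempfile
from pathlib import Path


def include_base(scope):
    """Directory against which relative Include arguments are resolved.
    ssh_config(5): ~/.ssh for a user configuration, /etc/ssh for the
    system-wide one."""
    return Path.home() / ".ssh" if scope == "user" else Path("/etc/ssh")


def parse_directive(line):
    """Split one ssh_config line into (keyword, [args]); None for blank or
    comment lines. Accepts both 'Keyword value' and 'Keyword=value'."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)
    except ValueError:  # unbalanced quotes: nothing we can follow
        return None
    if not tokens:
        return None
    keyword, args = tokens[0], tokens[1:]
    if "=" in keyword:
        keyword, value = keyword.split("=", 1)
        if value:
            args.insert(0, value)
    return keyword, args


def resolve_config_files(path, scope="user", base=None, seen=None):
    """Return the files ssh would read starting at `path`, in read order,
    following Include directives recursively.

    `base` overrides the scope-derived directory (the demo uses it so it
    never touches the real ~/.ssh). Missing files and unmatched globs are
    skipped silently, as ssh does; a file seen twice is skipped to stop
    include loops (ssh enforces a maximum nesting depth instead)."""
    path = Path(path)
    base = Path(base) if base is not None else include_base(scope)
    seen = set() if seen is None else seen
    found = []
    if not path.is_file():
        return found
    real = path.resolve()
    if real in seen:
        return found
    seen.add(real)
    found.append(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parsed = parse_directive(line)
            if parsed is None or parsed[0].lower() != "include":
                continue
            for pattern in parsed[1]:
                # Prefix the base directory unless the argument is absolute
                # or tilde-relative, then expand ~ (glob with GLOB_TILDE).
                if not pattern.startswith(("/", "~")):
                    pattern = str(base / pattern)
                pattern = os.path.expanduser(pattern)
                # glob(3) returns sorted matches; Python's glob does not,
                # so sort to reproduce the lexical order the thread is
                # worried about (10-a before 20-b).
                for match in sorted(glob.glob(pattern)):
                    found.extend(resolve_config_files(match, scope, base, seen))
    return found


def build_demo_tree():
    """Build a throwaway ~/.ssh-like tree of constructed sample files and
    return (root, resolved file names relative to root)."""
    root = Path(tempfile.mkdtemp(prefix="sshcfg-demo-"))
    (root / "conf.d").mkdir()
    (root / "config").write_text(
        "Host *\n"
        "  ServerAliveInterval 30\n"
        "Include conf.d/*.conf\n"        # glob, read in lexical order
        "Include nonexistent-*.conf\n"   # no match: silently ignored
    )
    (root / "conf.d" / "10-work.conf").write_text(
        "Host work\n  HostName work.example\n")
    (root / "conf.d" / "20-home.conf").write_text(
        "Host home\n  HostName home.example\n"
        # relative to the base dir, NOT to conf.d/ where this file lives
        "Include extra.conf\n")
    (root / "extra.conf").write_text("Include config\n")  # include loop
    files = resolve_config_files(root / "config", base=root)
    return root, [p.relative_to(root).as_posix() for p in files]


if __name__ == "__main__":
    root, names = build_demo_tree()
    print("base:", root)
    for name in names:
        print("  reads", name)
```

Run against a real account with resolve_config_files(Path.home() / ".ssh" / "config") (or /etc/ssh/ssh_config with scope="system") it lists exactly what ssh will load, in order, so a package or audit tool can detect included files wherever they live rather than relying on a ssh_config.d convention. It reads each file once, so it is not the per-connection pre-vetting Nico is concerned about.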
Hello,

AFAIK an Include feature was added for ssh_config. I want to add this
option to sshd_config as well. I am thinking about a local patch (I am
not sure this would be required for upstream). The code for the Include
option in readconf.c doesn't look very specific. Is there some reason
why this wasn't introduced for sshd_config as well? Maybe someone
already has a patch for this feature? It would be great, because I am a
pretty awful C programmer.