On Fri, 7 Apr 2017, Jakub Jelen wrote:

> On 04/07/2017 11:54 AM, navern wrote:
> > Hello,
> >
> > Afaik there was added Include feature for ssh_config. I want to add this
> > option to sshd_config as well. I think about a local patch (I am not sure
> > this will be required for upstream).
> >
> > Code for the Include option in readconf.c doesn't look very specific. Is
> > there some reason why this wasn't introduced for sshd_config as well?
> >
> > Maybe someone already has a patch for this feature? It would be great
> > because I am a pretty awful C programmer.
>
> This is already implemented in the following bugzilla:
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2468
>
> The code gets a little bit more complicated because of the requirement to re-read
> the configuration for every incoming connection. Giving a test and comments
> would be very appreciated.

I'll update the bug, but IMO re-reading config at runtime is a significant
behaviour change and is probably unacceptable. We go through some hassle
wrt re-execution to ensure that the configuration sshd is started with is
the one that it.

To do otherwise is IMO inviting surprise and trouble for administrators.

-d
On 04/24/2017 11:58 AM, Damien Miller wrote:

> On Fri, 7 Apr 2017, Jakub Jelen wrote:
>
>> On 04/07/2017 11:54 AM, navern wrote:
>>> Hello,
>>>
>>> Afaik there was added Include feature for ssh_config. I want to add this
>>> option to sshd_config as well. I think about a local patch (I am not sure
>>> this will be required for upstream).
>>>
>>> Code for the Include option in readconf.c doesn't look very specific. Is
>>> there some reason why this wasn't introduced for sshd_config as well?
>>>
>>> Maybe someone already has a patch for this feature? It would be great
>>> because I am a pretty awful C programmer.
>>
>> This is already implemented in the following bugzilla:
>>
>> https://bugzilla.mindrot.org/show_bug.cgi?id=2468
>>
>> The code gets a little bit more complicated because of the requirement to re-read
>> the configuration for every incoming connection. Giving a test and comments
>> would be very appreciated.
>
> I'll update the bug, but IMO re-reading config at runtime is a significant
> behaviour change and is probably unacceptable. We go through some hassle
> wrt re-execution to ensure that the configuration sshd is started with is
> the one that it.
>
> To do otherwise is IMO inviting surprise and trouble for administrators.

That was just wrongly worded. The configuration file is not re-read from the
filesystem with every connection, but I meant the need to re-parse the file
for every connection (which does not exist for the client config).

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
On Mon, 24 Apr 2017, Jakub Jelen wrote:

> > I'll update the bug, but IMO re-reading config at runtime is a significant
> > behaviour change and is probably unacceptable. We go through some hassle
> > wrt re-execution to ensure that the configuration sshd is started with is
> > the one that it.
> >
> > To do otherwise is IMO inviting surprise and trouble for administrators.
>
> That was just wrongly worded. The configuration file is not re-read from the
> filesystem with every connection, but I meant the need to re-parse the file
> for every connection (which does not exist for the client config).

oh, ok - I withdraw that objection then :)