On Fri, 4 Mar 2022, M Rubon wrote:
> I have a customized sshd_config file which I had previously just
> copied into /etc/ssh on an Ubuntu server. On a new machine I thought
> I might try being better behaved and instead copied my config in
> sshd_config.d/sshd_config.conf
>
> So it kind of works. The non-conditional config is correctly used
> when I restart sshd. But config within a "Match User" seems to be parsed
> and then silently ignored
>
> Match User foouser
> Banner /tmp/specialtestbanner # this banner file is weirdly NOT output
> # When uncommented this garbage line generates an error, so is being parsed
>
> Everything works perfectly if I copy my sshd_config.d/sshd_config.conf
> over top of /etc/ssh/sshd_config (so no include is being done).
>
> Testing done on OpenSSH_8.2p1. I don't see any man page caveats about
> nesting Match within Include. I can try reproducing on a modern
> OpenSSH next week if that is useful to anyone.

I'm not aware of any bugs in 8.2 that would cause this, but a reproduction
with the current version would help. Also a full debug log from a server
accepting a connection that matches the criteria.

You can also use the -T/-C flags to test evaluation of the config, e.g.

$ cat > /tmp/conf << _EOF
Match user foouser
Banner /etc/motd
_EOF
$ sudo /usr/sbin/sshd -f /tmp/conf -T | grep banner
banner none
$ sudo /usr/sbin/sshd -f /tmp/conf -T -Cuser=foouser | grep banner
banner /etc/motd

You can also turn up the debugging in the config test mode to see what is
happening by adding '-ddd' to the flags.

Hope this helps

-d