Bug 907068 - net-misc/openssh-9.3_p1-r1: Match-blocks expand into new conf.d style Include subdirs
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo's Team for Core System packages
Reported: 2023-05-24 11:43 UTC by Timo Rothenpieler
Modified: 2024-06-10 16:37 UTC
CC List: 3 users
Description Timo Rothenpieler 2023-05-24 11:43:17 UTC
The new Include-Directive is placed at the very end of the sshd_config by the openssh ebuild.
Directly before it is the example for "Match"-Blocks.

The problem with this is that those Match-Blocks continue on into the Include files.
One of the two default Gentoo supplied files in there contains the UsePAM directive. Specifically that directive is not allowed in Match-Blocks, causing sshd to fail to start up.
And besides that, this could end up moving a bunch of directives which are intended to be global into the scope of whatever Match-Block happens to be last.

I have not checked if the client side config is affected by the same issue, but I'd guess it is.

There is sadly no way to "Stop Matching", so the only way is to move the Include-Part before the Match-Example in the sample config.
And maybe add a comment telling users to ensure not to put Match-Blocks before it.
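The scope leak described in this report can be checked mechanically. The following is an added example, not code from the bug report or from the Gentoo ebuild: a small Python checker that walks an sshd_config-style file, tracks the open Match block (or, for client configs, Host block), and flags any Include directive and any UsePAM setting that lands inside that scope. The drop-in file name and its contents are constructed, and the set of Match-forbidden directives contains only UsePAM, the one the report names.

```python
import fnmatch
import re

# Directives sshd rejects inside a Match block. Only UsePAM, which the bug
# report names, is listed; the real set is larger (assumption: not exhaustive).
GLOBAL_ONLY = {"usepam"}

def parse_lines(text):
    """Yield (keyword, argument) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")

def check_config(main_text, drop_ins, block_keywords=("Match",), source="sshd_config"):
    """Return findings for Includes and global-only directives that fall inside
    a conditional block. drop_ins maps path -> content and stands in for the
    files an Include glob would read from disk. Use block_keywords=("Match",
    "Host") for ssh_config-style client files, where Host also opens a block."""
    findings, scope = [], None
    blocks = {k.lower() for k in block_keywords}

    def walk(text, where):
        nonlocal scope
        for key, arg in parse_lines(text):
            if key.lower() in blocks:
                scope = f"{key} {arg}"          # a block stays open until the next one
            elif key.lower() == "include":
                if scope is not None:
                    findings.append(f"{where}: Include {arg} is inside '{scope}'")
                for path in sorted(p for p in drop_ins if fnmatch.fnmatch(p, arg)):
                    walk(drop_ins[path], path)   # included text inherits the open scope
            elif key.lower() in GLOBAL_ONLY and scope is not None:
                findings.append(f"{where}: {key} is not allowed inside '{scope}'")

    walk(main_text, source)
    return findings

# Constructed samples: the layout the report describes (Include placed after
# the Match example) and the corrected order. File name and contents are made up.
DROP_INS = {"/etc/ssh/sshd_config.d/10-example.conf": "UsePAM yes\nPrintMotd no\n"}
BROKEN = "Port 22\nMatch User anoncvs\n\tX11Forwarding no\nInclude /etc/ssh/sshd_config.d/*.conf\n"
FIXED = "Port 22\nInclude /etc/ssh/sshd_config.d/*.conf\nMatch User anoncvs\n\tX11Forwarding no\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_config(text, DROP_INS) or ["ok"])
```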
Comment 1 Larry the Git Cow gentoo-dev 2024-06-10 16:37:15 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=839c2c622c0a175ecbbfab904c6066708a4d48c5

commit 839c2c622c0a175ecbbfab904c6066708a4d48c5
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2024-06-10 16:35:58 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2024-06-10 16:35:58 +0000

    net-misc/openssh*: Use patch to fix Include and move Subsystem config
    
    - Put the Include option before options that introduce conditional
      blocks to avoid having the drop-in files included conditionally.
      For client configs the options that introduce such blocks are the
      Match and Host options; for daemon configs it is the Match option.
    
    - Move the Subsystem option out of the top-level daemon config into a
      separate drop-in. That way we can add the drop-in into INSTALL_MASK
      if we want to provide a custom drop-in with different settings for
      subsystems. This is necessary as there is no way to override a
      once-specified subsystem - doing so results in the daemon printing
      an error and quitting.
    
    Closes: https://bugs.gentoo.org/907068
    Closes: https://github.com/gentoo/gentoo/pull/31615
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 .../files/openssh-9.7_p1-config-tweaks.patch       |  27 ++
 .../openssh-contrib-9.7_p1-r2.ebuild               | 524 +++++++++++++++++++++
 .../files/openssh-9.7_p1-config-tweaks.patch       |  27 ++
 net-misc/openssh/openssh-9.7_p1-r4.ebuild          | 398 ++++++++++++++++
 4 files changed, 976 insertions(+)