Bug 907068 - net-misc/openssh-9.3_p1-r1: Match-blocks expand into new conf.d style Include subdirs
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo's Team for Core System packages
Keywords: PullRequest
Reported: 2023-05-24 11:43 UTC by Timo Rothenpieler
Modified: 2023-11-21 22:15 UTC


Description Timo Rothenpieler 2023-05-24 11:43:17 UTC
The new Include-Directive is placed at the very end of the sshd_config by the openssh ebuild.
Directly before it is the example for "Match"-Blocks.

The problem with this is that those Match-Blocks continue on into the Include files.
One of the two default Gentoo supplied files in there contains the UsePAM directive. Specifically that directive is not allowed in Match-Blocks, causing sshd to fail to start up.
And besides that, this could end up moving a bunch of directives which are intended to be global into the scope of whatever Match-Block happens to be last.

I have not checked if the client side config is affected by the same issue, but I'd guess it is.

There is sadly no way to "Stop Matching", so the only way is to move the Include-Part before the Match-Example in the sample config.
And maybe add a comment telling users to ensure not to put Match-Blocks before it.
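
Added example, not part of the original report and not Gentoo or OpenSSH code: a small lint that flags an Include directive placed after a Match line in an sshd_config, and notes when the included text sets UsePAM, the directive the report names as not allowed in a Match block. The Include path and the sample configs are constructed placeholders, and the `included` mapping stands in for reading the drop-in files from disk.

```python
import re

# Keyword the report names as not allowed inside a Match block.
GLOBAL_ONLY = {"usepam"}

def directives(text):
    """Yield (line_no, lowercased keyword, args) for each active config line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            # sshd_config keywords are case-insensitive; args follow whitespace or '='.
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            yield no, parts[0].lower(), parts[1] if len(parts) > 1 else ""

def lint(main_text, included):
    """Report Includes that follow a Match line, and global-only keywords they pull in.

    `included` maps an Include argument to the text of the file(s) it names
    (an assumption that keeps the example offline; a real check would expand the glob).
    """
    findings, match_at = [], None
    for no, kw, args in directives(main_text):
        if kw == "match":
            match_at = no  # a Match block runs until the next Match line or end of file
        elif kw == "include" and match_at is not None:
            findings.append(f"line {no}: Include {args} is inside the Match block opened on line {match_at}")
            for _, sub_kw, _ in directives(included.get(args, "")):
                if sub_kw in GLOBAL_ONLY:
                    findings.append(f"line {no}: included file sets {sub_kw}, not allowed in a Match block")
    return findings

# Constructed samples; the path is a placeholder, not taken from the ebuild.
DROPIN = {"/etc/ssh/sshd_config.d/*.conf": "UsePAM yes\nPrintMotd no\n"}
BAD = ("PasswordAuthentication no\nMatch User anoncvs\n\tX11Forwarding no\n"
       "Include /etc/ssh/sshd_config.d/*.conf\n")
GOOD = ("Include /etc/ssh/sshd_config.d/*.conf\nPasswordAuthentication no\n"
        "Match User anoncvs\n\tX11Forwarding no\n")

if __name__ == "__main__":
    for name, text in (("bad", BAD), ("good", GOOD)):
        print(name, lint(text, DROPIN) or "ok")
```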