
Bug 907068

Summary: net-misc/openssh-9.3_p1-r1: Match-blocks expand into new conf.d style Include subdirs
Product: Gentoo Linux Reporter: Timo Rothenpieler <timo>
Component: Current packages Assignee: Gentoo's Team for Core System packages <base-system>
Status: CONFIRMED ---    
Severity: major CC: bugzilla, kfm, sam
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/31615
Whiteboard:
Package list:
Runtime testing required: ---

Description Timo Rothenpieler 2023-05-24 11:43:17 UTC
The new Include-Directive is placed at the very end of the sshd_config by the openssh ebuild.
Directly before it is the example for "Match"-Blocks.

The problem with this is that those Match-Blocks continue on into the Include files.
One of the two default Gentoo supplied files in there contains the UsePAM directive. Specifically that directive is not allowed in Match-Blocks, causing sshd to fail to start up.
And besides that, this could end up moving a bunch of directives which are intended to be global into the scope of whatever Match-Block happens to be last.

I have not checked if the client side config is affected by the same issue, but I'd guess it is.

There is sadly no way to "Stop Matching", so the only way is to move the Include-Part before the Match-Example in the sample config.
And maybe add a comment telling users to ensure not to put Match-Blocks before it.
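
A check for the ordering problem described in this report, added here as an example (it is not part of the bug report or of the openssh ebuild): it flags every Include that appears after a Match line and lists the directives the included files would pull into that block. The config text, the `/etc/ssh/sshd_config.d/` path and the file name are constructed samples, and `scoped_includes` is a hypothetical helper name.

```python
import fnmatch
import re

def parse(text):
    """Yield (line_no, lowercased keyword, argument string) per directive."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and arguments are separated by whitespace or a single '='
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        yield no, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""

def scoped_includes(main_text, included_files):
    """Report every Include that falls inside a Match block.

    included_files maps path -> contents (stands in for reading the disk).
    Returns (line_no, include_argument, match_criteria, pulled_in_keywords).
    """
    findings = []
    current_match = None  # None while still in the global section
    for no, key, arg in parse(main_text):
        if key == "match":
            current_match = arg  # block runs until the next Match or EOF
        elif key == "include" and current_match is not None:
            pulled = [k for path in sorted(included_files)
                      if any(fnmatch.fnmatchcase(path, p) for p in arg.split())
                      for _, k, _ in parse(included_files[path])]
            findings.append((no, arg, current_match, pulled))
    return findings

# Constructed sample input: paths and file names are placeholders.
INCLUDED = {"/etc/ssh/sshd_config.d/example-pam.conf": "UsePAM yes\n"}
BROKEN = """\
X11Forwarding yes
Match User anoncvs
    X11Forwarding no
Include /etc/ssh/sshd_config.d/*.conf
"""
FIXED = """\
Include /etc/ssh/sshd_config.d/*.conf
X11Forwarding yes
Match User anoncvs
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, scoped_includes(text, INCLUDED))
```
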