Bug 2774

Summary: Add an InheritConfig option for host stanzas
Product: Portable OpenSSH
Reporter: imoverclocked
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: security
CC: djm
Priority: P5
Version: -current
Hardware: All
OS: All

Description imoverclocked 2017-09-07 08:46:58 AEST
Today, ssh_config allows a user to bring in different configuration snippets and selectively override settings per Host configuration sections. Sometimes, a user will have several different sources of configuration suggestions which, when poorly suggested, can lead to unwanted behavior.

Example Suggestion 1:

Place the following snippet in your ~/.ssh/config file:

---
Host *.foo.example.com
  ForwardAgent no
---

Example (poor) Suggestion 2:

Place the following snippet at the top of your ~/.ssh/config file:

---
ForwardAgent yes
---

Now the user has unwittingly fixed one problem by breaking a previously good security decision for a class of nodes.

It would be nice if Suggestion 1 could be re-written to ensure that *.foo.example.com will never have ForwardAgent yes:

---
Host *.foo.example.com
  InheritConfig no
  ForwardAgent no
---
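The precedence problem described in the report, as an added example that is not part of the original bug or of OpenSSH: a small model of ssh_config's "first obtained value wins" rule, run over the two suggested snippets in both orders. It assumes a simplified ssh_config (Host lines with glob patterns, `Key Value` directives, whole-line `#` comments) and does not model Match, Include or other directives.

```python
# Added example: a model of ssh_config's first-obtained-value-wins rule, not
# OpenSSH code. Assumes a simplified ssh_config: 'Host' lines with glob
# patterns (a leading '!' negates), 'Key Value' lines, whole-line '#' comments.
from fnmatch import fnmatchcase


def host_matches(hostname, patterns):
    """Host semantics: some positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            positive = True
    return positive


def effective_config(text, hostname):
    """Options that apply to hostname. As in ssh(1), the FIRST value seen for
    an option wins; later declarations for it are silently ignored."""
    effective = {}
    active = True  # directives before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            active = host_matches(hostname, value.split())
        elif active and key not in effective:
            effective[key] = value.strip()
    return effective


# Constructed configs reproducing the report: suggestion 2 placed at the top
# silently defeats suggestion 1, while putting the Host stanza first does not.
UNSAFE_ORDER = """
ForwardAgent yes
Host *.foo.example.com
  ForwardAgent no
"""
SAFE_ORDER = """
Host *.foo.example.com
  ForwardAgent no
Host *
  ForwardAgent yes
"""
```

Against a real configuration, `ssh -G db1.foo.example.com` prints the options ssh would actually use after evaluating Host and Match blocks, which is the quickest way to check that a host-specific stanza has not been overridden by an earlier global setting.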
Comment 1 Damien Miller 2019-07-19 15:41:23 AEST
Something like this would be nice but it's infeasible with the current configuration parser. If we ever move to a parser that captures a syntax tree of the configuration rather than the current immediate-mode implementation then we would definitely consider this.
Comment 2 Damien Miller 2021-03-04 09:52:46 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle