Bug 3236

Summary: multiple Subsystem options in sshd_config prevent sshd from starting
Product: Portable OpenSSH
Reporter: Jakub Jelen <jjelen>
Component: sshd
Assignee: Damien Miller <djm>
Status: NEW ---
Severity: enhancement
CC: boum, bugs, djm, dtucker, kerminaawad, micha, szidek
Priority: P5    
Version: 8.4p1   
Hardware: Other   
OS: Linux   
Attachments:
Description: Make repeated Subsystem directives non-fatal
Flags: djm: ok? (dtucker)

Description Jakub Jelen 2020-11-30 19:16:11 AEDT
All of the other configuration options are just ignored, if specified repetitively, but Subsystem will prevent sshd from starting. This is unexpected and undocumented in the manual page and something that might become a more common issue with the Include support.

I would like to suggest this option would behave the same as all the others, maybe downgrading the log level of the message.

The other option would be to document it in the manual page that the same subsystem can not repeat (yet another exception from configuration parsing rules).

Reproducer:

# echo "Subsystem sftp internal-sftp" >> /etc/ssh/sshd_config
(repeat if it was not there before)
# sshd -T
/etc/ssh/sshd_config line 131: Subsystem 'sftp' already defined.
# echo $?
255
Comment 1 kerminaawad 2021-01-06 00:16:10 AEDT
I just ran into this issue yesterday.

I prefer not to modify the main config so that future updates cannot overwrite my changes, and so that the main config is always up to date.

So I used the include feature to overwrite "Subsystem sftp"; however, sshd would not start. If I had not found this bug report I would probably not have found the issue.
Comment 2 MichaIng 2022-02-27 04:22:45 AEDT
I faced the same issue, hence would also like to be able to override an existing Subsystem setting in /etc/ssh/sshd_config with one in /etc/ssh/sshd_config.d/.
Comment 3 dirdi 2022-03-13 23:16:43 AEDT
This has also been reported downstream at the Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998834
Comment 4 CB 2022-05-06 22:41:50 AEST
I ran into this issue as well and that was kinda frustrating because it seems this is the only setting that behaves like this!
Comment 5 Damien Miller 2022-05-09 09:48:07 AEST
Created attachment 3591
Make repeated Subsystem directives non-fatal