Bug 3502

Summary: Include directives are processed regardless of the parent Match result
Product: Portable OpenSSH Reporter: Alin <alinmesser>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: normal CC: alinmesser, djm
Priority: P5    
Version: 9.1p1   
Hardware: ARM64   
OS: Mac OS X   

Description Alin 2022-11-16 19:58:34 AEDT 
When adding Include directives within Match blocks they are carried out regardless of whether the match is successful or not.

Sample ~/.ssh/config:
# Host *
#    SendEnv LANG LC_*
#    StrictHostKeyChecking no
#    UserKnownHostsFile /dev/null
#    LogLevel=ERROR
#    AddressFamily inet
#    ServerAliveInterval 100
#    CheckHostIP no
#    User root
#
# Match all

Match localuser myuser exec "[ true = false ]"
    Include file1
Match localuser !myuser exec "[ true = false ]"
    Include file2
...

Steps to reproduce:
myuser@thishost $ ssh -vvv myhost
OpenSSH_9.1p1, OpenSSL 1.1.1s  1 Nov 2022
debug1: Reading configuration data /Users/myuser/.ssh/config
debug2: checking match for 'localuser myuser exec "[ true = false ]"' host myhost originally myhost
debug3: /Users/myuser/.ssh/config line 13: matched 'localuser "myuser"'
debug1: Executing command: '[ true = false ]'
debug3: command returned status 1
debug3: /Users/myuser/.ssh/config line 13: not matched 'exec "[ true = false ]"'
debug2: match not found
debug3: /Users/myuser/.ssh/config line 14: Including file /Users/myuser/.ssh/file1 depth 0 (parse only)
debug2: checking match for 'localuser !myuser exec "[ true = false ]"' host myhost originally myhost
debug3: /Users/myuser/.ssh/config line 15: not matched 'localuser "myuser"'
debug3: /Users/myuser/.ssh/config line 15: skipped exec "[ true = false ]"
debug2: match not found
debug3: /Users/myuser/.ssh/config line 16: Including file /Users/myuser/.ssh/file2 depth 0 (parse only)
...
Comment 1 Damien Miller 2022-11-17 10:47:51 AEDT 
Yes, this is completely intentional. Include directives are processed for all blocks to catch syntax errors.

However, directives in files included from non-matching blocks do not modify the configuration. This is why

> debug3: /Users/myuser/.ssh/config line 14: Including file /Users/myuser/.ssh/file1 depth 0 (parse only)

says "parse only" at the end of the line.
Comment 2 Alin 2022-11-18 18:17:29 AEDT 
Thank you for the clarification, and I apologize for not diving deeper into the log.
Comment 3 Damien Miller 2023-03-17 13:38:52 AEDT 
OpenSSH 9.3 has been released. Close resolved bugs