Hey.

I was just going through the documentation, and there are several options which are documented to default to "none", e.g. in sshd_config(5):
>AuthorizedPrincipalsFile
...
> The default is “none”, i.e. not to use a principals file – in
...

or
>Banner The contents of the specified file are sent to the remote user
> before authentication is allowed. If the argument is “none” then
> no banner is displayed. This option is only available for proto‐
...

Now I looked through the code, and it doesn't look as if "none" would really be handled specially for these options; a test with "Banner none" confirmed this: if there is a file /none, its contents are printed.

To the contrary, there are options in servconf.c for which "none" *is* apparently actually considered special, as e.g. AuthorizedKeysCommand.

I would guess that the same issues may happen again for other options for both, sshd and ssh.

1) So ideally someone should really go through all the options, and check whether the defaults still match.

2) The manpages should somehow better denote what is actually a value and what is just prose text, since “none” (as it also appears for “yes”) could mean both, the literal string "none", i.e.:
   DirectiveName none
or that the directive's value is empty, i.e.:
   DirectiveName ""

3) I personally tend to generally use the latter or somehow better handle cases when a directive may take special enums and arbitrary strings like filenames.

Cheers,
Chris.
fixed; will be in openssh-6.8

commit 8f6784f0cb56dc4fd00af3e81a10050a5785228d
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Dec 22 09:05:17 2014 +0000

    upstream commit

    mention ssh -Q feature to list supported { MAC, cipher, KEX, key } algorithms in more places and include the query string used to list the relevant information; bz#2288
oops, wrong bug
OpenSSH 6.8 is approaching release and closed for major work. Retarget these bugs for the next release.
Retarget to 6.9
Created attachment 2564
make config parser more consistent

Tested option Banner with current upstream and it works fine now. FYI: Fixed in
https://anongit.mindrot.org/openssh.git/commit/?id=161cf419f412446635013ac49e8c660cadc36080

AuthorizedPrincipalsFile option is fixed in a different way in this commit (which is for sure not as elegant as the previous one, and it would be really nice to have it more consistent):
https://anongit.mindrot.org/openssh.git/commit/?id=9fed161e67b23977a1070419b356084295422f0c

If you want to have it in a more elegant way, there is an attached patch. Otherwise you can close this issue as resolved.
Comment on attachment 2564
make config parser more consistent

looks ok to me
patch applied, will be in openssh-6.9
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
Hey.

I just tried to verify this, and it seems there are still options left which can have a special value of "none" but for which this isn't documented (at least as of 6.9):
- HostKey
- HostCertificate
and as already mentioned before:
- AuthorizedKeysCommand

Since this is marked as fixed in 6.9, I'm reopening it.

Cheers,
Chris.
And one more where there is "none" but nothing mentioned in the docs:
- AuthorizedPrincipalsCommand
And another one, but this time in ssh_config:
- RevokedHostKeys
I don't think we need to chase this further.
Well, it's your project, so decide as it pleases you... :-)

But I still think it's a bad idea to not document specially handled option values (i.e. "none") where otherwise a free form string could be used.

It may be unlikely but people could in principle use an AuthorizedKeysCommand called "none" which would, AFAIU, *not* be called, unlike the documentation would suggest (by not mentioning that "none" is special). Same goes for the other commands I've found earlier (though I haven't checked the current code, whether this is still the case).

Cheers,
Chris.
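An added example, not part of this thread or of OpenSSH: a small Python audit that reads a configuration file and, for the directives named in the comments above, flags arguments that are the literal `none`, empty, or a path whose last component is `none`. The directive list is taken from this thread only, and the case-insensitive comparison and the sample configuration are assumptions made for the example.

```python
import re
import shlex

# Directives this thread reports as giving "none" a special meaning
# (RevokedHostKeys is the ssh_config one); the list is not exhaustive.
NONE_SPECIAL = {
    "banner", "authorizedprincipalsfile", "authorizedkeyscommand",
    "authorizedprincipalscommand", "hostkey", "hostcertificate",
    "revokedhostkeys",
}
# Keyword, then whitespace or a single '=', then the arguments.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+|$)(.*)$")

# Constructed sample, not taken from a real host.
SAMPLE = '''\
# constructed sample configuration
Banner none
AuthorizedKeysCommand /usr/local/bin/none
AuthorizedPrincipalsFile ""
HostKey /etc/ssh/ssh_host_ed25519_key
RevokedHostKeys=None
PasswordAuthentication no
'''

def classify(arg):
    """Say how one directive argument reads: keyword, empty, or path."""
    if arg is None or arg == "":
        return "empty"
    if arg.lower() == "none":   # assumption: flag any letter case for review
        return "keyword-none"
    if arg.rstrip("/").rsplit("/", 1)[-1].lower() == "none":
        return "path-named-none"    # e.g. /none: a real file or command
    return "value"

def audit(config_text):
    """Return [(line_no, keyword, argument, kind)] for the listed directives."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m or m.group(1).lower() not in NONE_SPECIAL:
            continue
        args = shlex.split(m.group(2), comments=True)  # handles quotes, '#'
        arg = args[0] if args else None
        kind = classify(arg)
        if kind != "value":
            findings.append((no, m.group(1), arg, kind))
    return findings

if __name__ == "__main__":
    for no, key, arg, kind in audit(SAMPLE):
        print(f"line {no}: {key} {arg!r} -> {kind}")
```

Each flagged line is one to check against the sshd_config(5) or ssh_config(5) page of the installed version, since the thread shows the documentation and the parser have disagreed on whether `none` is a keyword or a file name.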
close bugs that were resolved in OpenSSH 8.5 release cycle