Bug 2731 - .ssh/config: Host * overrides included files
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.5p1
Hardware: amd64 Linux
Importance: P5 trivial
Assignee: Assigned to nobody
Reported: 2017-06-24 02:46 AEST by mindrot
Modified: 2018-04-06 12:26 AEST
Attachments
ssh -vvv a, on 7.5p1 (1.10 KB, text/plain)
2017-06-26 21:23 AEST, mindrot

Description mindrot 2017-06-24 02:46:04 AEST
Hi,

When a file is included, and that .ssh/config contains a "Host *" section, properties (like User) that should be overridden in included files are not.


Reproduction steps:
- Create the following .ssh/config:
Host a
    Hostname a.b.c
    User userA

Host *
    User userB

- `ssh a' should log in to userA@a.b.c, `ssh b.c.d' should log in to userB@b.c.d

- Move the `a' host into an included file to have the following .ssh/config:
Host *
    User userB

Include ~/.ssh/a_host

- `ssh a' will try to log in to userB@a.b.c instead of userA@a.b.c.

Expected result:
  `ssh a' should log in to userA@a.b.c anyway since there is a User line in its Host definition and that works when not included.


I have read online that the "Host *" should be at the end of the file, which works fine in the first example, however in the example with the Include, doing that "deletes" the included Hosts; having Include then User would make `ssh a' not work (unresolved hostname), as if there was no entry.

ssh -V: OpenSSH_7.5p1, OpenSSL 1.1.0f  25 May 2017
Comment 1 Damien Miller 2017-06-24 15:30:06 AEST
I think the problem is that your configuration now is effectively:

> Host *
>  User userB
>  Include ~/.ssh/a_host

I.e. you're conditionally including the a_host file after you set userB.

If you change the order to

> Include ~/.ssh/a_host
> 
> Host *
>  User userB

Then you should get the behaviour that you desire.
Comment 2 mindrot 2017-06-24 19:56:18 AEST
(In reply to Damien Miller from comment #1)
> If you change the order to
> 
> > Include ~/.ssh/a_host
> > 
> > Host *
> >  User userB
> 
> Then you should get the behaviour that you desire.

Unfortunately that makes host `a' "disappear", `ssh a' will not work anymore, which is what I meant in the end of my post.
Comment 3 Damien Miller 2017-06-24 22:57:57 AEST
(In reply to mindrot from comment #2)

> Unfortunately that makes host `a' "disappear", `ssh a' will not work
> anymore, which is what I meant in the end of my post.

You'll need to include a debug trace ("ssh -vvv user@a") to figure out what's going on here.
Comment 4 mindrot 2017-06-26 21:23:24 AEST
Created attachment 3000
ssh -vvv a, on 7.5p1

(In reply to Damien Miller from comment #3)
> You'll need to include a debug trace ("ssh -vvv user@a") to figure
> out what's going on here.

Sorry, I should have included it from the get go. I attached the output of `ssh -vvv a' for both Host * then Include and Include then Host *.
Comment 5 Damien Miller 2017-06-27 13:39:02 AEST
I can't reproduce that behaviour. With ~/.ssh/config containing:

-----------

Include ~/.ssh/config_a

Host *
        User bar

-----------

... and ~/.ssh/config_a containing:

-----------

Host a
        Hostname 192.168.0.1
        User foo

-----------

I get the following log messages:

> OpenSSH_7.5, LibreSSL 2.6.0
> debug1: Reading configuration data /home/djm/.ssh/config
> debug3: /home/djm/.ssh/config line 1: Including file /home/djm/.ssh/config_a depth 0
> debug1: Reading configuration data /home/djm/.ssh/config_a
> debug1: /home/djm/.ssh/config_a line 1: Applying options for a
> debug1: /home/djm/.ssh/config line 3: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolving "192.168.0.1" port 22

This differs from your trace:

> Include then Host *:
> $ ssh -vvv a
> OpenSSH_7.5p1, OpenSSL 1.1.0f  25 May 2017
> debug1: Reading configuration data /home/ashka/.ssh/config
> debug3: /home/ashka/.ssh/config line 64: Including file /home/ashka/.ssh/a_host depth 0 (parse only)

You aren't showing your full ~/.ssh/config file, but I can see that there are 64 lines of other stuff before it actually gets to the Include directive.

I bet one of those is another Host or Match line, and the Include is being made conditional on it. That's what the "(parse only)" means - that the file is being read and checked for syntax, but its contents are ignored because it's in a Match/Host statement that didn't match.
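
Added example (not part of the bug thread and not OpenSSH code): a simplified Python model of the evaluation rules discussed above, showing that an Include inherits the Host block it sits in and that the first value obtained for a keyword wins. The function names, the in-memory file table and the "Host other" block are assumptions made for illustration; the sample configurations are constructed from the ones in this report.

```python
from fnmatch import fnmatchcase

def host_matches(patterns, host):
    """Host line semantics: some pattern matches and no '!pattern' does."""
    if any(fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def resolve(files, path, host, opts=None, skipped=None, active=True):
    """Simplified ssh_config evaluation; returns (options, skipped includes)."""
    opts = {} if opts is None else opts
    skipped = [] if skipped is None else skipped
    never_match = not active  # file was included from a non-matching block
    for raw in files[path].splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = not never_match and host_matches(args, host)
        elif key == "match":  # simplification: only "Match all" is modelled
            active = not never_match and args == ["all"]
        elif key == "include":  # no glob expansion in this model
            for inc in args:
                if not active:
                    skipped.append(inc)  # the "(parse only)" case
                resolve(files, inc, host, opts, skipped, active)
        elif active:
            opts.setdefault(key, " ".join(args))  # first obtained value wins
    return opts, skipped

# Constructed sample files, modelled on the configurations in this report.
A_HOST = "Host a\n    Hostname a.b.c\n    User userA\n"
STAR = "Host *\n    User userB\n"
INC = "Include ~/.ssh/a_host\n"
CASES = {
    "star_then_include": STAR + "\n" + INC,
    "include_then_star": INC + "\n" + STAR,
    "include_after_other_host": "Host other\n    Port 2222\n\n" + INC + "\n" + STAR,
}

def effective(case, host="a"):
    """Return (User, Hostname, skipped includes) for `host` under a sample case."""
    files = {"~/.ssh/config": CASES[case], "~/.ssh/a_host": A_HOST}
    opts, skipped = resolve(files, "~/.ssh/config", host)
    return opts.get("user"), opts.get("hostname"), skipped
```

On a real client, `ssh -G a` prints the options ssh resolves for host a, which is a quick way to confirm which User and Hostname a given layout produces.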
Comment 6 mindrot 2017-06-28 23:56:28 AEST
(In reply to Damien Miller from comment #5)
> I can't reproduce that behaviour. [...] You aren't showing your full ~/.ssh/config file, but I can see that there are 64 lines of other stuff before it actually gets to the Include directive.

Indeed, I thought that other hosts in the same file before the Include did not affect it, but I had no idea Include was conditional (aka. ignored after a Host block if the Host does not match). Sorry for the waste of time.
Comment 7 Damien Miller 2018-04-06 12:26:41 AEST
Close all resolved bugs after release of OpenSSH 7.7.