Bug 2774 - Add a InheritConfig option for host stanzas
Summary: Add a InheritConfig option for host stanzas
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: -current
Hardware: All All
Importance: P5 security
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-07 08:46 AEST by imoverclocked
Modified: 2021-03-04 09:52 AEDT (History)

See Also:


Attachments

Description imoverclocked 2017-09-07 08:46:58 AEST
Today, ssh_config allows a user to bring in different configuration snippets and selectively override settings per Host configuration sections. Sometimes, a user will have several different sources of configuration suggestions which, when poorly suggested, can lead to unwanted behavior.

Example Suggestion 1:

Place the following snippet in your ~/.ssh/config file:

---
Host *.foo.example.com
  ForwardAgent no
---

Example (poor) Suggestion 2:

Place the following snippet at the top of your ~/.ssh/config file:

---
ForwardAgent yes
---

Now the user has unwittingly fixed one problem by breaking a previously good security decision for a class of nodes.

It would be nice if Suggestion 1 could be re-written to ensure that *.foo.example.com will never have ForwardAgent yes:

---
Host *.foo.example.com
  InheritConfig no
  ForwardAgent no
---
Comment 1 Damien Miller 2019-07-19 15:41:23 AEST
Something like this would be nice but it's infeasible with the current configuration parser. If we ever move to a parser that captures a syntax tree of the configuration rather than the current immediate-mode implementation then we would definitely consider this.
Comment 2 Damien Miller 2021-03-04 09:52:46 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle