Bug 3072 - Some options silently ignored in Host specifications in ssh_config
Summary: Some options silently ignored in Host specifications in ssh_config
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.0p1
Hardware: All All
Importance: P5 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-20 07:07 AEST by Jaak Ristioja
Modified: 2021-03-04 09:53 AEDT

See Also:


Attachments

Description Jaak Ristioja 2019-09-20 07:07:25 AEST
Given ssh_config files like:

  MACs hmac-sha1
  Host somehost
    MACs +hmac-md5

The MACs +hmac-md5 line is ignored when using "ssh somehost". "ssh -o MACs=hmac-md5 somehost" seems to work just fine.

The source code at readconf.c seems to contain:

   case oMacs:
        arg = strdelim(&s);
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
            fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
                filename, linenum, arg ? arg : "<NONE>");
        if (*activep && options->macs == NULL)
            options->macs = xstrdup(arg);
        break;

This seems to mean that if options->macs is already set, the MACs line under "Host somehost" is ignored. Looking at the source code, a number of other options seem to be ignored in the same way.
Comment 1 Darren Tucker 2019-09-20 08:12:15 AEST
Yes, that's how it works.  Quoting the first paragraph of ssh_config(5):

  For each parameter, the first obtained value will be used.  The
  configuration files contain sections separated by Host specifications,
  and that section is only applied for hosts that match one of the
  patterns given in the specification.

In the context of MACs (and a few other things like Ciphers), "+thing" is a value that means "append this to the default list", and it was added so that there was a way to enable things like hmac-md5 where a host required it in a way that wouldn't disable future better options.

You can set defaults by putting them at the end of the file after "Host *":

  Host somehost
    MACs +hmac-md5
  Host *
    MACs hmac-sha1
Comment 2 Jaak Ristioja 2019-09-21 18:30:39 AEST
Thank you! Your suggestion seems to work. :)

It seems that I missed what the ssh_config man page says in the beginning:

     For each parameter, the first obtained value will be used. /.../

     Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

General defaults at the end of the file were not intuitive for me. I wish there was a warning when the options are ignored, but given the configuration file format it seems there is no good way to implement this so that the change wouldn't bother anyone.
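The following is an added example, not code from this bug report or from OpenSSH itself. It models the two behaviours the thread turns on: the `*activep && options->x == NULL` first-obtained-value rule from the readconf.c excerpt in the description, and the "+thing appends to the default list" semantics Darren describes in comment 1. It then runs both orderings of the config (the reported one and the suggested one) through that model. The Host matcher and the MACs expansion are deliberately simplified (plain fnmatch globs, exact-name removal for "-", only the `Keyword value` spelling), and DEFAULT_MACS is a constructed placeholder, not the real OpenSSH default list.

```python
import fnmatch

# Constructed stand-in for ssh's built-in default MAC list; the real default
# is longer and this order is illustrative only.
DEFAULT_MACS = ["umac-64-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"]


def host_matches(patterns, hostname):
    """Match a Host line: whitespace- or comma-separated globs, '!' negates."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False          # a negated match wins outright
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve(config_text, hostname):
    """Return {option: raw value} using the first-obtained-value rule.

    Mirrors the `if (*activep && options->x == NULL)` pattern from readconf.c:
    an option is stored only if the current Host section applies to the
    hostname and no earlier line has already set that option.  Only the
    `Keyword value` spelling is parsed, not `Keyword=value` (simplification).
    """
    options = {}
    active = True                     # lines before any Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.replace(",", " ").split(), hostname)
            continue
        if active and key not in options:
            options[key] = value      # first value wins; later ones are ignored
    return options


def expand_macs(spec, defaults=DEFAULT_MACS):
    """Apply the '+' (append to default) and '-' (remove from default) prefixes."""
    if spec.startswith("+"):
        extra = [m for m in spec[1:].split(",") if m not in defaults]
        return list(defaults) + extra
    if spec.startswith("-"):
        removed = set(spec[1:].split(","))   # exact names only (simplification)
        return [m for m in defaults if m not in removed]
    return spec.split(",")                   # plain list replaces the default


def effective_macs(config_text, hostname):
    """Combine both steps: which MACs line wins, then what list it yields."""
    spec = resolve(config_text, hostname).get("macs")
    return expand_macs(spec) if spec else list(DEFAULT_MACS)


# Constructed configs: the ordering from the bug report and the one
# suggested in comment 1.
REPORTED = """\
MACs hmac-sha1
Host somehost
    MACs +hmac-md5
"""

SUGGESTED = """\
Host somehost
    MACs +hmac-md5
Host *
    MACs hmac-sha1
"""

if __name__ == "__main__":
    for label, cfg in (("reported", REPORTED), ("suggested", SUGGESTED)):
        for host in ("somehost", "otherhost"):
            print(f"{label:9} {host:10} MACs={resolve(cfg, host).get('macs')!r} "
                  f"-> {effective_macs(cfg, host)}")
```

With the reported ordering the global `MACs hmac-sha1` is stored first, so the per-host `+hmac-md5` is never consulted and somehost ends up with hmac-sha1 only; with the suggested ordering somehost gets the default list plus hmac-md5 while every other host falls through to the `Host *` default. On a real system the equivalent check is `ssh -G somehost`, which prints the configuration ssh actually resolved for that host after applying all Host sections, so a silently ignored line shows up as the option keeping its earlier value.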
Comment 3 Damien Miller 2021-03-04 09:53:25 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle