Bug 3207 - Match blocks ignored in files processed by Include
Status: CLOSED DUPLICATE of bug 3122
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 8.3p1
Hardware: amd64 Linux
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2020-09-01 02:53 AEST by devel
Modified: 2021-03-04 09:52 AEDT
Description devel 2020-09-01 02:53:25 AEST
Setup: main config file with "Include /etc/ssh/sshd_config.d/*.conf" line as the first active directive.  Create /etc/ssh/sshd_config.d/test.conf with:

Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory /sftp

Now, assuming a working chroot layout (/sftp owned root:root, /sftp/home/testuser exists, testuser is in group sftponly and their home dir is /home/testuser), run:

sshd -C 'user=testuser' -T

The ForceCommand and ChrootDirectory are not applied, both according to the test output, and in practice.  Note that no error is generated.

An inverted approach will chroot all users, thus proving that the config itself is successfully being loaded:

ChrootDirectory /sftp
Match Group ssh-users
ChrootDirectory none

Observed in Ubuntu 20.04, and unmodified builds of the 8.2p1 and 8.3p1 releases.  The man page does not indicate this limitation.
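
An added example, not part of the original report or of OpenSSH: a Python audit that follows a config's Include directives and lists every Match block that lives in an included file, which is the layout the report says is silently ignored on the affected releases. The function names and the temporary directory tree are constructed for illustration; relative Include patterns are resolved against base_dir, which stands in for /etc/ssh.

```python
import glob
import os
import re
import tempfile

def active_lines(path):
    """Yield (lineno, keyword, args); keyword and args are split on whitespace or '='."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if line and not line.startswith("#"):
                parts = re.split(r"[\s=]+", line, maxsplit=1)
                yield lineno, parts[0], parts[1] if len(parts) > 1 else ""

def included_match_blocks(path, base_dir, included=False, seen=None):
    """Return [(file, lineno, criteria, directives)] for Match blocks in Include'd files."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:  # guard against Include loops
        return []
    seen.add(real)
    findings, block = [], None
    for lineno, keyword, args in active_lines(path):
        if keyword.lower() == "include":
            for pattern in args.split():
                # Relative patterns resolve against base_dir; absolute ones pass through.
                for child in sorted(glob.glob(os.path.join(base_dir, pattern))):
                    findings += included_match_blocks(child, base_dir, True, seen)
        elif keyword.lower() == "match":
            block = (path, lineno, args, [])
            if included:  # Match blocks in the main file are not the reported case
                findings.append(block)
        elif block is not None:
            block[3].append(f"{keyword} {args}".strip())
    return findings

def demo():
    """Recreate the report's layout in a temp dir (constructed sample) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sshd_config.d"))
        with open(os.path.join(root, "sshd_config"), "w") as fh:
            fh.write("Include sshd_config.d/*.conf\nPasswordAuthentication no\n")
        with open(os.path.join(root, "sshd_config.d", "test.conf"), "w") as fh:
            fh.write("Match Group sftponly\nForceCommand internal-sftp\nChrootDirectory /sftp\n")
        return [(os.path.basename(f), n, c, d) for f, n, c, d in
                included_match_blocks(os.path.join(root, "sshd_config"), root)]

if __name__ == "__main__":
    print(demo())
```

On a real host, check each finding against the `sshd -T -C` output for a matching user, as in the report, to confirm the restriction is actually applied.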
Comment 1 Damien Miller 2020-09-01 11:59:51 AEST

*** This bug has been marked as a duplicate of bug 3122 ***
Comment 2 Damien Miller 2021-03-04 09:52:47 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle