Bug 3388 - ssh/sshd: add mandatory Include options
Summary: ssh/sshd: add mandatory Include options
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous (show other bugs)
Version: 8.8p1
Hardware: Other All
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-17 11:11 AEDT by Christoph Anton Mitterer
Modified: 2022-02-17 11:11 AEDT (History)

See Also:


Description Christoph Anton Mitterer 2022-02-17 11:11:08 AEDT
Hey.


It would be nice if, in addition to Include (which seems to ignore any non-existent/wrongly-typed/unreadable files), one had an IncludeMandatory (or so) option that lets ssh respectively sshd fail if the file doesn't exist, cannot be read, has the wrong type, etc.

If a wildcard pattern were used in that directive, then at least one file would need to match it in order not to fail.

This is e.g. similar to Apache httpd's Include and IncludeOptional options.


The motivation for this would be that one can more easily make configurations in which one has a base config (e.g. ssh[d]_config) which is the same for all servers, and then something like users-groups-authz.conf, which contains AllowUsers and friends. Or maybe an extra file which just sets the authn methods allowed for that particular host (typically on the sshd side then).

If that config snippet were missing, one often wants things to rather fail than to fall back to defaults (like AllowUsers *).


Thanks,
Chris.
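A pre-flight check approximating the requested IncludeMandatory semantics, added here as an example that is not part of the bug report or of OpenSSH: it resolves Include patterns the way sshd does (relative to /etc/ssh, here a constructed temporary directory) and reports a problem when a pattern marked as mandatory matches no readable regular file, so a deployment can refuse to start sshd instead of silently falling back to defaults. The functions `parse_includes`, `check_includes`, `demo` and the sample config files are assumptions constructed for this example.

```python
import glob
import os
import tempfile
# Hypothetical pre-flight checker (not OpenSSH code) approximating the requested
# IncludeMandatory semantics: each Include pattern in `required` must match at
# least one readable regular file, recursively through included files.

def parse_includes(path):
    """Return the patterns given to Include directives in one config file."""
    patterns = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split(None, 1)
            if len(fields) == 2 and fields[0].lower() == "include":
                patterns.extend(fields[1].split())
    return patterns

def check_includes(config_path, required, base_dir="/etc/ssh"):
    """Return problems found; empty list means every mandatory pattern matched.
    Relative patterns resolve against base_dir; unreadable/non-file matches are skipped."""
    problems = []
    for pattern in parse_includes(config_path):
        full = pattern if os.path.isabs(pattern) else os.path.join(base_dir, pattern)
        matches = [m for m in sorted(glob.glob(full))
                   if os.path.isfile(m) and os.access(m, os.R_OK)]
        if pattern in required and not matches:
            problems.append(f"{config_path}: mandatory Include {pattern!r} matched no readable file")
        for m in matches:  # included files may themselves contain Include
            problems.extend(check_includes(m, required, base_dir))
    return problems

def demo():
    """Constructed layout: shared sshd_config that Includes a per-host authz fragment."""
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "sshd_config")
        with open(base, "w") as fh:
            fh.write("Include users-groups-authz.conf\nInclude sshd_config.d/*.conf\n")
        os.mkdir(os.path.join(d, "sshd_config.d"))
        with open(os.path.join(d, "sshd_config.d", "10-site.conf"), "w") as fh:
            fh.write("PasswordAuthentication no\n")
        required = {"users-groups-authz.conf"}
        before = check_includes(base, required, base_dir=d)  # fragment absent
        with open(os.path.join(d, "users-groups-authz.conf"), "w") as fh:
            fh.write("AllowUsers admin\n")
        after = check_includes(base, required, base_dir=d)  # fragment present
    return before, after
```

Wired into something like a systemd ExecStartPre, a non-empty result from `check_includes` keeps sshd from starting with an absent AllowUsers fragment.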