Over in https://bugs.debian.org/959726 the Debian postinst script for openssh-server is being discussed. That postinst script needs to parse the sshd_config file to figure out what host keys need to be created. I'm sure this isn't the only sysadmin-related tooling that tries to do such a task. Rather than re-implementing the config file parser with some janky approximation in Perl, it'd be nicer to use `sshd -T` to get a normalized form and then parse the results more simply. However, that's not possible for the postinst script because `sshd -T` aborts with an error and fails to emit any parsed configuration if no host keys are available (error message: "sshd: no hostkeys available -- exiting."). I don't know what other errors in the configuration might cause `sshd -T` to abort with a failure, but it would be nice if it would go ahead and emit the parsed configuration anyway. (If this seems wrong to do by default for whatever reason, perhaps a distinct option besides -T could be used to emit the parsed configuration regardless of whether there is an error.)
Created attachment 3664: Add sshd -G flag

The reason why we haven't done this in the past is that -T is advertised as an "extended test" mode that will verify various configuration-related things and *then* print the config. Maybe we should add a dedicated "config dump" mode (maybe using -G like ssh) that doesn't do this?
Comment on attachment 3664 (Add sshd -G flag): usage() also needs updating.
This has been committed and will be in OpenSSH 9.3
OpenSSH 9.3 has been released. Close resolved bugs
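A sketch of the postinst logic the first comment describes, built on the `-G` dump mode the later comments add (OpenSSH 9.3 and newer). This is an added example, not code from the bug report or from the Debian package; the normalized dump below is constructed, and `key_type_of` assumes the conventional `ssh_host_<type>_key` file naming.

```sh
#!/bin/sh
# Constructed sample of a normalized dump, in the lowercased "keyword value"
# form that `sshd -T` prints and that `sshd -G` (OpenSSH 9.3+) prints without
# first requiring a host key to exist.
SAMPLE_DUMP='port 22
addressfamily any
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
pubkeyauthentication yes'

# dump_config CONFIG_FILE: print the normalized configuration. -G is tried
# first because it does not abort when no host keys exist yet; older sshd
# versions without -G fall back to -T.
dump_config() {
    sshd -G -f "$1" 2>/dev/null || sshd -T -f "$1"
}

# hostkeys_from_dump: read a normalized dump on stdin, print one host-key
# path per line. sshd already lowercases the keyword, so no case folding.
hostkeys_from_dump() {
    awk '$1 == "hostkey" { print $2 }'
}

# missing_hostkeys ROOT: read a dump on stdin, print the configured host-key
# paths whose private key file does not exist under ROOT ("" or "/" for the
# live system, a staging directory for tests).
missing_hostkeys() {
    root=$1
    hostkeys_from_dump | while IFS= read -r key; do
        [ -f "$root$key" ] || printf '%s\n' "$key"
    done
}

# key_type_of PATH: derive the `ssh-keygen -t` argument from the conventional
# ssh_host_<type>_key filename (assumption); prints nothing otherwise.
key_type_of() {
    b=$(basename "$1")
    case $b in
        ssh_host_*_key) t=${b#ssh_host_}; printf '%s\n' "${t%_key}" ;;
    esac
}

# generate_missing ROOT: create only the host keys that are missing, with an
# empty passphrase, as a postinst would. Keys with unconventional names are
# reported rather than guessed at.
generate_missing() {
    missing_hostkeys "$1" | while IFS= read -r key; do
        type=$(key_type_of "$key")
        if [ -n "$type" ]; then
            ssh-keygen -q -N '' -t "$type" -f "$1$key"
        else
            printf 'cannot infer key type for %s\n' "$key" >&2
        fi
    done
}
```

In the real package the pipeline would be `dump_config /etc/ssh/sshd_config | missing_hostkeys ""`, which is what makes the `-G` change useful before any key exists.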