When adding Include directives within Match blocks they are carried out regardless of whether the match is successful or not. Sample ~/.ssh/config: # Host * # SendEnv LANG LC_* # StrictHostKeyChecking no # UserKnownHostsFile /dev/null # LogLevel=ERROR # AddressFamily inet # ServerAliveInterval 100 # CheckHostIP no # User root # # Match all Match localuser myuser exec "[ true = false ]" Include file1 Match localuser !myuser exec "[ true = false ]" Include file2 ... Steps to reproduce: myuser@thishost $ ssh -vvv myhost OpenSSH_9.1p1, OpenSSL 1.1.1s 1 Nov 2022 debug1: Reading configuration data /Users/myuser/.ssh/config debug2: checking match for 'localuser myuser exec "[ true = false ]"' host myhost originally myhost debug3: /Users/myuser/.ssh/config line 13: matched 'localuser "myuser"' debug1: Executing command: '[ true = false ]' debug3: command returned status 1 debug3: /Users/myuser/.ssh/config line 13: not matched 'exec "[ true = false ]"' debug2: match not found debug3: /Users/myuser/.ssh/config line 14: Including file /Users/myuser/.ssh/file1 depth 0 (parse only) debug2: checking match for 'localuser !myuser exec "[ true = false ]"' host myhost originally myhost debug3: /Users/myuser/.ssh/config line 15: not matched 'localuser "myuser"' debug3: /Users/myuser/.ssh/config line 15: skipped exec "[ true = false ]" debug2: match not found debug3: /Users/myuser/.ssh/config line 16: Including file /Users/myuser/.ssh/file2 depth 0 (parse only) ...
Yes, this is completely intentional. Include directives are processed for all blocks to catch syntax errors. However, directives in files included from non-matching blocks do not modify the configuration. This is why > debug3: /Users/myuser/.ssh/config line 14: Including file /Users/myuser/.ssh/file1 depth 0 (parse only) says "parse only" at the end of the line.
Thank you for the clarification, and I apologize for not diving deeper into the log.
OpenSSH 9.3 has been released. Close resolved bugs