On Wed, Apr 19, 2017 at 1:02 PM, navern <livingdeadzerg@xxxxxxxxx> wrote:
> On 10.04.2017 23:02, navern wrote:
>>
>> On 07.04.2017 15:05, Jakub Jelen wrote:
>>>
>>> On 04/07/2017 11:54 AM, navern wrote:
>>>>
>>>> Hello,
>>>>
>>>> Afaik there was added Include feature for ssh_config. I want to add this
>>>> option to sshd_config as well. I think about a local patch (I am not sure
>>>> this will be required for upstream).
>>>>
>>>> Code for the Include option in readconf.c doesn't look very specific. Is
>>>> there some reason why this wasn't introduced for sshd_config as well?
>>>>
>>>> Maybe someone already has a patch for this feature? It would be great
>>>> because I am a pretty awful C programmer.
>>>
>>> This is already implemented in the following bugzilla:
>>>
>>> https://bugzilla.mindrot.org/show_bug.cgi?id=2468
>>>
>>> The code gets a little bit more complicated because of the requirement to
>>> re-read the configuration for every incoming connection. Giving it a test and
>>> comments would be very appreciated.
>>>
>>> Regards,
>>
>> Hello,
>>
>> I've fixed this patch a little to apply it to version 7.4p1. I will test
>> it in the following week and let you know about the results. Thanks for the patch.
>
> Hi,
>
> I've been testing this for about a week on 150 servers and everything is
> running fine. I haven't seen any bugs. Thanks!

What is the performance penalty for incoming connections? Have you any sense of this?

I'm slightly leery of this approach. I've encountered numerous systems that sought to split out subconfigurations sensibly, such as /etc/cron.d for cron jobs, /etc/sudoers.d for sudo access, and individual zone files for DNS configurations. Some of them have worked very well, but some of them which parse all files for all connections have been vulnerable to a single typo in a single included file destroying the *whole* system.

If you do that to the SSH which is used for remote system management, well, you can suddenly be up a nasty creek without a paddle unless you're as paranoid as I've sometimes been and run a second daemon with a separate set of config files with very restrictive access for emergencies. It can be exacerbated if you have a system configuration tool, such as ansible or puppet or chef, which can modify your OpenSSH config without your being connected on a live SSH session which is still active and might be used for salvage if you screw up a file.

Is there any available tool with this for pre-evaluating the resulting sshd_config for fatal errors? I'm not demanding: I'm thinking "that could be really, really useful".

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
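The pre-evaluation the last message asks for is what a deployment pipeline should run before an Include-enabled sshd_config is installed, so that a typo in one snippet is caught on the staging side rather than by the next failed login. The script below is an added example written for this thread, not OpenSSH code and not anything from the bugzilla patch. It expands Include directives the way sshd_config(5) describes them (glob patterns, relative paths taken from /etc/ssh), reports unreadable files and unknown keywords with a file:line location so the offending snippet is obvious, and then defers to OpenSSH's own test mode, `sshd -t -f <file>`, for the authoritative verdict when an sshd binary is available. The keyword list, the include-depth cap and the constructed config tree in `build_fixture()` are assumptions made for the demo.

```python
"""Pre-flight check for an sshd_config that pulls in snippets via Include.

Added example for this thread, not OpenSSH code. 'sshd -t -f' is the
authoritative check; the lint pass only gives an earlier, located report.
"""
import glob
import os
import re
import shutil
import subprocess
import tempfile

# Subset of sshd_config keywords (lower-cased), enough for this example.
# Assumption for the demo: sshd itself is the authority on valid keywords.
KNOWN_KEYWORDS = {
    "port", "listenaddress", "hostkey", "permitrootlogin", "passwordauthentication",
    "pubkeyauthentication", "challengeresponseauthentication", "usepam", "subsystem",
    "match", "allowusers", "allowgroups", "x11forwarding", "loglevel", "include",
}
MAX_INCLUDE_DEPTH = 16  # assumed cap so a self-including snippet cannot loop forever


def expand_include(pattern, base_dir):
    """Resolve one Include argument: relative paths are taken from base_dir, globs expanded."""
    if not os.path.isabs(pattern):
        pattern = os.path.join(base_dir, pattern)
    return sorted(glob.glob(pattern))


def lint(path, base_dir="/etc/ssh", depth=0):
    """Return a list of (severity, file, line, message) for path and everything it includes."""
    if depth > MAX_INCLUDE_DEPTH:
        return [("error", path, 0, "include nesting too deep")]
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError as exc:
        return [("error", path, 0, "cannot read file: %s" % exc.strerror)]
    problems = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        if keyword == "include":
            if not args:
                problems.append(("error", path, lineno, "Include needs a path"))
                continue
            for pattern in args.split():
                matches = expand_include(pattern, base_dir)
                if not matches:
                    # a pattern matching nothing is suspicious (wrong directory?) but not fatal
                    problems.append(("warn", path, lineno, "Include matched nothing: " + pattern))
                for included in matches:
                    problems.extend(lint(included, base_dir, depth + 1))
        elif keyword not in KNOWN_KEYWORDS:
            problems.append(("error", path, lineno, "unknown keyword: " + parts[0]))
        elif not args:
            problems.append(("error", path, lineno, parts[0] + " has no argument"))
    return problems


def sshd_test_mode(path):
    """Run OpenSSH's own config test ('sshd -t -f path'); returns (rc, stderr) or None if no sshd."""
    sshd = shutil.which("sshd") or shutil.which("sshd", path="/usr/sbin:/usr/local/sbin")
    if sshd is None:
        return None
    proc = subprocess.run([sshd, "-t", "-f", path], capture_output=True, text=True)
    return proc.returncode, proc.stderr.strip()


def build_fixture():
    """Constructed tree: main file includes conf.d/*.conf; one snippet is fine, one has a typo."""
    root = tempfile.mkdtemp(prefix="sshd-lint-")
    os.mkdir(os.path.join(root, "conf.d"))
    with open(os.path.join(root, "sshd_config"), "w") as fh:
        fh.write("Port 22\nPermitRootLogin no\nInclude conf.d/*.conf\nInclude conf.d/missing/*.conf\n")
    with open(os.path.join(root, "conf.d", "10-auth.conf"), "w") as fh:
        fh.write("PasswordAuthentication no\nPubkeyAuthentication yes\n")
    with open(os.path.join(root, "conf.d", "20-typo.conf"), "w") as fh:
        fh.write("# the single typo this thread worries about\nPermitRootLogn no\n")
    return root


def check_fixture():
    """Lint the constructed tree, resolving relative includes against its root instead of /etc/ssh."""
    root = build_fixture()
    return lint(os.path.join(root, "sshd_config"), base_dir=root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    for severity, fname, lineno, message in lint(target):
        print("%s: %s:%d: %s" % (severity, fname, lineno, message))
    verdict = sshd_test_mode(target)
    print("sshd -t:", "not installed" if verdict is None else verdict)
```

Run it against the staged file (for example the copy a configuration tool is about to push) before it replaces the live one, and gate the install on both an empty "error" list and a zero exit from `sshd -t`. The fixture reports exactly one error, pointing at line 2 of `20-typo.conf`, and one warning for the Include that matched nothing; that is the difference between "sshd won't start" and knowing which of 150 servers' snippets to fix.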