Hello, There are some options in the sshd configuration which can be specified globally, and overridden in a Match clause with a value of none that I don't think are correctly handled. For example: AuthorizedPrincipalsFile /etc/ssh/auth_principals/auth_principals_%u Match Group users AuthorizedPrincipalsFile none This would cause sshd to use ~/none for the authorized principals file rather than store a NULL value for members of users. According to the manpage this keys can have a value of none. I extended the scope of CLEAR_ON_NONE to handle these, and this could additionally be used for dst->adm_forced_command and dst->chroot_directory just below. Url: https://git.io/JvRNI
---
diff --git a/servconf.c b/servconf.c
index 353bcc97..5e0a7f50 100644
--- a/servconf.c
+++ b/servconf.c
@@ -458,7 +458,6 @@ fill_default_server_options(ServerOptions *options)
 CLEAR_ON_NONE(options->host_key_files[i]);
 for (i = 0; i < options->num_host_cert_files; i++)
 CLEAR_ON_NONE(options->host_cert_files[i]);
-#undef CLEAR_ON_NONE
 /* Similar handling for AuthenticationMethods=any */
 if (options->num_auth_methods == 1 &&
@@ -2390,6 +2389,11 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 /* See comment in servconf.h */
 COPY_MATCH_STRING_OPTS();
+ CLEAR_ON_NONE(dst->banner);
+ CLEAR_ON_NONE(dst->trusted_user_ca_keys);
+ CLEAR_ON_NONE(dst->revoked_keys_file);
+ CLEAR_ON_NONE(dst->authorized_principals_file);
+
 /* Arguments that accept '+...' need to be expanded */
 assemble_algorithms(dst);
@@ -2412,7 +2416,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 dst->chroot_directory = NULL;
 }
 }
-
+#undef CLEAR_ON_NONE
 #undef M_CP_INTOPT
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
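Review bot: The four `CLEAR_ON_NONE` calls added after `COPY_MATCH_STRING_OPTS()` in the second hunk are a hand-maintained list with no comment tying it to the options that accept `none`, so a string option later added to the Match-copy set can silently miss the normalisation and have the literal `none` treated as a path again. That matters most for the authentication-time files named here: per the description, an unnormalised `AuthorizedPrincipalsFile none` resolves to `~/none`, a location the account owner can write, rather than to a NULL value. I would add a comment above the block such as `/* Match blocks may set these to "none" to clear a global value; store NULL so "none" is never opened as a file */`, and check whether any other option copied by `COPY_MATCH_STRING_OPTS()` documents `none` (the macro body is outside this diff). A regression test that sets each option globally, overrides it with `none` in a Match block and inspects the effective configuration would pin the behaviour. The body of `copy_set_server_options` begins and ends outside the hunk.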