ssh_config should include /etc/ssh/ssh_config.d/* by default

Bug #1701298 reported by Erich E. Hoover
This bug affects 2 people
Affects: openssh (Ubuntu)
Status: Fix Committed
Importance: Wishlist
Assigned to: Colin Watson
Milestone: (not set)

Bug Description

It is not currently possible to deploy packages with system-specific SSH configuration settings without modifying the ssh_config file. Ideally the default ssh_config file would simply contain:
Include /etc/ssh/ssh_config.d/*
as this would allow packages to deploy such settings without tampering with the main ssh_config file.

Christian Ehrhardt (paelzer) wrote:

Hi Erich,
I agree that would be a nice change to have, but I got puzzled checking the details.

In general it seems to require 7.3p1: => https://bugzilla.mindrot.org/show_bug.cgi?id=1585.
Therefore, e.g. in Xenial, I was surprised to find nothing about the Include statement, but that was 7.2.
But all later versions are OK, so there it makes absolute sense.

It is already done for the user side of the config in:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/739495

But looking deeper I realized that this is only implemented by Upstream for the client part (ssh) but not the sshd server (at least trusting the man pages updated with the referred upstream change).

That said, I'd have to ask you for two things:
1. This bug is present in Debian too and we carry next to no delta. So it would be best fixed in Debian, and then Ubuntu will pick it up on the next merge. Would you mind filing a bug with Debian please?
2. Also, since at least according to my sniff check it seems the upstream sshd doesn't have an Include directive, you might file a bug there as well and link it here and in the Debian bug.

For now confirming the idea and setting wishlist as for all feature requests.

Changed in openssh (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Colin Watson (cjwatson) wrote:

There are already bugs about an Include directive in sshd, so please don't file more. Also, it isn't really necessary to re-file this in Debian since I follow both trackers.

Erich, could you give an example of the sort of changes you'd like to be able to make in a .d directory? Are you talking about site-local changes, or things that might go into a distribution?

Erich E. Hoover (ehoover) wrote:

@cjwatson, I've been getting my work into the habit of deploying Debian packages for all organization-wide system configuration files. So, when I noticed the other day that openssh-client 7.3p1+ now supports include directives I put together a new package that gives all of our internal users no-login access to the systems that they need for their work. The exact ".d" file I put together to do this is:
===
Match exec "getent hosts %h | grep -qE '^10\.10\.10\.'"
        User root
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
        IdentityFile /opt/insight/SLE-101_id_rsa
===
However, at the moment, for anyone to use this file I would need to modify /etc/ssh/ssh_config by adding "Include /etc/ssh/ssh_config.d/*". While I can do that, I know that it's not generally recommended to have a package modify the config files of other packages. So, ideally, the default ssh_config file would have an Include directive that allows me to simply place my ".d" file in the appropriate ".d" directory such that it automatically gets included whenever my custom package is installed.
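The drop-in quoted above is a useful thing to look at from the defender's side: for every host its Match exec test selects, it sets StrictHostKeyChecking no and UserKnownHostsFile /dev/null, which switches host key verification off entirely, and once a distribution ships an Include directive, any package can land such a block in /etc/ssh/ssh_config.d/ without touching ssh_config itself. The script below is an added example written for this page, not code from the bug report or from OpenSSH: a small parser that walks a system ssh_config the way ssh_config(5) describes (Include globs expanded relative to /etc/ssh, matches sorted, an Include inside a Host/Match block inheriting that scope), flags directives that disable host key checking together with the scope they apply to, and resolves a parameter for a given host under the "first obtained value wins" rule that makes the position of the Include line matter. Assumptions: base_dir stands in for /etc/ssh so the demo runs against a constructed temporary tree; only Host patterns are evaluated, Match blocks are reported but not executed; the file names 10-site-hosts and 20-internal and the host names *.internal.example are made up for the demo.

```python
import fnmatch
import glob
import os
import re
import shlex
import tempfile

# Directive values that switch off host key verification for their scope.
WEAKENING = {"stricthostkeychecking": {"no", "off"},
             "userknownhostsfile": {"/dev/null"}}
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"


def walk_ssh_config(path, base_dir="/etc/ssh", _scope="(global)", _seen=None):
    """Yield (file, lineno, scope, keyword, rest) for each directive in path and
    the files it Includes, in the order ssh reads them. scope is the Host/Match
    line in force; base_dir stands in for /etc/ssh (relative Include base)."""
    seen = set() if _seen is None else _seen
    real = os.path.realpath(path)
    if real in seen:                       # refuse Include loops
        return
    seen.add(real)
    scope = _scope
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            m = _LINE.match(line) if line and not line.startswith("#") else None
            if not m:
                continue
            keyword, rest = m.group(1), m.group(2).strip()
            key = keyword.lower()
            if key in ("host", "match"):
                scope = f"{keyword} {rest}"
            elif key == "include":
                for pattern in shlex.split(rest):
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base_dir, pattern)
                    for inc in sorted(glob.glob(pattern)):  # ssh sorts glob matches
                        # an Include inside a block inherits that block's scope
                        yield from walk_ssh_config(inc, base_dir, scope, seen)
            else:
                yield (path, lineno, scope, keyword, rest)


def audit_ssh_config(path, base_dir="/etc/ssh"):
    """Return directives that disable host key checking, with their scope."""
    found = []
    for entry in walk_ssh_config(path, base_dir):
        key, value = entry[3].lower(), (shlex.split(entry[4]) or [""])[0].lower()
        if key in WEAKENING and value in WEAKENING[key]:
            found.append(entry)
    return found


def _host_matches(scope, host):
    # Only Host patterns can be evaluated offline; a Match block (such as the
    # report's "Match exec") needs the live command, so it is treated as not
    # applying here and surfaces through audit_ssh_config instead.
    if not scope.lower().startswith("host "):
        return False
    matched = False
    for pat in scope.split()[1:]:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False               # a negated match excludes the block
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_value(path, host, keyword, base_dir="/etc/ssh"):
    """ssh_config(5): the first obtained value for a parameter wins, so a
    drop-in Included above 'Host *' overrides the distribution default."""
    for _, _, scope, kw, rest in walk_ssh_config(path, base_dir):
        if kw.lower() == keyword.lower() and (scope == "(global)" or _host_matches(scope, host)):
            return rest
    return None


def build_demo_tree():
    """Constructed stand-in for /etc/ssh in a temp dir; returns (ssh_config
    path, base dir). 10-site-hosts copies the report's drop-in, 20-internal is
    a benign drop-in added for contrast."""
    base = tempfile.mkdtemp(prefix="ssh_config_demo_")
    os.mkdir(os.path.join(base, "ssh_config.d"))
    files = {
        "ssh_config":
            "Include ssh_config.d/*\n"          # the line this bug asks for
            "Host *\n"
            "    UserKnownHostsFile ~/.ssh/known_hosts\n",
        "ssh_config.d/10-site-hosts":
            "Match exec \"getent hosts %h | grep -qE '^10\\.10\\.10\\.'\"\n"
            "    User root\n"
            "    StrictHostKeyChecking no\n"
            "    UserKnownHostsFile /dev/null\n"
            "    IdentityFile /opt/insight/SLE-101_id_rsa\n",
        "ssh_config.d/20-internal":
            "Host *.internal.example\n"
            "    StrictHostKeyChecking ask\n"
            "    UserKnownHostsFile ~/.ssh/known_hosts_internal\n",
    }
    for name, body in files.items():
        with open(os.path.join(base, name), "w") as fh:
            fh.write(body)
    return os.path.join(base, "ssh_config"), base
```

Calling build_demo_tree() and then audit_ssh_config(cfg, base) reports the StrictHostKeyChecking and UserKnownHostsFile lines of 10-site-hosts under their Match exec scope, which is the review question a packaged drop-in should have to answer. effective_value(cfg, "db1.internal.example", "UserKnownHostsFile", base) returns the drop-in's known_hosts_internal path, while "other.example" falls through to the Host * default, because the Include sits above Host * in ssh_config; put the Include below Host * and the defaults win instead. On a real system the authoritative check is ssh -G hostname, which prints the configuration ssh itself resolves, Match blocks included.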

Colin Watson (cjwatson) wrote: Re: [Bug 1701298] Re: ssh_config should include /etc/ssh/ssh_config.d/* by default

On Fri, Jun 30, 2017 at 08:19:09PM -0400, James Cloos wrote:
> >>>>> "CW" == Colin Watson <email address hidden> writes:
>
> CW> Erich, could you give an example of the sort of changes you'd like to be
> CW> able to make in a .d directory?
>
> Colin,
>
> One good example is the port number(s). Having to edit sshd_config
> every time the package changes the default contents is a pain. And
> a non-default port number is very common.

This is all very well and true, but it's not what this bug is about.
Upstream OpenSSH doesn't yet support Include for sshd_config at all, so
there's no possibility of making the distribution-shipped sshd_config
include a .d directory. This bug is about ssh_config instead.

--
Colin Watson [<email address hidden>]

Colin Watson (cjwatson) wrote:

On Sat, Jul 01, 2017 at 01:27:13PM -0400, James Cloos wrote:
> CW> This is all very well and true, but it's not what this bug is about.
>
> My reading of this bug is that a patch to support .d/* is exactly what
> was requested.

No, this bug is specifically about *ssh_config*, not *sshd_config* - the
client configuration file, not the server configuration file. Even
leaving aside the lack of upstream support for Include in sshd_config
(which is https://bugzilla.mindrot.org/show_bug.cgi?id=2468), I'd expect
to at least have to think about the two separately, due to
considerations such as ordering (ssh_config has per-user configuration
files to be considered as well, while sshd_config doesn't; sshd_config
frequently has more complex issues related to Match blocks).

> And you asked for examples of how it would be useful, then complained
> about receiving such an example.

I was glad to receive Erich's response to the question I asked them
directly. :-) I understand the general usefulness of .d directories in
configuration systems and have put effort into supporting them in the
past; I was specifically asking the bug reporter for what packaged
modifications to ssh_config they wanted to be able to deliver, because I
wanted to know whether it was a matter of packaging site-local changes
or a matter of extensions being made by other packages that we might
ship in the distribution. Site-local changes I entirely understand; if
it were distribution-shipped changes then I would want to look into the
details at some more length.

I generally try hard to avoid the scope of a bug drifting too far. My
experience is that it's easy to consolidate multiple bugs that turn out
to be about the same thing, but difficult to deal with single bugs that
have ended up being about multiple things. It can be difficult to avoid
sounding sharp when trying to stop a bug from undergoing scope creep,
and I'm sorry for that. However, please do take any points about
sshd_config to a separate bug report.

--
Colin Watson [<email address hidden>]

Colin Watson (cjwatson)
Changed in openssh (Ubuntu):
status: Confirmed → Fix Committed
assignee: nobody → Colin Watson (cjwatson)