include in .ssh/config

Bug #739495 reported by Andrei Darashenka
This bug affects 24 people
Affects | Status | Importance | Assigned to | Milestone
portable OpenSSH | Confirmed | Wishlist | |
openssh (Ubuntu) | Fix Released | Wishlist | Unassigned |

Bug Description

Could you implement a sub-config including feature, please?
It's very useful to split a user config file into many pieces if you have many hosts.

Tags: patch wishlist
In , gavinbeatty (gavinbeatty) wrote :

Created attachment 1623
Attached is a patch for an almost complete implementation. All that remains is the "file not readable is not an error" logic.

Adding the following to your config file should read the named file in place.

Include "~/.ssh/config.customer1"

If the file is not found, only a warning should be given, like so:

warning("%s line %d: Include file \"%s\" not found - skipping.", ...);

~/ and ~username expansion should be available.

Andrei Darashenka (andry2) wrote :
tags: added: patch
Mathieu Trudel-Lapierre (cyphermox) wrote :

It seems like this is a bug that has already been reported to the developers of OpenSSH. Please consider commenting in the upstream bug (https://bugzilla.mindrot.org/show_bug.cgi?id=1585) and proposing your patch, possibly integrating some of the work in the draft patch that is already included there.

Looks like there are some extra changes too, so that might need to be cleaned up.

Changed in openssh (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
In , Jakob Hilden (jakobhilden) wrote :

+1 Would be a very, very useful feature. And I know a bunch of other devs who also need this.

Changed in openssh:
importance: Unknown → Wishlist
status: Unknown → Confirmed
In , Tomas Pospisek (tpo-deb) wrote :

+1 I needed just this today

The use case is the following:

* my employer is maintaining an ssh_config file that registers all machines
* I have some settings and hosts of my own

How do I usefully integrate those two files?
*t

In , Adam-pierre-dany (adam-pierre-dany) wrote :

+1 This feature could be very useful.

@Tomas Pospisek: For now you can only do some cheat with a shell script.
For example, having your configuration files in ~/.ssh/config.d and making that type of alias:
alias ssh="cat ~/.ssh/config.d/* > ~/.ssh/config ; ssh"
It's my way to keep my config file up-to-date.

I subscribe to this ticket.

(In reply to comment #2)
> +1 I needed just this today
>
> The use case is the following:
>
> * my employer is maintaining an ssh_config file that registers all
> machines
> * I have some settings and hosts of my own
>
> How do I usefully integrate those two files?
> *t

In , Mindrot-0 (mindrot-0) wrote :

+1

In , Kived (kived) wrote :

+1 here as well.

I'm trying to set up a secure Apt archive using ssh to limit access. I'm also making a Debian package to set up access to the archive, so it would be nice to add the Host stanza to a separate file for maintenance reasons.

Methods such as using aliases/scripts to aggregate the various config files before execing ssh won't work for this, as apt-get is not going to call a shell-defined alias.

Guess I'm gonna have to fall back to my old method of using scripts to rewrite /etc/ssh/ssh_config - which is a horrible way to do things. This is precisely why pretty much every major Linux service uses config.d directories instead of monolithic config files. EXCEPT OPENSSH.

This request has now been ignored for 4 years. It would be nice to see some sort of response.

In , pataquets (pataquets) wrote :

Definitely +1 to this!

An alternative (and more generic) approach would be doing this by intercepting .conf file reads (via FUSE?). After thinking a little about this and googling, I've found something that might be a good start:
https://code.google.com/p/scriptfs/

@dkived: Maybe you can try this for your scenario and post how it works. I haven't tried it but looks like it can do the trick.

In , Joshua-shaffner (joshua-shaffner) wrote :

+1

In , Mindrot-j (mindrot-j) wrote :

Created attachment 2274
Include option patch for OpenSSH 6.2

This is really just a modified version of Gavin Beatty's patch, slightly altered so it'll apply cleanly to OpenSSH 6.2 (i.e. yesterday's CVS checkout).

In , pataquets (pataquets) wrote :

Another, FUSE-based solution (not tested myself):
https://github.com/markhellewell/sshconfigfs

In , Mindrot-j (mindrot-j) wrote :

While FUSE-based solutions are available, they're hardly portable and not available on most of the platforms listed on http://openssh.com/portable.html.

What does it take to convince the developers to include Gavin's patch into mainline?

In , Schmurfy (schmurfy) wrote :

2009? This bug is rather young, I am sure at least 10 years is mandatory to have something as complex as this integrated... There are even patches attached without even a comment on them.

As far as I can tell user interface is clearly not the focus of either OpenSSL or OpenSSH, just take a look at the OpenSSL API if you need convincing.

The funny thing is that if security is the concern here this is stupid since users will do things that may open a real security risk instead of relying on a proven built-in Include which could just apply the same rules it uses when loading the main ".ssh/config".

What is preventing this from getting in???
This is a really helpful feature if you want to work with generated files without destroying your main config file.

Salz` (salzig) wrote :

Would love to see this feature. I'm working with different machines for a variety of customers. This feature would allow me to create a config.d/ and group settings by customer. It would allow me to easily share those settings with colleagues, in the end.

Simon Law (sfllaw) wrote :

From: https://bugzilla.mindrot.org/show_bug.cgi?id=1585#c24

Damien Miller 2016-04-15 13:01:08 EST
Slightly modified patch applied, this will be in openssh-7.3

commit dc7990be865450574c7940c9880567f5d2555b37
Author: <email address hidden> <email address hidden>
Date: Fri Apr 15 00:30:19 2016 +0000

    upstream commit

    Include directive for ssh_config(5); feedback & ok markus@

    Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff

commit 35f22dad263cce5c61d933ae439998cb965b8748
Author: <email address hidden> <email address hidden>
Date: Fri Apr 15 00:31:10 2016 +0000

    upstream commit

    regression test for ssh_config Include directive

    Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e

Colin Watson (cjwatson) wrote :

Indeed, this was added in OpenSSH 7.3, which is in Ubuntu 16.10.

Changed in openssh (Ubuntu):
status: Confirmed → Fix Released
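
Added example (not part of the bug report and not OpenSSH code): a Python audit sketch that follows Include lines as the thread describes them (in-place inclusion, ~/ expansion, missing files skipped rather than fatal) and applies to every included file the owner/permission rule ssh uses for the main user config, as one comment above suggests. Assumptions: glob patterns and resolving relative names under ~/.ssh follow ssh_config(5) as released; the function names, the nesting cap of 16 and the sample tree are constructed for illustration.

```python
import glob, os, pathlib, shlex, stat, tempfile

def audit_config(path, home, depth=0, report=None):
    """Walk an ssh_config and every file it Includes; return [(path, finding)]."""
    report = [] if report is None else report
    try:
        st = os.stat(path)
        lines = pathlib.Path(path).read_text().splitlines()
    except OSError:
        report.append((path, "not readable - skipping"))
        return report
    # Rule ssh applies to the main user config: owner is the user or root, no group/other write.
    bad = st.st_uid not in (0, os.getuid()) or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    report.append((path, "bad owner or permissions" if bad else "ok"))
    for line in lines:
        try:
            words = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote: not a line we can interpret
            continue
        if not words or words[0].lower() != "include":
            continue
        for pattern in words[1:]:
            if pattern.startswith("~/"):      # ~username expansion is not handled here
                pattern = os.path.join(home, pattern[2:])
            elif not os.path.isabs(pattern):  # relative names resolve under ~/.ssh
                pattern = os.path.join(home, ".ssh", pattern)
            matches = sorted(glob.glob(pattern))
            if not matches:
                report.append((pattern, "matched no files - skipping"))
            for match in matches if depth < 16 else []:  # sketch's nesting cap stops Include loops
                audit_config(match, home, depth + 1, report)
    return report

def build_sample(root):  # constructed sample tree, not taken from the page
    os.makedirs(os.path.join(root, ".ssh", "config.d"))
    files = {"config": 'Include config.d/*\nInclude "~/.ssh/config.customer1" missing.conf\n',
             "config.d/a.conf": "Host a\n  User alice\n",
             "config.d/b.conf": "Host b\n  User bob\n",   # left world-writable below
             "config.customer1": "Host c1\n  Port 2222\n"}
    for name, body in files.items():
        target = os.path.join(root, ".ssh", name)
        pathlib.Path(target).write_text(body)
        os.chmod(target, 0o666 if name.endswith("b.conf") else 0o600)
    return os.path.join(root, ".ssh", "config")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        for found in audit_config(build_sample(home), home):
            print(*found, sep=": ")
```

Include lines inside Host or Match blocks are conditional in ssh; this audit follows them unconditionally so that every file that could be read gets checked.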
bhat3 (bhat3) wrote :

@cjwatson @paelzer Any chance we could backport that patch for xenial as SRU? It's a long-standing bug and helps superbly with automation of Ubuntu LTS for web platforms. We like to use it for easy and user specific conf.d style client config updates in deployment scenarios.
