
#1 2024-09-24 08:16:05

usbpc
Member
Registered: 2021-08-02
Posts: 23

[SOLVED] openssh 9.9p1-1 Match criteria no longer valid

I have my SSH config set up so that it automatically uses a jump host when a direct connection is not possible; I also use the config to set the username on the hosts. I've noticed today that openssh no longer likes my configuration:

$ ssh srv1.example.com
Missing Match criteria for host=*.example.com,233.252.*
/home/username/.ssh/config line 1: Bad Match condition
Unsupported Match attribute host=*.example.com,!login.example.com
/home/username/.ssh/config line 4: Bad Match condition
/home/username/.ssh/config: terminating, 2 bad configuration options

This is a minimal example configuration built from my real one that has the same problems:

Match host="*.example.com,233.252.*"
        User usbpc

Match host="*.example.com,!login.example.com" !exec="nc -z -w10 %h 22"
        ProxyJump login.example.com

This is the OpenSSH version I'm using; I updated to it yesterday, but only wanted to use ssh again today:

$ ssh -V
OpenSSH_9.9p1, OpenSSL 3.3.2 3 Sep 2024
$ grep -i openssh /var/log/pacman.log
[2024-02-12T10:03:21+0000] [ALPM] installed openssh (9.6p1-1)
[2024-02-21T14:15:46+0100] [ALPM] upgraded openssh (9.6p1-1 -> 9.6p1-3)
[2024-03-14T09:22:43+0100] [ALPM] upgraded openssh (9.6p1-3 -> 9.7p1-1)
[2024-05-08T10:27:36+0200] [ALPM] upgraded openssh (9.7p1-1 -> 9.7p1-2)
[2024-07-04T17:20:13+0200] [ALPM] upgraded openssh (9.7p1-2 -> 9.8p1-1)
[2024-09-23T13:55:53+0200] [ALPM] upgraded openssh (9.8p1-1 -> 9.9p1-1)

Is this a bug in the OpenSSH version 9.9p1?

Last edited by usbpc (2024-09-24 10:21:42)


#2 2024-09-24 08:56:19

Lithium Sulfate
Member
Registered: 2020-07-01
Posts: 25

Re: [SOLVED] openssh 9.9p1-1 Match criteria no longer valid

The release notes for OpenSSH suggest that there have been some changes in the parsing of Match directive arguments in the latest release, but the fixes noted there didn't really seem applicable in your case, from what I can tell.

I tried to replicate your examples and while fumbling around I found that by omitting the '=' characters from the arguments, I think I got them to work again. Please confirm if something like this works for you:

Match host "*.example.com,233.252.*"
        User usbpc

Match host "*.example.com,!login.example.com" !exec "nc -z -w10 %h 22"
        ProxyJump login.example.com

Whether this is intentional or not from OpenSSH's side, I cannot say.

Last edited by Lithium Sulfate (2024-09-24 10:08:00)


#3 2024-09-24 10:21:29

usbpc
Member
Registered: 2021-08-02
Posts: 23

Re: [SOLVED] openssh 9.9p1-1 Match criteria no longer valid

Thanks! That fixed the problem. From this sentence in ssh_config(5) I feel like the version with the '=' sign should also be valid:

Configuration options may be separated by whitespace or optional whitespace and exactly one ‘=’;


#4 2024-09-24 13:52:15

seth
Member
Registered: 2012-09-03
Posts: 57,026

Re: [SOLVED] openssh 9.9p1-1 Match criteria no longer valid

Configuration options may be separated by whitespace or optional whitespace and exactly one ‘=’;

Match host = "*.example.com,233.252.*"
        User usbpc

Match host = "*.example.com,!login.example.com" !exec = "nc -z -w10 %h 22"
        ProxyJump login.example.com


#5 2024-09-25 06:03:58

Lithium Sulfate
Member
Registered: 2020-07-01
Posts: 25

Re: [SOLVED] openssh 9.9p1-1 Match criteria no longer valid

seth wrote:

Configuration options may be separated by whitespace or optional whitespace and exactly one ‘=’;

Match host = "*.example.com,233.252.*"
        User usbpc

Match host = "*.example.com,!login.example.com" !exec = "nc -z -w10 %h 22"
        ProxyJump login.example.com

That doesn't seem to work either, but this does:

Match = host "*.example.com,233.252.*"
        User usbpc

Match = host "*.example.com,!login.example.com" !exec "nc -z -w10 %h 22"
        ProxyJump login.example.com

This makes sense to me now insofar as the documentation says,

The file contains keyword-argument pairs, one per line [...]

... with 'Match' being the keyword (just as 'User' or 'ProxyJump' are), and the stuff after the '=' being the argument.

The following would also be equivalent, if we go all the way:

Match=host "*.example.com,233.252.*"
User=usbpc
Match=host "*.example.com,!login.example.com" !exec "nc -z -w10 %h 22"
ProxyJump=login.example.com

This does fall in line with how options are commonly passed with the command line (which the documentation also states is the reason why '=' is allowed---particularly if the arguments contain whitespace), for example:

ssh -o 'User=usbpc' -o 'ProxyJump=login.example.com' whatever.example.com

I think the line "Configuration options may be separated by [...]" is somewhat badly worded in this regard, and should instead say "Configuration keywords may be separated from their arguments by whitespace or optional whitespace and exactly one '='" or something like that to avoid these misunderstandings.

As to why OP's example worked fine before, who knows, perhaps it was simply an inconsistency in the parser that now got fixed---but if that is the case, it should have been communicated more clearly in the release notes, I think.

Last edited by Lithium Sulfate (2024-09-25 06:10:45)
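
The rewrite described in posts #2 and #5, as an added example that is not part of any post in this thread: a small Python linter that finds `Match` lines whose criteria are written `attr=value` or `attr = value` and rewrites them to the whitespace-separated form. The criteria list and the function names are assumptions of this example; the sample input is the configuration from the first post.

```python
import re

# Match criteria that take an argument, per ssh_config(5) (list assumed by this example).
CRITERIA = "host|originalhost|user|localuser|exec|localnetwork|tagged"
MATCH_LINE = re.compile(r"^(\s*match)(\s*=\s*|\s+)(.*)$", re.IGNORECASE)
TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')        # quoted runs stay in one token
ATTACHED = re.compile(rf"^(!?(?:{CRITERIA}))=(.+)$", re.IGNORECASE)
BARE = re.compile(rf"^!?(?:{CRITERIA})$", re.IGNORECASE)


def normalize_line(line):
    """Return (new_line, changed) with Match criteria in 'attr value' form."""
    m = MATCH_LINE.match(line)
    if not m:
        return line, False          # Host, User, ProxyJump ... are left untouched
    out, changed = [], False
    for tok in TOKEN.findall(m.group(3)):
        attached = ATTACHED.match(tok)
        if attached:                # host="a,b"  ->  host "a,b"
            out += [attached.group(1), attached.group(2)]
            changed = True
        elif tok == "=" and out and BARE.match(out[-1]):
            changed = True          # host = "a,b" -> host "a,b" (drop the '=')
        else:
            out.append(tok)
    return f"{m.group(1)}{m.group(2)}{' '.join(out)}", changed


def lint(text):
    """Return (normalized_text, [line numbers that were rewritten])."""
    lines, hits = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, changed = normalize_line(line)
        lines.append(new)
        if changed:
            hits.append(n)
    return "\n".join(lines) + "\n", hits

# Constructed sample: the configuration from the first post.
SAMPLE = '''Match host="*.example.com,233.252.*"
        User usbpc

Match host="*.example.com,!login.example.com" !exec="nc -z -w10 %h 22"
        ProxyJump login.example.com
'''

if __name__ == "__main__":
    fixed, hits = lint(SAMPLE)
    print(f"rewrote lines {hits}\n{fixed}", end="")
```

The `Match = host ...` and `Match=host ...` spellings from post #5 pass through unchanged, since there the `=` separates the keyword from its arguments.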


#6 2024-09-25 13:29:23

usbpc
Member
Registered: 2021-08-02
Posts: 23

Re: [SOLVED] openssh 9.9p1-1 Match criteria no longer valid

Thanks for the replies. I reported the problem to the developers and the new parser was already modified, so my original configuration is valid again: https://bugzilla.mindrot.org/show_bug.cgi?id=3739

@seth, I've read the sentence as:

Configuration options may be separated by ([whitespace] or [optional whitespace] and [exactly one ‘=’]);

However it is meant to be interpreted, the developer decided that my interpretation of the documentation was valid, even if not intended.

