我的 OpenSSH Include 指令有什么问题?

tag-icon tag-icon macos ssh openssh
我的 OpenSSH Include 指令有什么问题?

最近,macOS Sierra 上的 OpenSSH 升级到了 7.3p1这意味着Include配置指令可用,好嘞!

然而我在实际使用它时遇到了问题。

我有以下内容~/.ssh/config

Host github.com
Hostname github.com
User git
IdentityFile ~/.ssh/keys/github_rsa

Host den
HostName narzt-desktop.local
User camden
GSSAPIAuthentication no
AddressFamily inet

Host walle
User CamdenNarzt
HostName WALLE.local
AddressFamily inet
GSSAPIAuthentication no

Include ~/.ssh/config.d/*

我看见这里如果我在 ssh 命令中添加了一堆-v标志,可能会有一些有用的调试输出,但是当我在其中一个包含的文件中测试主机的配置时,我得到了以下信息:

$ \ssh -vvvvG git-codecommit.us-east-1.amazonaws.com
OpenSSH_7.3p1, LibreSSL 2.4.1
debug1: Reading configuration data /Users/camdennarzt/.ssh/config
debug3: /Users/camdennarzt/.ssh/config line 31: Including file /Users/camdennarzt/.ssh/config.d/family.conf depth 0 (parse only)
debug1: Reading configuration data /Users/camdennarzt/.ssh/config.d/family.conf
debug3: /Users/camdennarzt/.ssh/config line 31: Including file /Users/camdennarzt/.ssh/config.d/icloud.conf depth 0 (parse only)
debug1: Reading configuration data /Users/camdennarzt/.ssh/config.d/icloud.conf
debug3: /Users/camdennarzt/.ssh/config line 31: Including file /Users/camdennarzt/.ssh/config.d/metabolistics.conf depth 0 (parse only)
debug1: Reading configuration data /Users/camdennarzt/.ssh/config.d/metabolistics.conf
debug3: /Users/camdennarzt/.ssh/config line 31: Including file /Users/camdennarzt/.ssh/config.d/scanimetrics.conf depth 0 (parse only)
debug1: Reading configuration data /Users/camdennarzt/.ssh/config.d/scanimetrics.conf
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
user camdennarzt
hostname git-codecommit.us-east-1.amazonaws.com
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression no
controlmaster false
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardagent no
forwardx11 no
forwardx11trusted no
gatewayports no
gssapiauthentication no
gssapidelegatecredentials no
hashknownhosts no
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
protocol 2
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
rhostsrsaauthentication no
rsaauthentication yes
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
useprivilegedport no
verifyhostkeydns false
visualhostkey no
updatehostkeys false
canonicalizemaxdots 1
compressionlevel 6
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
kexalgorithms [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
loglevel DEBUG3
macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
xauthlocation /opt/X11/bin/xauth
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_dsa
identityfile ~/.ssh/id_ecdsa
identityfile ~/.ssh/id_ed25519
canonicaldomains
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
sendenv LANG
sendenv LC_*
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177

(忽略第一行的行号,我删除了一些注释以节省问题空间)用户应该是文件中指定的用户~/.ssh/config.d/metabolistics.conf,身份文件也应该是包含的配置文件中指定的文件。我无法发布文件的内容~/.ssh/config.d/metabolistics.conf,但它的格式与主文件完全相同~/.ssh/config,但没有任何其他包含内容。

我检查了权限并且它们对我来说看起来很好:

$ ls -lhRa ~/.ssh/config* 
-rw-------  1 camdennarzt  staff   541B  1 Jan 14:22 /Users/camdennarzt/.ssh/config

/Users/camdennarzt/.ssh/config.d:
total 32
drwxr-xr-x  6 camdennarzt  staff   204B  1 Jan 14:37 .
drwx------  9 camdennarzt  staff   306B  1 Jan 14:22 ..
-rw-------  1 camdennarzt  staff   260B  1 Jan 14:16 family.conf
-rw-------  1 camdennarzt  staff   303B  1 Jan 14:17 icloud.conf
-rw-------  1 camdennarzt  staff   524B  1 Jan 14:15 metabolistics.conf
-rw-------  1 camdennarzt  staff   1.6K  1 Jan 14:15 scanimetrics.conf

答案1

我自己找到了答案。线索就在ssh_config手册页中:

包括

包含指定的配置文件。可以指定多个路径名,每个路径名可以包含 glob(3) 通配符,对于用户配置,可以包含类似 shell 的“~”引用用户主目录。

如果文件包含在用户配置文件中,则假定该文件没有绝对路径,该文件位于 ~/.ssh 中;如果文件包含在系统配置文件中,则假定该文件位于 /etc/ssh 中。Include 指令可能出现在 Match 或 Host 块内,以执行条件包含。

我的Include声明尾随一条Host指令,因此它被包含在该主机的配置中。

答案2

如果在语句前面加上,则可以将Include语句留在文件末尾Match all。这将终止之前的 Host/Match,然后有条件地始终包含文件。因此,文件将以以下内容结尾:

Match all
Include config.d/*

答案3

事实上没有。

SSHCONF_NEVERMATCH这是标志使用中的一个短路错误。

我正在研究 diff 来修复混乱。包含应该可以到达任何地方(也可以递归),无论是主体还是 Host|Match 块内。

唯一棘手的一点是知道何时展开堆栈read_config_file_depth()并可以再次恢复处理 Host|Match。

我将发布到我的分支当我有东西的时候。

答案4

主要的配置文件大概是:

CheckHostIP yes
Host *
[Indent] [Here are some global configurations required by all hosts]
[line break]
Host github.com
[Indent][Some configurations]
[line break]
Include other configuration files

其他配置文件的内容为:

Host specific host name
[indent] Configuration of this host

此时其他配置文件无法生效,如果将主配置文件改为:

CheckHostIP yes
Host *
[Indent] [Here are some global configurations required by all hosts]
[line break]
Include other configuration files
[line break]
Host github.com
[Indent][Some configurations]

或者:

CheckHostIP yes
Include other configuration files
Host *
[Indent] [Here are some global configurations required by all hosts]
[line break]
Host github.com
[Indent][Some configurations]
[line break]

或者:

CheckHostIP yes
Host *
[Indent] [Here are some global configurations required by all hosts]
[line break]
Host github.com
[Indent][Some configurations]
[line break]
Match all
Include other configuration files

这样全局配置和其他配置文件才能生效。

正如@mestrelion 所说,我已经添加了缩进,但没有效果,对于调试毫无用处...嗯...

相关内容