chef-ssh icon indicating copy to clipboard operation
chef-ssh copied to clipboard

Published 20 hours ago verified publisher icon markolson

ssh_config blocks should be prepended to /etc/ssh/ssh_config

Open neilmb opened this issue 9 years ago • 2 comments

Because new Host stanzas are placed by this cookbook at the end of the file, those cannot be used to override any defaults that are present in a Host * block at the beginning of /etc/ssh/ssh_config.

man ssh_config says "Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end."

For example, if StrictHostKeyChecking ask is set in Host *, then it is impossible to turn it off with

ssh_config 'github.com' do
  options StrictHostKeyChecking: 'no'
end

I think that the ssh_config resource should add its blocks before entries that are already in the ssh_config file to make this override behavior possible.

Currently, to override defaults given in a Host * block, a workaround is required: first do

ssh_config '*' do
  action :remove
end

neilmb avatar Jan 18 '16 21:01 neilmb

@neilmb sorry to have neglected this so long, I've been overwhelmed with other priorities. Unfortunately, what you are asking here is a breaking change. While you would like (understandably) to have entries pre-pended, others may be depending on the current behavior. Changing it will break people's code.

What I would propose is that we add a 'priority' attribute to the resource, default to a priority of 50, and then sort by priority. This would allow you more control while leaving the current behavior as the default.
Each entry's priority would then be added as a comment on the line so that it would be maintained over time. Entries missing a priority comment would be defaulted to 50 Unfortunately, I do not have time to code up such a change at this time, and probably won't for the next few months. I would be more than happy to accept a PR if you're open to tackling this, otherwise I can only ask that you be patient.

tejaycar avatar Feb 22 '16 16:02 tejaycar

I can see where this would be a breaking change. The fundamental issue is that stanzas in ssh_config are ordered in their effect, but the current setup doesn't have any way to control the ordering. I think that adding "priority" is a reasonable bridge between the existing behavior and one that has a sense of order.

I have a workaround right now, so a PR is down on my priority list, but I will try to get to it when I can.

neilmb avatar Feb 22 '16 16:02 neilmb