
Generate a cleaner ssh config file

Open SphericalHam opened this issue 4 years ago • 5 comments

These changes make the config file generated a bit cleaner in some cases. It's also now possible to determine that no config need be generated at all.

SphericalHam avatar Aug 26 '20 03:08 SphericalHam

Theoretically none of the Host lines should be necessary, because the SSH manual says:

https://www.freebsd.org/cgi/man.cgi?ssh_config(5)

Include directive may appear inside a Match or Host block to perform conditional inclusion.

and the root ~/.ssh/config already wraps the Include inside a Host block.

I'm not sure if this conditional inclusion actually works.

pjcdawkins avatar Aug 31 '20 12:08 pjcdawkins

You're quite right, the entire file is only included for matching hosts - a quick look at the OpenSSH source confirms that it does indeed work that way.

Personally, I think it's wise to avoid assuming that the root ssh config is set in a particular way - the user is asked if the config should be modified, after all.

One thing I do with my ssh config files is to avoid inclusions at all. I do this because paramiko, the Python ssh library, doesn't support inclusions in config files at all. Generally, when I manage config files, I use a script to join all config fragments together to form the final config file. This approach can play poorly with config fragments that have an empty host block at the end.

If we do assume that the file is included conditionally, we could do away with generating host blocks altogether - just use the match exec. I can re-work this PR for that if that's what we prefer.

SphericalHam avatar Sep 02 '20 03:09 SphericalHam

The match exec is only there if there is a cert.

Sounds like you'd need the file to end in Host *, then there isn't a risk from an empty host block? As well as the tidying you suggest.

pjcdawkins avatar Sep 02 '20 07:09 pjcdawkins

I guess my thinking is kinda backwards.

If the file is included with OpenSSH's Include directive, then it doesn't matter what Host blocks there are in the included file - the Host blocks only apply to that file.

If the file is concatenated the way I describe, then it sort of doesn't matter how the file ends - empty host block or not, the next file would have to start with a Host line to set the state to something known.

So I guess, then, that the only thing this does is generate a more tidy file.

SphericalHam avatar Sep 02 '20 08:09 SphericalHam

The Host *.platform.sh within this file (whether it's "empty" or not) will continue applying to any statements except those after another Host or Match, so if you're concatenating any SSH config files, you'll have unpredictable results. That's why it'd need Host * or Match all at the end.

pjcdawkins avatar Sep 02 '20 21:09 pjcdawkins
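
The scoping behaviour discussed in this thread, as an added example that is not part of the original comments or the CLI's own code: it concatenates two config fragments and reports which Host/Match line each option ends up under, with and without a `Match all` terminator. The fragment contents, the key path, `example.internal` and the function names are constructed for illustration, and the parser is a simplified assumption that handles only `Keyword argument` and `Keyword=argument` lines.

```python
import re

# Constructed sample fragments (not the CLI's real output).
GENERATED = """\
Host *.platform.sh
  IdentityFile ~/.ssh/example_key
"""
# This fragment expects its first option to apply to every host.
OTHER = """\
ServerAliveInterval 30
Host example.internal
  User deploy
"""

def join_fragments(fragments, terminator=None):
    """Concatenate fragments, optionally ending each with a scope-reset line."""
    parts = []
    for frag in fragments:
        parts.append(frag.rstrip("\n"))
        if terminator:
            parts.append(terminator)
    return "\n".join(parts) + "\n"

def scopes(config_text):
    """Return (scope, keyword, argument) for every option line.

    scope is the Host/Match line in effect, or "(global)" before the first one.
    """
    current, out = "(global)", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue  # keyword without an argument: ignored in this sketch
        keyword, arg = m.group(1), m.group(2)
        if keyword.lower() in ("host", "match"):
            current = f"{keyword.capitalize()} {arg}"  # a new block starts here
        else:
            out.append((current, keyword, arg))
    return out

def scope_of(config_text, keyword):
    """List the scopes under which `keyword` appears."""
    return [s for s, k, _ in scopes(config_text) if k.lower() == keyword.lower()]

if __name__ == "__main__":
    for label, term in (("plain join", None), ("with 'Match all'", "Match all")):
        joined = join_fragments([GENERATED, OTHER], terminator=term)
        print(label, "->", scope_of(joined, "ServerAliveInterval"))
```

Running the same check over a joined file before deploying it shows any option that has silently moved from global scope into a preceding fragment's Host block.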