First property value in config should win

Only the first value of MaxStartups, PerSourceNetBlockSize and IPQoS in sshd_config should count when defined multiple times Resolves: RHEL-150365 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2026-03-12 12:46:12 +01:00 · 2026-03-12 12:46:12 +01:00 · 394f1022a0
commit 394f1022a0
parent 0a7a052f87
2 changed files with 116 additions and 0 deletions
--- a/openssh-9.9p1-first-match-wins.patch
+++ b/openssh-9.9p1-first-match-wins.patch
@ -0,0 +1,106 @@
+diff --color -ruNp a/regress/cfgparse.sh b/regress/cfgparse.sh
+--- a/regress/cfgparse.sh	2024-09-20 00:20:48.000000000 +0200
+++ b/regress/cfgparse.sh	2026-03-05 17:30:54.959690744 +0100
+@@ -51,7 +51,7 @@ listenaddress ::1
+ EOD
+ 
+ ($SUDO ${SSHD} -T -f $OBJ/sshd_config.1 | \
+- grep 'listenaddress ' >$OBJ/sshd_config.2 &&
+ grep '^listenaddress ' >$OBJ/sshd_config.2 &&
+  diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \
+  fail "listenaddress order 1"
+ # test 2: listenaddress first
+@@ -67,9 +67,22 @@ listenaddress ::1
+ EOD
+ 
+ ($SUDO ${SSHD} -T -f $OBJ/sshd_config.1 | \
+- grep 'listenaddress ' >$OBJ/sshd_config.2 &&
+ grep '^listenaddress ' >$OBJ/sshd_config.2 &&
+  diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \
+  fail "listenaddress order 2"
+ 
+# Check idempotence of MaxStartups
+verbose "maxstartups idempotent"
+echo "maxstartups 1:2:3" > $OBJ/sshd_config.0
+cat > $OBJ/sshd_config.1 <<EOD
+${SSHD_KEYS}
+MaxStartups 1:2:3
+MaxStartups 8:16:32
+EOD
+($SUDO ${SSHD} -T -f $OBJ/sshd_config.1 | \
+ grep '^maxstartups ' >$OBJ/sshd_config.2 &&
+ diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \
+ fail "maxstartups idempotence"
+
+ # cleanup
+ rm -f $OBJ/sshd_config.[012]
+diff --color -ruNp a/servconf.c b/servconf.c
+--- a/servconf.c	2026-03-05 16:15:49.035275297 +0100
+++ b/servconf.c	2026-03-05 17:13:29.915897329 +0100
+@@ -1366,7 +1366,7 @@ process_server_config_line_depth(ServerO
+     struct include_list *includes)
+ {
+ 	char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
+-	int cmdline = 0, *intptr, value, value2, n, port, oactive, r;
+	int cmdline = 0, *intptr, value, value2, value3, n, port, oactive, r;
+ 	int ca_only = 0, found = 0;
+ 	SyslogFacility *log_facility_ptr;
+ 	LogLevel *log_level_ptr;
+@@ -2095,25 +2095,27 @@ process_server_config_line_depth(ServerO
+ 		if (!arg || *arg == '\0')
+ 			fatal("%s line %d: %s missing argument.",
+ 			    filename, linenum, keyword);
+		/* begin:rate:max */
+ 		if ((n = sscanf(arg, "%d:%d:%d",
+-		    &options->max_startups_begin,
+-		    &options->max_startups_rate,
+-		    &options->max_startups)) == 3) {
+-			if (options->max_startups_begin >
+-			    options->max_startups ||
+-			    options->max_startups_rate > 100 ||
+-			    options->max_startups_rate < 1)
+		    &value, &value2, &value3)) == 3) {
+			if (value > value3 || value2 > 100 || value2 < 1)
+ 				fatal("%s line %d: Invalid %s spec.",
+ 				    filename, linenum, keyword);
+-		} else if (n != 1)
+		} else if (n == 1) {
+			value3 = value;
+			value = value2 = -1;
+		} else {
+ 			fatal("%s line %d: Invalid %s spec.",
+ 			    filename, linenum, keyword);
+-		else
+-			options->max_startups = options->max_startups_begin;
+-		if (options->max_startups <= 0 ||
+-		    options->max_startups_begin <= 0)
+		}
+		if (value3 <= 0 || (value2 != -1 && value <= 0))
+ 			fatal("%s line %d: Invalid %s spec.",
+ 			    filename, linenum, keyword);
+		if (*activep && options->max_startups == -1) {
+			options->max_startups_begin = value;
+			options->max_startups_rate = value2;
+			options->max_startups = value3;
+		}
+ 		break;
+ 
+ 	case sPerSourceNetBlockSize:
+@@ -2133,7 +2135,7 @@ process_server_config_line_depth(ServerO
+ 		if (n != 1 && n != 2)
+ 			fatal("%s line %d: Invalid %s spec.",
+ 			    filename, linenum, keyword);
+-		if (*activep) {
+		if (*activep && options->per_source_masklen_ipv4 == -1) {
+ 			options->per_source_masklen_ipv4 = value;
+ 			options->per_source_masklen_ipv6 = value2;
+ 		}
+@@ -2621,7 +2623,7 @@ process_server_config_line_depth(ServerO
+ 		else if ((value2 = parse_ipqos(arg)) == -1)
+ 			fatal("%s line %d: Bad %s value: %s",
+ 			    filename, linenum, keyword, arg);
+-		if (*activep) {
+		if (*activep && options->ip_qos_interactive == -1) {
+ 			options->ip_qos_interactive = value;
+ 			options->ip_qos_bulk = value2;
+ 		}
--- a/openssh.spec
+++ b/openssh.spec
@ -228,6 +228,12 @@ Patch1033: openssh-9.9p1-reject-null-char-in-url-string.patch
 Patch1034: openssh-9.9p1-sshd-no-delegate-credentials.patch
 Patch1035: openssh-10.0-mlkem-nist-fips.patch
 Patch1036: openssh-9.9p1-gssapi-s4u.patch
+# upstream 683d0abe596b069a896f1688f86256f1beeb0cdc
+# upstream 9313233a735733821dfd170b70782fb7da492962
+# upstream 2b0f4a72bd87bef7cc9f0a1889cfc98545cbb158
+# upstream 19f7cb39eecb4b8f768f37e8294dc3a9142e022b
+# upstream 97b32fa2af25c16aec4de85c5cbb63fd038b4dfa
+Patch1037: openssh-9.9p1-first-match-wins.patch

 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@ -428,6 +434,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1034 -p1 -b .sshd-nogsscreds
 %patch -P 1035 -p1 -b .mlkem-nist-fips
 %patch -P 1036 -p1 -b .gssapi-s4u
+%patch -P 1037 -p1 -b .first-match-wins

 %patch -P 100 -p1 -b .coverity

@ -711,6 +718,9 @@ test -f %{sysconfig_anaconda} && \
 * Thu Mar 12 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-22
 - Remove recommendation of p11-kit
  Resolves: RHEL-139070
+- Only the first value of MaxStartups, PerSourceNetBlockSize and IPQoS
+  in sshd_config should count when defined multiple times
+  Resolves: RHEL-150365

 * Wed Mar 11 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-21
 - Implement obtaining Kerberos tickets on behalf of user on SSH authentication