- Bug
- Resolution: Unresolved
- Normal
- rhel-9.4.z
- openssh-8.7p1-44.el9
- None
- Moderate
- FutureFeature
- 1
- rhel-sst-security-crypto
- ssg_security
- 12
- 0.1
- False
- No
- Red Hat Enterprise Linux
- Crypto24Q4
- Pass
- Not Needed
- Automated
- Release Note Not Required
- x86_64
- None
What were you trying to do that didn't work?
Requested that the following fix [1] be backported (cherry-picked) to sshd for use with RHOCP 4.16 (based on RHEL 9.4).
[1] https://github.com/openssh/openssh-portable/commit/52dfe3c72d98503d8b7c6f64fc7e19d685636c0b
[Background]
As of now, /etc/ssh/sshd_config in RHOCP 4.16 (based on RHEL 9.4) has the following lines:
$ grep -nE "Include|Subsystem" /etc/ssh/sshd_config
15:Include /etc/ssh/sshd_config.d/*.conf
123:Subsystem sftp /usr/libexec/openssh/sftp-server
There are two possible ways for a RHOCP customer to change the sftp log level:
1. Edit the /etc/ssh/sshd_config file directly.
   However, in this case a problem like https://access.redhat.com/solutions/7030537 occurs when upgrading the OCP cluster, so direct editing of sshd_config should be avoided if possible.
2. Change the sftp settings using the "Include" feature.
   For example, create a file named /etc/ssh/sshd_config.d/90-sftp.conf with the following contents:
   Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l INFO
   Normal configuration changes work fine this way, but a Subsystem configuration change results in the following error and sshd terminates abnormally:
   /etc/ssh/sshd_config line 123: Subsystem 'sftp' already defined.
Therefore, we request that the following fix [1] be backported (cherry-picked) into sshd for use with RHOCP 4.16 (based on RHEL 9.4).
After that, even if duplicate Subsystem directives are configured, sshd will ignore the later ones instead of exiting with an error (the ignored lines are reported as debug messages).
Why does the customer need this?
Our customer needs to change the log level of sftp on their cluster.
Currently, the only way to do this is to edit sshd_config directly; however, this can cause problems such as https://access.redhat.com/solutions/7030537.
To reduce the possibility of problems caused by configuration changes, we would like to backport the fix [1] (introduced in OpenSSH 9.5) into the RHOCP 4.16 environment.
While one might think this is a special situation of the RHOCP environment, the fix has already been applied in the upstream version and allows more flexibility in how the configuration is used.
Please provide the package NVR for which the bug is seen:
openssh-8.7p1-38.el9_4.4.src.rpm
How reproducible:
Add another Subsystem line (A) before the existing Subsystem line (B) in the /etc/ssh/sshd_config file:
(A) Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l INFO
(B) Subsystem sftp /usr/libexec/openssh/sftp-server
Expected results
Even if there are multiple Subsystem lines for the same subsystem name (e.g. "sftp"), sshd displays the following debug message, ignores the later Subsystem lines, and continues running:
/etc/ssh/sshd_config line XXX: Subsystem 'sftp' already defined.
Actual results
If there are multiple Subsystem lines for the same subsystem name (e.g. "sftp"), sshd exits abnormally with the following message:
/etc/ssh/sshd_config line XXX: Subsystem 'sftp' already defined.
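As an added illustration (not code from this report or from OpenSSH), the following Python models the configuration-loading order the report relies on: the Include at line 15 is expanded in place, so a Subsystem line from a drop-in file is read before the default Subsystem at line 123, and the allow_duplicates flag switches between the current fatal behaviour and the requested first-definition-wins behaviour. The file contents are constructed in memory, and load_config is a hypothetical helper, not sshd's parser.

```python
import fnmatch

# Constructed in-memory stand-in for /etc/ssh/sshd_config and the
# sshd_config.d drop-in directory described in the report (not real files).
FILES = {
    "/etc/ssh/sshd_config": [
        "Include /etc/ssh/sshd_config.d/*.conf",
        "Subsystem sftp /usr/libexec/openssh/sftp-server",
    ],
    "/etc/ssh/sshd_config.d/90-sftp.conf": [
        "Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l INFO",
    ],
}


def load_config(path, allow_duplicates, subsystems=None, log=None):
    """Walk an sshd_config in file order, expanding Include globs in place.

    allow_duplicates=False models openssh <= 9.4 (a repeated Subsystem
    name is fatal); True models the OpenSSH 9.5 behaviour requested in
    this bug (first definition wins, later ones are logged at debug level
    and ignored).  Returns (subsystems, log), where subsystems maps a
    subsystem name to its command line.
    """
    subsystems = {} if subsystems is None else subsystems
    log = [] if log is None else log
    for lineno, line in enumerate(FILES[path], start=1):
        keyword, _, rest = line.partition(" ")
        if keyword == "Include":
            # Included files are parsed at the point of the Include line,
            # so their directives come before anything that follows it.
            for inc in sorted(p for p in FILES if fnmatch.fnmatch(p, rest)):
                load_config(inc, allow_duplicates, subsystems, log)
        elif keyword == "Subsystem":
            name, _, command = rest.partition(" ")
            if name in subsystems:
                msg = f"{path} line {lineno}: Subsystem '{name}' already defined."
                if not allow_duplicates:
                    raise RuntimeError(msg)  # sshd exits; the service fails
                log.append("debug: " + msg)  # fixed behaviour: ignore line
                continue
            subsystems[name] = command
    return subsystems, log
```

The drop-in wins only because the Include precedes the default Subsystem line; if the order were reversed, the drop-in would be the ignored one.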
- is related to: RFE-5513 [OpenSSH] Allow duplicate Subsystem directives (Rejected)
- links to: RHBA-2024:140146 openssh update