+++ This bug was initially created as a clone of Bug #1109251 +++

Description of problem:

sshd -T does:

     -T      Extended test mode.  Check the validity of the configuration file,
             output the effective configuration to stdout and then exit.
             Optionally, Match rules may be applied by specifying the
             connection parameters using one or more -C options.

The problem is that it does not show all of the effective configuration. A little annoying.

- default Cipher:

# grep Cipher /etc/ssh/sshd_config
#Ciphers aes192-ctr
# /usr/sbin/sshd -T | grep -i cipher
#

- overridden Cipher:

# grep Cipher /etc/ssh/sshd_config
Ciphers aes192-ctr
# /usr/sbin/sshd -T | grep -i cipher
ciphers aes192-ctr

Ha, one could think that default values are not shown, but this is not the case:

- UseLogin example (by default 'no'):

# grep UseLogin /etc/ssh/sshd_config
#UseLogin no
# /usr/sbin/sshd -T | grep -i uselogin
uselogin no
# man sshd_config | col -b | sed -n '/UseLogin/,/^$/p'
     UseLogin
             Specifies whether login(1) is used for interactive login sessions.
             The default is “no”.  Note that login(1) is never used for remote
             command execution.  Note also, that if this is enabled,
             X11Forwarding will be disabled because login(1) does not know how
             to handle xauth(1) cookies.  If UsePrivilegeSeparation is
             specified, it will be disabled after authentication.
             forwarders.  X11 forwarding is automatically disabled if UseLogin
             is enabled.

So why does it show some default options and some not? Inconsistent.

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-94.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. sshd -T | grep uselogin
2. sshd -T | grep cipher
3.

Actual results:
1. shows the default value
2. no output for the default value; the option is not even displayed

Expected results:
consistency; show values for all options even if they are default

Additional info:

--- Additional comment from Jakub Jelen on 2015-01-21 11:05:53 CET ---

I would say that there are default values and "internal default values".
Default values are set to their default values and then overwritten by the config, because they are usually some boolean or simple string that can be used by all the code. Internal default values (e.g. Ciphers, Macs, KexAlgorithms and some paths) are set to null by default and are handled only in specific places in the code, because they are more specific. That is how it looks as I browse through the code. This also applies to the upstream package, so this is not some invention of ours.

This can be a little annoying, so I propose a patch to pull the default values if they are not set, at least in this dump_config mode.

Completely missing values:
 * GssKeyEx
 * GssStrictAcceptor
 * GssStoreRekey
 * AllowAgentForwarding
 * RequiredAuthentications1
 * RequiredAuthentications2

Values that are output only if they are (re)defined in sshd_config:
 * Ciphers
 * Macs
 * KexAlgorithms
 * Banner
 * ForceCommand
 * ChrootDirectory
 * TrustedUserCAKeys
 * RevokedKeys
 * AuthorizedPrincipalsFile
 * AuthorizedKeysCommand
 * AuthorizedKeysCommandRunAs

I added the missing values, and for values printed only if there was some redefinition I wrote a new function to also print some default value (usually none or disabled). See the proposed patch. I hope this will be more convenient for you.

--- Additional comment from Jakub Jelen on 2015-01-29 18:45:41 CET ---

After some more thinking about this bug, I came up with a compromise solution.
There is no reason to write out all the options with the parameter <NONE> or <EMPTY> if there is no default value (or the default value is empty), especially since the output of sshd -T can be used to generate a new config file, and this would break it.

But I can't say that all the options were written out correctly, so I had to fix some:
 * HostCertificate was written the wrong way
 * Banner was not written if it was not set (now writing "none")
 * AllowAgentForwarding was not written
 * GSSAPIKeyExchange, GSSAPIStrictAcceptorCheck, GSSAPIStoreCredentialsOnRekey were not written
 * UsePAM was written the wrong way
 * RequiredAuthentications1 was missing
 * Ciphers, Macs, KexAlgorithms can be a little misleading, so I send them to the output as well

This ended my research and comparison of the manual pages with the actual behaviour. I hope this will be acceptable for you, Jiri. If you have any more comments, I'm all ears.
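The practical consequence of this thread for anyone auditing a host with sshd -T is that an option absent from the dump does not mean it is off; it may be an internal default the dump does not print. The script below is an added example written for this page (it is not from the report, the proposed patch or OpenSSH): it takes a dump, reports the printed value of each audited option, and fails if any are missing, so "sshd -T | grep cipher" returning nothing is flagged rather than silently treated as "no ciphers configured". The sample dump and the list of audited options are constructed here to mirror the report; the function names are mine. On a real host you would feed it the live output of /usr/sbin/sshd -T.

```shell
#!/bin/sh
# Added example for this thread, not code from the bug report, the proposed
# patch or OpenSSH. It audits an `sshd -T` dump for options that are absent,
# i.e. left at an internal default the dump does not show, instead of trusting
# `sshd -T | grep cipher` alone.

# Constructed sample modelled on the report: 'uselogin' is printed at its
# default, 'ciphers' is not because it was never set in sshd_config.
SAMPLE_DUMP='port 22
protocol 2
uselogin no
usepam yes
x11forwarding yes
permitrootlogin yes
kexalgorithms diffie-hellman-group-exchange-sha256
'

# Options whose absence from the dump matters for a hardening review
# (assumed list; pick whatever your baseline requires).
AUDIT_OPTIONS="ciphers macs kexalgorithms banner allowagentforwarding permitrootlogin"

# has_option DUMP OPTION -> exit 0 if the option appears as the first word of a line.
has_option() {
    printf '%s\n' "$1" | awk -v opt="$2" 'tolower($1) == opt { found = 1 } END { exit !found }'
}

# dump_value DUMP OPTION -> the printed value, or "<not shown>" if the option is
# absent. An option printed with an empty value (the thread mentions
# VersionAddendum and AuthenticationMethods doing this) yields an empty line,
# which is a different finding from the option being missing entirely.
dump_value() {
    if has_option "$1" "$2"; then
        printf '%s\n' "$1" | awk -v opt="$2" 'tolower($1) == opt { $1 = ""; sub(/^ /, ""); print; exit }'
    else
        printf '%s\n' "<not shown>"
    fi
}

# missing_options DUMP -> space-separated audited options absent from the dump.
missing_options() {
    missing=""
    for opt in $AUDIT_OPTIONS; do
        has_option "$1" "$opt" || missing="$missing $opt"
    done
    printf '%s\n' "${missing# }"
}

# audit_dump DUMP -> prints one line per audited option; returns 1 if any of
# them is not shown, so the caller knows the dump is not a complete picture.
audit_dump() {
    for opt in $AUDIT_OPTIONS; do
        printf '%-22s %s\n' "$opt" "$(dump_value "$1" "$opt")"
    done
    [ -z "$(missing_options "$1")" ]
}

# On a real host (as root, so sshd can read its host keys):
#   audit_dump "$(/usr/sbin/sshd -T)"
audit_dump "$SAMPLE_DUMP" || echo "WARNING: some audited options are not in the dump; their effective value is an internal default"
```

Run against the constructed sample it prints uselogin-style entries for kexalgorithms and permitrootlogin but "<not shown>" for ciphers, macs, banner and allowagentforwarding, and exits non-zero. Against a dump produced by a build carrying the fix discussed in this thread, those lines carry real values and the audit passes.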
Created attachment 985986
proposed dist git patch (rawhide)

Fedora 21 and rawhide have the issue with Ciphers "fixed" (writing all the ciphers available), but the 6.6 and 6.7 versions do not contain the upstream commit fixing this problem:
https://anongit.mindrot.org/openssh.git/commit/?id=57d378ec9278ba417a726f615daad67d157de666

Also missing (upstream):
 * AllowAgentForwarding

Same issue with (upstream):
 * HostCertFile
 * UsePAM

Newly missing (upstream):
 * StreamLocalBindMask

Writing an empty value, which is invalid for input (upstream):
 * VersionAddendum
 * AuthenticationMethods

I propose to back-port the above-mentioned patch and add these changes (also proposed to upstream as bz#2346) - see the proposed merged patch.
Created attachment 986023
proposed dist git patch (rawhide)

I missed updating our FIPS patch, and it looks like part of the patch didn't show up in the uploaded attachment. Trying once again.