
Bug#982589: marked as done (installing openssh_server without /etc/ssh/sshd_config ?)



Your message dated Mon, 15 Feb 2021 00:35:54 +0000
with message-id <20210215003554.GV13361@riva.ucam.org>
and subject line Re: Bug#982589: installing openssh_server without /etc/ssh/sshd_config ?
has caused the Debian Bug report #982589,
regarding installing openssh_server without /etc/ssh/sshd_config ?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
982589: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982589
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:8.4p1-3
Severity: wishlist

sshd works very well without /etc/ssh/sshd_config, using just
the defaults, so I wonder if the openssh-server package should
provide /etc/ssh/sshd_config at all?

Providing and maintaining a (sparse) /etc/ssh/sshd_config could
be the responsibility of the local admin, if he likes to override
the default config. /usr/share/openssh/sshd_config would provide
a sample configuration.

This could help to avoid a lot of conflicts at upgrade time, esp.
for changed comment lines in /usr/share/openssh/sshd_config.

Just a suggestion, of course.

Regards
Harri

--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix

On Fri, Feb 12, 2021 at 09:19:01AM +0100, Harald Dunkel wrote:
> sshd works very well without /etc/ssh/sshd_config, using just
> the defaults, so I wonder if the openssh-server package should
> provide /etc/ssh/sshd_config at all?

While it may appear to minimally work, the default sshd_config includes
some policy (particularly enabling PAM, but also a few other things)
that are part of how sshd is supposed to run in Debian.  I don't intend
to ship sshd without that.

It's true that it would be technically possible to patch these into sshd
as modified server defaults, but (with the hopefully-temporary exception
of reverting some upstream IPQoS changes) this is not something we
generally prefer to do.  I have three reasons for this:

 * In my experience, our users tend to find compiled-in modifications
   less clear than having a default sshd_config that indicates the
   distribution's changes to sshd's defaults.

 * I would find it more effort to maintain such patches on an ongoing
   basis.

 * Some of Debian's defaults couldn't be reversed by an admin in
   sshd_config if they were compiled into sshd (in particular the
   changes to Include, AcceptEnv, and Subsystem), so keeping them in the
   configuration file is essential to make it possible for admins to
   undo these if they need to.

Thanks,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

--- End Message ---
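
The request worries about upgrade conflicts caused by changed comment lines, and the reply points out that the shipped file carries policy (PAM, Include, AcceptEnv, Subsystem). The sketch below is an added example, not part of the thread or of Debian's packaging: it compares only the active directives of two sshd_config texts, so comment-only changes vanish and dropped policy stands out. The function names and all three sample files are constructed for illustration.

```python
import re

# Keywords that may be given several times and accumulate (subset used here).
MULTI = {"acceptenv", "subsystem", "include", "hostkey", "listenaddress", "port"}

def active_directives(text):
    """Return {keyword: [args, ...]} for the global section of an sshd_config.

    Comments and blank lines are skipped and keywords are lower-cased.
    Parsing stops at the first Match block, which holds conditional settings.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in MULTI:
            result.setdefault(key, []).append(value)
        else:
            result.setdefault(key, [value])  # sshd uses the first value it obtains
    return result

def policy_diff(old, new):
    """Map each keyword whose active value differs to an (old, new) pair."""
    a, b = active_directives(old), active_directives(new)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# Constructed samples: a packaged file, the same file after an upgrade that
# only touched comments, and a sparse file maintained by a local admin.
PACKAGED = """# sample shipped config (constructed)
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
UsePAM yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
"""
UPGRADED = PACKAGED.replace("#PermitRootLogin prohibit-password",
                            "# Root login policy:\n#PermitRootLogin no")
SPARSE = "# local overrides only (constructed)\nPasswordAuthentication no\n"

if __name__ == "__main__":
    print("comment-only upgrade:", policy_diff(PACKAGED, UPGRADED))
    for key, (old, new) in policy_diff(PACKAGED, SPARSE).items():
        print(f"{key}: packaged={old} sparse={new}")
```
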
