Control: tags 959726 + patch
On Thu 2020-11-05 20:26:30 -0800, Dmitry Borodaenko wrote:
> If you can safely assume that /etc/ssh/sshd_config.d exists you can simply add
> it to the list of files scanned for HostKey.
>
> ---
> debian/openssh-server.postinst | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
> index f45f5851c..aa4bee899 100644
> --- a/debian/openssh-server.postinst
> +++ b/debian/openssh-server.postinst
> @@ -18,7 +18,7 @@ get_config_option() {
> perl -lne '
> s/[[:space:]]+/ /g; s/[[:space:]]+$//;
> print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
> - /etc/ssh/sshd_config
> + /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
> }
>
>
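Review bot: the `*` glob on the `+` line is wider than what sshd itself reads; the shipped sshd_config only has `Include /etc/ssh/sshd_config.d/*.conf`, so a backup or editor file left in that directory (a `.dpkg-old` or `~` file, say) would be scanned for HostKey even though sshd ignores it. Suggest `/etc/ssh/sshd_config.d/*.conf` to match the Include. Also, when the directory is absent or the glob matches nothing, the shell passes the pattern through literally and perl prints a `Can't open ...: No such file or directory` warning on stderr, so a `2>/dev/null` or an `[ -d /etc/ssh/sshd_config.d ]` guard would keep the postinst quiet in that case.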
> --
> 2.29.2
Thanks for the suggested fix, Dmitry. I'm tagging this bug report as
having an associated patch.
Since the default line in /etc/ssh/sshd_config these days is:
Include /etc/ssh/sshd_config.d/*.conf
then I think the replacement line should also include the trailing .conf.
That is:
--------
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index f45f5851c..aa4bee899 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -18,7 +18,7 @@ get_config_option() {
perl -lne '
s/[[:space:]]+/ /g; s/[[:space:]]+$//;
print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
- /etc/ssh/sshd_config
+ /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
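Review bot: the hard-coded `/etc/ssh/sshd_config.d/*.conf` on the `+` line only tracks the default Include; an admin who edits or removes that Include line in sshd_config ends up with a postinst that reads files sshd does not, or skips files it does. Reading the Include directive out of sshd_config with the same perl scan, and expanding that, would keep the two in step. The unmatched-glob case from the original patch also still applies: an empty sshd_config.d hands the literal pattern to perl and produces a `Can't open` warning on stderr, so consider `2>/dev/null` or a directory check.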
--------
In a simpler world, get_config_option() would be done by asking sshd
itself to parse the configuration file and output it in normalized form directly:
sshd -T | grep -i "^$option " | cut -f2- -d' '
But unfortunately, sshd -T aborts with a failure (and emits no parsed
configuration at all) if no host keys can be found.
I've submitted https://bugzilla.mindrot.org/show_bug.cgi?id=3460
upstream to suggest an improvement there, but even if that is adopted
upstream, we can't rely on it until it's released.
--dkg
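A version of get_config_option that follows the Include directives in sshd_config rather than hard-coding the sshd_config.d glob, added here as an example and not part of the Debian packaging or either patch above. It assumes Include patterns are absolute paths or globs, does not follow Includes nested inside included files, and uses POSIX awk in place of the perl one-liner.

```shell
#!/bin/sh
# Added example, not the Debian packaging's own code: a get_config_option
# that follows the Include directives in sshd_config instead of hard-coding
# /etc/ssh/sshd_config.d/*.conf. Assumptions: Include patterns are absolute
# paths or globs, and Includes inside included files are not followed.

# scan_option OPTION FILE...: print the value from every line that sets
# OPTION (case-insensitive, "Name value" or "Name=value"), mirroring the
# postinst's perl one-liner with POSIX awk.
scan_option() {
    opt=$1; shift
    awk -v opt="$opt" '
        {
            gsub(/[ \t]+/, " "); sub(/ $/, ""); sub(/^ /, "")
            if (match($0, /^[^ =]+[ =]+/) == 0) next
            name = substr($0, 1, RLENGTH); sub(/[ =]+$/, "", name)
            if (tolower(name) == tolower(opt)) print substr($0, RLENGTH + 1)
        }' "$@" 2>/dev/null
}

# get_config_option OPTION [CONFIG]: CONFIG defaults to /etc/ssh/sshd_config.
get_config_option() {
    want=$1
    conf=${2:-/etc/ssh/sshd_config}
    set -- "$conf"
    # Expand each Include pattern the way sshd would; a pattern that matches
    # nothing is dropped instead of being handed to awk as a literal path.
    for pat in $(scan_option Include "$conf"); do
        for f in $pat; do
            [ -f "$f" ] && set -- "$@" "$f"
        done
    done
    scan_option "$want" "$@"
}
```

Values are printed in the order sshd would read them: the main file first, then each included file in glob order.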