Control: tags 959726 + patch

On Thu 2020-11-05 20:26:30 -0800, Dmitry Borodaenko wrote:
> If you can safely assume that /etc/ssh/sshd_config.d exists you can simply add
> it to the list of files scanned for HostKey.
>
> ---
>  debian/openssh-server.postinst | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
> index f45f5851c..aa4bee899 100644
> --- a/debian/openssh-server.postinst
> +++ b/debian/openssh-server.postinst
> @@ -18,7 +18,7 @@ get_config_option() {
>  perl -lne '
>  s/[[:space:]]+/ /g; s/[[:space:]]+$//;
>  print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
> - /etc/ssh/sshd_config
> + /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
>  }
>
>
> --
> 2.29.2

Thanks for the suggested fix, Dmitry. I'm tagging this bug report as
having an associated patch.

Since the default line in /etc/ssh/sshd_config these days is:

    Include /etc/ssh/sshd_config.d/*.conf

then I think the replacement line should also include the trailing
.conf. That is:

--------
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index f45f5851c..aa4bee899 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -18,7 +18,7 @@ get_config_option() {
 perl -lne '
 s/[[:space:]]+/ /g; s/[[:space:]]+$//;
 print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
- /etc/ssh/sshd_config
+ /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
 }
--------

In a simpler world, get_config_option() would be done by asking sshd
itself to parse the configuration file and output it in normalized form
directly:

    sshd -T | grep -i "^$option " | cut -f2- -d' '

But unfortunately, sshd -T aborts with a failure (and emits no parsed
configuration at all) if no host keys can be found. I've submitted
https://bugzilla.mindrot.org/show_bug.cgi?id=3460 upstream to suggest an
improvement there, but even if that is adopted upstream, we can't rely on
it until it's released.

        --dkg
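Review bot: the `+ /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*` line in Dmitry's hunk reads every file in the drop-in directory, while the Include directive quoted later in this thread only matches `*.conf`, so an editor backup or a dpkg-renamed file left in /etc/ssh/sshd_config.d would be consulted by the postinst but ignored by sshd itself; the two views of the configuration can then disagree. The glob is also unguarded: when the directory has no entries the shell hands perl the literal string `/etc/ssh/sshd_config.d/*`, and `perl -n` warns on stderr that it cannot open that file. Suggest narrowing the pattern to `*.conf` and only appending files that actually exist before calling perl.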
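Review bot: dkg's hunk fixes the suffix, but the unmatched-glob case is still open in `+ /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf`: on a host whose drop-in directory contains no `.conf` file the pattern stays unexpanded, perl is asked to open a file literally named `*.conf`, and the postinst prints a "Can't open" warning during package configuration. A shell-side guard before the perl call avoids that, for example `set -- /etc/ssh/sshd_config; for f in /etc/ssh/sshd_config.d/*.conf; do [ -f "$f" ] && set -- "$@" "$f"; done` and then passing `"$@"` to perl. Minor: the `index f45f5851c..aa4bee899` line was carried over unchanged from the earlier patch even though the resulting blob differs, which is worth regenerating with `git format-patch` before the patch is applied with `git am`.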
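To make the drop-in handling discussed in both hunks and in the sshd -T paragraph concrete, here is an added example of a drop-in-aware get_config_option() that is not the Debian postinst code and not dkg's or Dmitry's patch. It is a POSIX sh/awk reimplementation of the same whitespace-normalising, case-insensitive keyword match, with two guards the patches lack: only `*.conf` files are read (what the Include line matches) and an unmatched glob is never passed to the parser as a literal file name. It deliberately does not call `sshd -T`, because of the no-host-keys failure mode described above. The CONFIG_ROOT parameter and the make_sample_tree helper are assumptions added so the function can be run against a constructed directory tree instead of /etc/ssh.

```shell
#!/bin/sh
# Added example, not the openssh-server postinst: parse an sshd_config plus
# its *.conf drop-ins for one keyword, printing one value per matching line.

# Usage: get_config_option OPTION [CONFIG_ROOT]
# CONFIG_ROOT (assumed parameter) defaults to /etc/ssh.
get_config_option() {
    option="$1"
    cfgroot="${2:-/etc/ssh}"

    [ -f "$cfgroot/sshd_config" ] || return 0

    # Build the file list in the shell so an unmatched glob is skipped
    # instead of reaching awk as the literal name "*.conf".
    set -- "$cfgroot/sshd_config"
    for f in "$cfgroot"/sshd_config.d/*.conf; do
        if [ -f "$f" ]; then
            set -- "$@" "$f"
        fi
    done

    # Same matching rules as the perl one-liner in the patch: collapse runs
    # of whitespace, strip leading/trailing blanks, match the keyword
    # case-insensitively, accept "Keyword value" or "Keyword=value", and
    # print what follows. "HostKey" must not match "HostKeyAlgorithms".
    awk -v opt="$option" '
        {
            gsub(/[[:space:]]+/, " "); sub(/ $/, ""); sub(/^ /, "")
            if (tolower(substr($0, 1, length(opt))) == tolower(opt)) {
                rest = substr($0, length(opt) + 1)
                if (rest ~ /^[[:space:]=]/) {
                    sub(/^[[:space:]=]+/, "", rest)
                    print rest
                }
            }
        }' "$@"
}

# Constructed sample tree (assumption, for demonstration only): a main
# config, one real drop-in, and an editor backup that sshd would ignore.
# The Include line is kept as literal text; the function resolves the
# drop-in directory relative to CONFIG_ROOT, not from that line.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/sshd_config.d"
    cat > "$sample/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey   /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
PasswordAuthentication=no
EOF
    printf 'hostkey /etc/ssh/ssh_host_ecdsa_key\n' > "$sample/sshd_config.d/10-keys.conf"
    printf 'HostKey /etc/ssh/ignored_key\n' > "$sample/sshd_config.d/99-keys.conf~"
    printf '%s\n' "$sample"
}

# Demo: prints the ed25519 key from sshd_config and the ecdsa key from the
# drop-in; the commented line, the HostKeyAlgorithms line and the ~ backup
# file are all skipped.
demo_root=$(make_sample_tree)
get_config_option HostKey "$demo_root"
rm -rf "$demo_root"
```

Running the same function after emptying the drop-in directory produces only the sshd_config value and nothing on stderr, which is the case the unguarded glob in the patches trips over.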