
Bug#1023509: marked as done (openssh-server: suggestion about (default) sshd_config and sshd_config.d)



Your message dated Sat, 5 Nov 2022 21:02:35 +0000
with message-id <Y2bPa4MR1TV89K06@riva.ucam.org>
and subject line Re: Bug#1023509: openssh-server: suggestion about (default) sshd_config and sshd_config.d
has caused the Debian Bug report #1023509,
regarding openssh-server: suggestion about (default) sshd_config and sshd_config.d
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1023509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023509
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:9.0p1-1+b2
Severity: wishlist

Dear Maintainer,

I think the current state is a bit confusing because the Include directive is
at the very beginning of the file before some commented (default) setting that
could suggest administrator to edit there.

And so, doing this, does this override any sshd_config.d contents?

If it is just some sort of self-documented for the Debian default setting, it
could be elsewhere, no?

Why not then providing an almost empty sshd_config that just includes
sshd_config.d and have a sample file in this folder with all the current
commented content.

Regards,
Patrice


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-0-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                    3.129
ii  debconf [debconf-2.0]      1.5.79
ii  dpkg                       1.21.9+b1
ii  init-system-helpers        1.65.2
ii  libaudit1                  1:3.0.7-1.1+b1
ii  libc6                      2.36-4
ii  libcom-err2                1.46.6~rc1-1+b1
ii  libcrypt1                  1:4.4.30-1
ii  libgssapi-krb5-2           1.20-1+b1
ii  libkrb5-3                  1.20-1+b1
ii  libpam-modules             1.5.2-5
ii  libpam-runtime             1.5.2-5
ii  libpam0g                   1.5.2-5
ii  libselinux1                3.4-1+b2
ii  libssl3                    3.0.7-1
ii  libsystemd0                252-2
ii  libwrap0                   7.6.q-31
ii  openssh-client             1:9.0p1-1+b2
ii  openssh-sftp-server        1:9.0p1-1+b2
ii  procps                     2:3.3.17-7.1
ii  runit-helper               2.15.0
ii  sysvinit-utils [lsb-base]  3.05-6
ii  ucf                        3.0043
ii  zlib1g                     1:1.2.11.dfsg-4.1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  252-2
ii  ncurses-term             6.3+20220423-2
ii  xauth                    1:1.1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix

On Sat, Nov 05, 2022 at 06:32:25PM +0100, Patrice Duroux wrote:
> I think the current state is a bit confusing because the Include directive is
> at the very beginning of the file before some commented (default) setting that
> could suggest administrator to edit there.
> 
> And so, doing this, does this override any sshd_config.d contents?

See "man sshd_config":

    For each keyword, the first obtained value will be used.

    [...]

    /etc/ssh/sshd_config.d/*.conf files are included at the start of the
    configuration file, so options set there will override those in
    /etc/ssh/sshd_config.

The behaviour of Include does sometimes confuse people, but it's the way
it's designed upstream and wouldn't be sensible to change now.  Given
its behaviour, the current layout is the only way it can sensibly work.

> If it is just some sort of self-documented for the Debian default setting, it
> could be elsewhere, no?
> 
> Why not then providing an almost empty sshd_config that just includes
> sshd_config.d and have a sample file in this folder with all the current
> commented content.

It's intentionally mainly the upstream file with just a few
Debian-specific tweaks.  I don't really see an advantage to the
rearrangement you suggest, and it would cause annoying churn to people's
configuration file maintenance; closing.

And from your follow-up message:

> My motivation here is related to the point 1. of the following issue:
> https://github.com/EXALAB/AnLinux-App/issues/397
> The current is to overwrite the /etc/ssh/sshd_config by a file that contains
> only:
> PermitRootLogin yes
> 
> So putting that file in /etc/ssh/sshd_config.d should do the job
> but I don't know what could be the result if the /etc/ssh/sshd_config contains
> the opposite in the following of the Include directive.

As explained in "man sshd_config", if you add any
/etc/ssh/sshd_config.d/*.conf files then they will override
/etc/ssh/sshd_config.

Thanks,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

--- End Message ---
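
The first-obtained-value rule quoted from "man sshd_config" in this thread, as an added example that is not part of either message or of OpenSSH itself. It is a simplified model of the global section only (it stops at the first Match line and ignores Keyword=value syntax), and the file names and contents are constructed for the demonstration.

```python
import glob
import os
import tempfile


def effective_globals(path, base=None, seen=None):
    """Return {keyword: (value, source_file)}; the first value obtained wins."""
    seen = {} if seen is None else seen
    # sshd resolves relative Include paths under /etc/ssh; here the directory
    # of the top-level file stands in for it (assumption of this model).
    base = os.path.dirname(path) if base is None else base
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or commented-out default
            parts = line.split(None, 1)
            key = parts[0].lower()  # keywords are case-insensitive
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                break  # conditional blocks are out of scope for this model
            if key == "include":
                pattern = value if os.path.isabs(value) else os.path.join(base, value)
                for inc in sorted(glob.glob(pattern)):  # lexical order
                    effective_globals(inc, base, seen)
                continue
            seen.setdefault(key, (value, path))  # later values never replace it
    return seen


def demo(include_first=True):
    """Build a constructed config tree and return the winning PermitRootLogin."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sshd_config.d"))
        with open(os.path.join(root, "sshd_config.d", "50-app.conf"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        body = ["#PermitRootLogin prohibit-password", "PermitRootLogin no"]
        inc = "Include sshd_config.d/*.conf"
        lines = [inc] + body if include_first else body + [inc]
        main = os.path.join(root, "sshd_config")
        with open(main, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        value, source = effective_globals(main)["permitrootlogin"]
        return value, os.path.basename(source)


if __name__ == "__main__":
    print("Include first:", demo(True))   # drop-in overrides the main file
    print("Include last: ", demo(False))  # main file would win instead
```

With the Include line first, a drop-in that sets PermitRootLogin yes wins over a stricter value later in sshd_config, so a review of sshd_config alone misses it. On a real host, "sshd -T" prints the effective configuration and is the authoritative check.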
