
Re: how to deploy common ssh_config and sshd_config settings on all hosts?



Hi Harald,

On Thu, Feb 02, 2017 at 09:40:48AM +0100, Harald Dunkel wrote:
> Problem: Deploying a custom ssh authentication scheme common to
> all Debian hosts in the lan appears to be apita, esp. since the
> next openssh upgrade might put the default config files upside
> down again.

When you do an upgrade, apt is smart enough to notice that you have
edited a config file and will ask you if you want to replace your
changes with the new version of the file from the package. You can
also view the differences, etc.

I am not saying this is a solution to your issue, merely pointing
out that the overwrite would not happen silently, so you can take
some comfort in that.

Also through the use of override config files that are included into
the main config file, you can avoid being prompted about changes to
the main config file. For sshd the config directive is "Include".

> What would you consider best practice to keep your ssh hosts (>300)
> in sync wrt the most important config options?

This is a classic use case for configuration management. You define
your configuration externally, in one authoritative place, and the
config management system takes care of applying that config to all
your hosts.

Popular examples are Puppet, Ansible and Chef, all of which are
well-supported on Debian. To decide which is best for you will
require some independent research as this is a big topic area and
hard to generalise.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
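
Added example, not part of the original message: Python code that renders a small override file of the kind an `Include` line pulls in, and compares a host's effective settings (the format printed by `sshd -T`) against the same authoritative baseline. The baseline values, the function names and the sample output are assumptions made for illustration; `Include` in sshd_config needs OpenSSH 8.2 or later.

```python
# Hypothetical site baseline (real sshd_config keywords, illustrative values).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}


def render_dropin(baseline):
    """Text of a drop-in file that the main config pulls in via Include."""
    lines = ["# Managed centrally; local edits will be overwritten."]
    lines += [f"{key} {value}" for key, value in sorted(baseline.items())]
    return "\n".join(lines) + "\n"


def parse_effective(text):
    """Parse `sshd -T` style output: a keyword and its value on each line."""
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        # Repeatable keywords (e.g. hostkey) are collected in order.
        effective.setdefault(key.lower(), []).append(value.strip())
    return effective


def find_drift(baseline, effective_text):
    """Return {keyword: (expected, actual)} for each setting that differs."""
    effective = parse_effective(effective_text)
    drift = {}
    for key, expected in baseline.items():
        actual = effective.get(key.lower())
        if actual != [expected]:
            drift[key] = (expected, actual)
    return drift


# Constructed sample of `sshd -T` output from a host that has drifted.
SAMPLE_EFFECTIVE = """\
permitrootlogin without-password
passwordauthentication yes
pubkeyauthentication yes
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
"""

if __name__ == "__main__":
    print(render_dropin(BASELINE), end="")
    for key, (want, got) in find_drift(BASELINE, SAMPLE_EFFECTIVE).items():
        print(f"DRIFT {key}: expected {want!r}, effective {got!r}")
```

On a real host the text passed to `find_drift` would come from running `sshd -T` as root, so the check sees the settings after all included files have been merged.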

