
Re: how to deploy common ssh_config and sshd_config settings on all hosts?



Hi Andy,

On 02/02/17 11:17, Andy Smith wrote:
> 
> Also through the use of override config files that are included into
> the main config file, you can avoid being prompted about changes to
> the main config file. For sshd the config directive is "Include".
> 

Are you sure about this?

root@jessie2:/etc/ssh# /usr/sbin/sshd -d
/etc/ssh/sshd_config: line 90: Bad configuration option: Include
/etc/ssh/sshd_config: terminating, 1 bad configuration options

>> What would you consider best practice to keep your ssh hosts (>300)
>> in sync wrt the most important config options?
> 
> This is a classic use case for configuration management. You define
> your configuration externally, in one authoritative place, and the
> config management system takes care of applying that config to all
> your hosts.

Exactly. The central place in my case is a Debian source package. It
provides binary meta-packages referencing other packages and some
/etc/service.d/local.conf files, extending the usual /etc/service.conf
files provided by the service's binary package.

Please check the output of "find /etc -name \*.d" on your favorite
Debian box to see *how* wide this "Include" approach is in use. You
don't even imagine a package not supporting it.

Unfortunately openssh-server doesn't.

> 
> Popular examples are Puppet, Ansible and Chef, all of which are
> well-supported on Debian. To decide which is best for you will
> require some independent research as this is a big topic area and
> hard to generalise.
> 

They are supported on Debian, but are they supported *by* Debian
as well? Won't I have to expect conflicts with Debian's dpkg
infrastructure?

Of course I will look into the config management tools you suggested.


Thanx very much for your detailed response
Harri
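
An added example, not part of the message above and not code from the openssh-server package: for an sshd that rejects "Include", drop-in fragments can be merged into one file. Because sshd uses the first value it reads for each keyword and a Match block runs to the next Match or end of file, fragment globals go first and all Match blocks go last. The fragment names, the directory layout and the sample settings are assumptions.

```python
import glob
import os

def split_global_and_match(text):
    """Split config text into (global lines, Match-block lines)."""
    glob_lines, match_lines, in_match = [], [], False
    for line in text.splitlines():
        words = line.split()
        if words and words[0].lower() == "match":
            in_match = True  # a Match block runs to the next Match or end of file
        (match_lines if in_match else glob_lines).append(line)
    return glob_lines, match_lines

def load_fragments(dirpath):
    """Read *.conf drop-ins in lexical order (directory layout is an assumption)."""
    frags = []
    for path in sorted(glob.glob(os.path.join(dirpath, "*.conf"))):
        with open(path) as fh:
            frags.append((os.path.basename(path), fh.read()))
    return frags

def assemble(base_text, fragments):
    """Fragments' global lines first, then the base file's, then all Match blocks."""
    head, tail = [], []
    for name, text in list(fragments) + [("packaged sshd_config", base_text)]:
        glob_lines, match_lines = split_global_and_match(text)
        head += ["# --- global settings from %s ---" % name] + glob_lines
        if match_lines:
            tail += ["# --- Match blocks from %s ---" % name] + match_lines
    return "\n".join(head + tail) + "\n"

def effective_globals(config_text):
    """First-value-wins view of global keywords (multi-valued ones show first only)."""
    seen = {}
    for line in split_global_and_match(config_text)[0]:
        words = line.split(None, 1)
        if len(words) == 2 and not words[0].startswith("#"):
            seen.setdefault(words[0].lower(), words[1].strip())
    return seen

# Constructed sample input, not taken from any real host.
BASE = ("Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
        "Match Group sftponly\n    ForceCommand internal-sftp\n")
FRAGMENTS = [("10-hardening.conf", "PermitRootLogin no\nPasswordAuthentication no\n"),
             ("20-backup.conf", "Match User backup\n    PasswordAuthentication yes\n")]

if __name__ == "__main__":
    merged = assemble(BASE, FRAGMENTS)
    print(merged)
    print(effective_globals(merged))
```

Check the merged file with "sshd -t -f <candidate file>" before installing it as /etc/ssh/sshd_config.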

