[2/2] openssh: add support for config snippet includes to ssh and sshd

Message ID 20220818111703.1858-2-jlu@pengutronix.de
State Accepted, archived
Commit 70447c1680672bb4741a9e1c98aadc274e1ed5a0
Series [1/2] openssh: sync local ssh_config + sshd_config files with upstream 8.7p1

Commit Message

Jan Lübbe Aug. 18, 2022, 11:17 a.m. UTC
This makes it simpler to set specific ssh/sshd config options by adding
snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
instead of modifying a copy of the full configuration file. As new
snippets can be added from separate recipes, targeted changes can be
done in multiple layers.

These specific directories are also used in Debian's default
configuration.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
 meta/recipes-connectivity/openssh/openssh/ssh_config  | 2 ++
 meta/recipes-connectivity/openssh/openssh/sshd_config | 2 ++
 2 files changed, 4 insertions(+)
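How the drop-in mechanism resolves conflicting settings is worth seeing concretely, because both ssh_config(5) and sshd_config(5) use the first obtained value for each keyword and expand Include globs in lexical order: a snippet only wins over the main file when the Include line sits above the main file's own settings, and 10-*.conf beats 20-*.conf. The script below is an added example, not part of the patch and not OpenSSH or OE-core code. It re-implements that resolution rule in POSIX sh over a constructed /etc/ssh lookalike in a temporary directory, with two simplifications that are assumptions of the example ("Host *" always matches and every other Host/Match block is skipped; "Keyword=value" syntax is not handled). It goes slightly beyond the patch by also showing what happens when the Include is placed after the defaults, and that an editor backup such as 90-old.conf~ is ignored by the *.conf glob.

```shell
#!/bin/sh
# Added example (not part of the patch): emulate how OpenSSH resolves a keyword
# across a main config file and its "Include" globs, to show why the Include
# line must sit ABOVE the defaults. OpenSSH keeps the first obtained value for
# each keyword, and glob() returns matches sorted, so 10-*.conf beats 20-*.conf.
# Simplifications (assumptions of this example): "Host *" blocks always match,
# any other Host/Match block is skipped, "Keyword=value" syntax is not handled.
set -e

# flatten FILE: print "keyword value" lines in the order ssh/sshd would see them,
# with Include globs expanded recursively and comments/blank lines dropped.
flatten() {
    local file="$1" line='' kw='' rest='' inc='' skip=0
    [ -r "$file" ] || return 0          # unmatched glob stays literal and is ignored
    while read -r line; do              # default IFS trims leading/trailing blanks
        case $line in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f    # split words without expanding an Include glob
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift; rest="$*"
        case $kw in
        host|match)
            if [ "$rest" = '*' ]; then skip=0; else skip=1; fi
            continue ;;
        esac
        if [ "$skip" -eq 1 ]; then continue; fi
        if [ "$kw" = include ]; then
            for inc in $rest; do flatten "$inc"; done   # unquoted: glob expands, sorted
        else
            printf '%s %s\n' "$kw" "$rest"
        fi
    done < "$file"
}

# effective KEYWORD FILE: first value wins; "unset" if only the built-in default applies
effective() {
    local key='' val=''
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    val=$(flatten "$2" | awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
    printf '%s\n' "${val:-unset}"
}

# demo: build a constructed /etc/ssh lookalike in a temp dir and resolve a few keys
demo() {
    local d='' good='' bad=''
    d=$(mktemp -d)
    mkdir -p "$d/sshd_config.d"
    # good: Include above the defaults, as in the patch (constructed sample)
    cat > "$d/sshd_config" <<EOF
Include $d/sshd_config.d/*.conf

PermitRootLogin yes
PasswordAuthentication yes
#Port 22
Match User backup
    PasswordAuthentication yes
EOF
    # bad: same settings but Include at the bottom, so the main-file values win
    cat > "$d/sshd_config.bad" <<EOF
PermitRootLogin yes
PasswordAuthentication yes
Include $d/sshd_config.d/*.conf
EOF
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$d/sshd_config.d/10-hardening.conf"
    printf 'PermitRootLogin prohibit-password\nX11Forwarding no\n' > "$d/sshd_config.d/20-site.conf"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config.d/90-old.conf~"   # editor backup: not *.conf
    good=$(effective PermitRootLogin "$d/sshd_config")
    bad=$(effective PermitRootLogin "$d/sshd_config.bad")
    printf '%s %s %s %s\n' "$good" \
        "$(effective X11Forwarding "$d/sshd_config")" \
        "$(effective Port "$d/sshd_config")" \
        "$bad"
    rm -rf "$d"
}

demo   # prints: no no unset yes
```

The four fields printed are PermitRootLogin from the correctly ordered file (no, from 10-hardening.conf, which sorts before 20-site.conf and before the main file's own line), X11Forwarding (no, set only by a snippet), Port (unset, because only the commented default exists) and PermitRootLogin from the mis-ordered file (yes, since the main file's line is obtained first). On a real target the equivalent check after installing a snippet is sshd -T piped through grep for the keyword; a snippet recipe in another layer would install its file with install -m 0644 into ${D}${sysconfdir}/ssh/sshd_config.d/ and list it in FILES.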

Comments

Khem Raj Aug. 18, 2022, 5:31 p.m. UTC | #1
On Thu, Aug 18, 2022 at 4:21 AM Jan Luebbe <jlu@pengutronix.de> wrote:
>
> This makes it simpler to set specific ssh/sshd config options by adding
> snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
> instead of modifying a copy of the full configuration file. As new
> snippets can be added from separate recipes, targeted changes can be
> done in multiple layers.
>
> These specific directories are also used in Debian's default
> configuration.
>
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> ---
>  meta/recipes-connectivity/openssh/openssh/ssh_config  | 2 ++
>  meta/recipes-connectivity/openssh/openssh/sshd_config | 2 ++
>  2 files changed, 4 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> index 05eecb465ff0..ca70f3737596 100644
> --- a/meta/recipes-connectivity/openssh/openssh/ssh_config
> +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
> @@ -17,6 +17,8 @@
>  # list of available options, their meanings and defaults, please see the
>  # ssh_config(5) man page.
>
> +Include /etc/ssh/ssh_config.d/*.conf
> +
Generally looks ok.
I wonder if this increases security concerns with such blanket includes.

>  Host *
>    ForwardAgent yes
>    ForwardX11 yes
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> index 9c5380589013..e9eaf9315775 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
> @@ -10,6 +10,8 @@
>  # possible, but leave them commented.  Uncommented options override the
>  # default value.
>
> +Include /etc/ssh/sshd_config.d/*.conf
> +
>  #Port 22
>  #AddressFamily any
>  #ListenAddress 0.0.0.0
> --
> 2.20.1
Peter Kjellerstedt Aug. 19, 2022, 9:57 a.m. UTC | #2
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Khem Raj
> Sent: den 18 augusti 2022 19:32
> To: Jan Luebbe <jlu@pengutronix.de>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd
> 
> On Thu, Aug 18, 2022 at 4:21 AM Jan Luebbe <jlu@pengutronix.de> wrote:
> >
> > This makes it simpler to set specific ssh/sshd config options by adding
> > snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
> > instead of modifying a copy of the full configuration file. As new
> > snippets can be added from separate recipes, targeted changes can be
> > done in multiple layers.
> >
> > These specific directories are also used in Debian's default
> > configuration.
> >
> > Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> > ---
> >  meta/recipes-connectivity/openssh/openssh/ssh_config  | 2 ++
> >  meta/recipes-connectivity/openssh/openssh/sshd_config | 2 ++
> >  2 files changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> > index 05eecb465ff0..ca70f3737596 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/ssh_config
> > +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
> > @@ -17,6 +17,8 @@
> >  # list of available options, their meanings and defaults, please see the
> >  # ssh_config(5) man page.
> >
> > +Include /etc/ssh/ssh_config.d/*.conf
> > +
> Generally looks ok.
> I wonder if this increases security concerns with such blanket includes.

If you have the permissions to add a file to /etc/ssh/ssh_config.d or 
/etc/ssh/sshd_config.d, you could just as well modify /etc/ssh/ssh_config 
or /etc/ssh/sshd_config directly.

> >  Host *
> >    ForwardAgent yes
> >    ForwardX11 yes
> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> > index 9c5380589013..e9eaf9315775 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
> > @@ -10,6 +10,8 @@
> >  # possible, but leave them commented.  Uncommented options override the
> >  # default value.
> >
> > +Include /etc/ssh/sshd_config.d/*.conf
> > +
> >  #Port 22
> >  #AddressFamily any
> >  #ListenAddress 0.0.0.0
> > --
> > 2.20.1

//Peter
Jan Lübbe Aug. 19, 2022, 12:37 p.m. UTC | #3
On Fri, 2022-08-19 at 09:57 +0000, Peter Kjellerstedt wrote:
> > > +Include /etc/ssh/ssh_config.d/*.conf
> > > +
> > Generally looks ok.
> > I wonder if this increases security concerns with such blanket includes.
> 
> If you have the permissions to add a file to /etc/ssh/ssh_config.d or 
> /etc/ssh/sshd_config.d, you could just as well modify /etc/ssh/ssh_config 
> or /etc/ssh/sshd_config directly.

This was my thinking as well.

Thanks,
Jan
Patch

diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
index 05eecb465ff0..ca70f3737596 100644
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -17,6 +17,8 @@ 
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
+Include /etc/ssh/ssh_config.d/*.conf
+
 Host *
   ForwardAgent yes
   ForwardX11 yes
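Review bot: the new Include line is position-dependent and deserves a comment saying so in this hunk. ssh_config(5) keeps the first obtained value for each keyword, which is why `Include /etc/ssh/ssh_config.d/*.conf` has to stay above `Host *`; anyone later moving it below that block would silently make every snippet lose to the `ForwardAgent yes` and `ForwardX11 yes` defaults, so a line such as `# Drop-in files are read first and take precedence over the settings below` would document the intent. Two caveats belong in the same comment: ssh applies its ownership and permission check to files it includes, so a snippet that is group- or world-writable, or not owned by root (or the invoking user), aborts ssh with "Bad owner or permissions", meaning recipes that install snippets must use 0644 and root ownership; and the glob only picks up names ending in .conf, so editor backups and files without the suffix are ignored, which is the desired behaviour but the first thing to check when a snippet appears to have no effect. Include in ssh_config needs OpenSSH 7.3 or later, which the 8.7p1 sync in patch 1/2 satisfies.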
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 9c5380589013..e9eaf9315775 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -10,6 +10,8 @@ 
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
+Include /etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
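Review bot: the same first-value rule in sshd_config(5) makes placing the Include above `#Port 22` correct, but two things are missing around `Include /etc/ssh/sshd_config.d/*.conf`. First, the diffstat touches only the two config files, so nothing creates /etc/ssh/sshd_config.d (or ssh_config.d) at install time; a glob that matches nothing is not fatal for sshd, so the omission is silent, but either the recipe's do_install should create both directories (root-owned, 0755) so images can drop snippets in, or the commit message should say that each snippet recipe is responsible for creating them. Second, Match scope in sshd is not reset at the end of an included file, so a snippet that ends with a `Match` block turns every uncommented setting that follows the Include in this file into a conditional one; a comment above the Include saying that snippets are read first, take precedence over everything below, and must not end in a Match block unless that is intended would prevent hard-to-debug configurations, and `sshd -t` plus `sshd -T` (with `-C` to exercise a Match) is the check to recommend after adding a snippet. Include in sshd_config requires OpenSSH 8.2 or later, which the 8.7p1 sync in patch 1/2 satisfies.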