On 1/29/21 3:18 PM, Thorsten Kukuk wrote:
Hi, Distributors have one common problem: configuration files and updates. If a configuration file is modified by an user and the distributor mades changes to it, the package manager needs to decide which version of the configuration file should be used: the one of the admin or the one from the distributor. Independent of the decission, in worst case the service is broken until the admin merges the changes manually. Which is not that problem with a single system, but could be a lot of work for big clusters. There is now the include statement, which solves already many cases as the admin could put his changes in an extra file, but there are still some bigger issues. As an example for sshd_config: most Linux distributions added meanwhile an include statement to read at first files from /etc/ssh/sshd_config.d/* This works fine for directives like 'PermitRootLogin', where the first entry found wins. But you can have multiple AcceptEnv directives. And there is no way for an admin to change the distributor default without editing the config file itself, which again leads to update problems in the future. With ssh_config it's even more complicated: You can have multiple SendEnv directives, and you can change them later. This leads now to the situation, that you need two include directives: one on the beginning of the configuration file, which sets variables which could only be set once, and at the end, to remove and modify SendEnv. I don't know currently if there are more directives you cannot modify, so that the admin still has to modify the original file. I made a relativ small patch, which tries to follow the "systemd" behavior, which is meanwhile used by many more projects: - There is a distributor/vendor default configuration file in /usr/share/ssh - The admin can create his own configuration file in /etc/ssh - There is still the possibility to use the include statement to only override single directives. So if there is no admin provided configuration file, the vendor file from /usr/share/ssh is used. If there is an admin provided configuration file in /etc/ssh, this one will be used by default. Includes are only used from the configuration file which is really read. And if a distribution does not like this, it can still only ship the configuration files in /etc/ssh and there is no change in behavior. Attached is a patch which I'm using currently. I would like to see if upstream openssh would support this.
We use the simple Include directory as described above, where we ship our defaults. It is up to the admin to decide if they need to override some values to including their configuration file before our file (in lexicographical order) without breaking updates.
Even though your change looks like fitting better Linux FHS, it introduces a new complexity and quite huge change after 20+ years of history where the ssh configuration works as it works.
The discussion about SendEnv is was here recently in the following bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3247#c2 Regards, -- Jakub Jelen Senior Software Engineer Crypto Team, Security Engineering Red Hat, Inc. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev