Re: [PATCH] introduce vendordir for easier config file update

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 1/29/21 3:18 PM, Thorsten Kukuk wrote:

Hi,

Distributors have one common problem: configuration files and updates.

If a configuration file is modified by an user and the distributor mades
changes to it, the package manager needs to decide which version of the
configuration file should be used: the one of the admin or the one from
the distributor. Independent of the decission, in worst case the service
is broken until the admin merges the changes manually. Which is not that
problem with a single system, but could be a lot of work for big clusters.

There is now the include statement, which solves already many cases as
the admin could put his changes in an extra file, but there are still
some bigger issues.

As an example for sshd_config: most Linux distributions added meanwhile an
include statement to read at first files from /etc/ssh/sshd_config.d/*
This works fine for directives like 'PermitRootLogin', where the first entry
found wins. But you can have multiple AcceptEnv directives. And there is no
way for an admin to change the distributor default without editing the
config file itself, which again leads to update problems in the future.

With ssh_config it's even more complicated: You can have multiple SendEnv
directives, and you can change them later. This leads now to the situation,
that you need two include directives: one on the beginning of the
configuration file, which sets variables which could only be set once,
and at the end, to remove and modify SendEnv. I don't know currently if
there are more directives you cannot modify, so that the admin still has
to modify the original file.

I made a relativ small patch, which tries to follow the "systemd" behavior,
which is meanwhile used by many more projects:

- There is a distributor/vendor default configuration file in /usr/share/ssh
- The admin can create his own configuration file in /etc/ssh
- There is still the possibility to use the include statement to only override
   single directives.

So if there is no admin provided configuration file, the vendor file from
/usr/share/ssh is used. If there is an admin provided configuration file
in /etc/ssh, this one will be used by default.

Includes are only used from the configuration file which is really read.
And if a distribution does not like this, it can still only ship the
configuration files in /etc/ssh and there is no change in behavior.

Attached is a patch which I'm using currently. I would like to see if
upstream openssh would support this.

We use the simple Include directory as described above, where we ship our defaults. It is up to the admin to decide if they need to override some values to including their configuration file before our file (in lexicographical order) without breaking updates.

Even though your change looks like fitting better Linux FHS, it introduces a new complexity and quite huge change after 20+ years of history where the ssh configuration works as it works.

The discussion about SendEnv is was here recently in the following bug:

https://bugzilla.mindrot.org/show_bug.cgi?id=3247#c2

Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux