Artem Russakovskii wrote:
> For the last several releases (perhaps with the release of openssh 9?),
> upgrading each version of openssh started wiping the current sshd_config
> and replacing it with the default config, at least on OpenSUSE 15.4 via
> zypper/yast.

Your distribution package or packaging system does that, not OpenSSH.

> I was thinking of ways to mitigate this and thought I'd move the config to
> sshd_config.d/ in the hopes that it will be then called by the main config.
>
> However, two issues exist here, and I'm not sure how to resolve them.
>
> 1. "Subsystem 'sftp' already defined." since it's defined in sshd_config
> and redefined in sshd_config.d/custom_config.
> From what I can tell, this is supposed to be fixed by
> https://groups.google.com/g/linux.debian.bugs.dist/c/jTXWWobiGpY

Note that the bug report quotes a different sshd_config.5 man page than
the upstream one. Upstream sshd_config.5 does *not* contain
"/etc/ssh/sshd_config.d/*.conf files are included at the start ..."
which Debian seems to patch in.

I can only recommend avoiding distribution packages, especially when
discussing any issues here with upstream.

> with this code
> https://bugzilla.mindrot.org/attachment.cgi?id=3591&action=diff&collapsed=&headers=1&format=raw,
> but I don't currently understand if it's released (I'm on openssh-9.3p2 and it
> still throws the "Subsystem 'sftp' already defined" error) or when it will
> be released. Would appreciate any clarity here.

The patch is not included in any release and also not in current master.

It's a straightforward patch that looks fine to me, maybe it will be
included into master following your mail bump. Don't know if it could
make it into the pending 9.4 release then, that may have been frozen.

> 2. Even if the above is resolved, I think it still presents a problem
> since the default sshd_config doesn't include this line "Include
> sshd_config.d/*". If an upgrade removes it, then I'll still need to
> manually add it every time.

It seems Debian adds an Include at the start of the config file, I guess
you have to do something similar or something else..

> The config was never force-replaced prior to a few months ago (prior to
> 9?). How is everyone else dealing with this problem?

I don't use distribution patches and no packages/packaging that will
mess with my configuration. I don't want to spend time on unnecessary
problems created by distributions.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
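
Added example, not part of the original mail and not OpenSSH or distribution code: a post-upgrade check for the two problems discussed in the thread, a main sshd_config that has lost its Include line and a Subsystem name defined in more than one file. It assumes whitespace-separated keywords and resolves relative Include paths against the main file's directory; the function names and the sftp-server path in the sample are made up for illustration.

```shell
#!/bin/sh
# Post-upgrade audit of an sshd configuration tree (added example).
# Assumption: relative Include paths resolve against the main file's directory.

# Print the main file, then every file matched by its Include patterns.
config_files() {
    cfg_dir=$(dirname "$1")
    echo "$1"
    awk 'tolower($1) == "include" { for (i = 2; i <= NF; i++) print $i }' "$1" |
    while IFS= read -r pat; do
        case $pat in /*) ;; *) pat=$cfg_dir/$pat ;; esac
        for f in $pat; do    # unquoted on purpose: expand the glob
            if [ -f "$f" ]; then echo "$f"; fi
        done
    done
}

# Report each Subsystem name defined more than once across those files.
subsystem_dups() {
    # $(...) is unquoted on purpose: one awk argument per file.
    awk 'tolower($1) == "subsystem" {
             if ($2 in seen) print "DUP_SUBSYSTEM", $2, seen[$2], FILENAME
             else seen[$2] = FILENAME
         }' $(config_files "$1")
}

# Print findings; return 0 when the tree is clean, 1 otherwise.
audit_sshd_config() {
    rc=0
    if ! awk 'tolower($1) == "include" { ok = 1 } END { exit !ok }' "$1"; then
        echo "NO_INCLUDE $1"; rc=1
    fi
    dups=$(subsystem_dups "$1")
    if [ -n "$dups" ]; then echo "$dups"; rc=1; fi
    return $rc
}

# Constructed sample: a packaged default plus a local drop-in.
make_sample_tree() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*' \
        'Subsystem sftp /usr/lib/ssh/sftp-server' > "$1/sshd_config"
    printf '%s\n' 'PasswordAuthentication no' \
        'Subsystem sftp internal-sftp' > "$1/sshd_config.d/custom_config"
}

tmp=$(mktemp -d) && make_sample_tree "$tmp"
audit_sshd_config "$tmp/sshd_config" || echo "audit reported problems"
rm -rf "$tmp"
```

Running `sshd -t` against the live configuration remains the authoritative syntax check; this script only flags the two conditions from the thread before sshd is restarted.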