[Bug 2002994] Re: sshd_config makes some changes awkward
Christian Ehrhardt
2002994 at bugs.launchpad.net
Thu Jan 19 06:36:46 UTC 2023
I agree as well, it is great that we have .d function at all, but it could be better.
As reported there is no control yet at what goes early or late and that would be a great enhancement. Just including it late isn't an easy option either as you might unintentionally add to a different section that was at the end of the former config.
A bit of history:
- initially added via
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845315
  - https://salsa.debian.org/ssh-team/openssh/-/commit/cb37f2bf1
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862316
    (unclosed, but in theory addressed by the above)
- having some troubles to work
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961007
  - https://bugzilla.mindrot.org/show_bug.cgi?id=3122
- good but not yet as good as other .d config inclusions
  - this bug
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998834
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954965
Overall a problem that I see after going through all those is that some
settings seem to be "the earliest set wins" so including at the top is
good. And others are "overwritten by later statements" which asks for an
inclusion at the end of the file.
This needs to be analyzed, maybe the behavior changed over time or there
are different categories of settings? To do so I recommend to read
through those bugs, some have more examples and how to debug them. Once
that check is done one can propose a solution and it might very well be
what Kevin suggested here which is to put the main config into the .d
directory as well and include them in numerical order. That might not
solve/address the behavior of different statements, but at least it
would give full control to the admin without touching the package owned
config file.
Either way this is worth having a look, but needs more time than a usual bug fix.
Therefore I've added it to a set of ideas that we pick the most important ones from each Ubuntu release cycle. If anyone else wants to tackle this before we get to it - great, keep the bug updated in that case.
** Bug watch added: Debian Bug tracker #845315
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845315
** Bug watch added: Debian Bug tracker #862316
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862316
** Bug watch added: Debian Bug tracker #961007
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961007
** Bug watch added: OpenSSH Portable Bugzilla #3122
https://bugzilla.mindrot.org/show_bug.cgi?id=3122
** Bug watch added: Debian Bug tracker #998834
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998834
** Bug watch added: Debian Bug tracker #954965
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954965
https://bugs.launchpad.net/bugs/2002994
Title:
sshd_config makes some changes awkward
Status in openssh package in Ubuntu:
Confirmed
Bug description:
As distributed, the file sshd_config has apparently been modified from
an upstream version -- those lines that are NOT comments. There is no
good way for me to change any of them, even though there is a
sshd_config.d directory for my changes. That is because the files in
the sshd_config.d directory are invoked early, and the uncommented
lines in the sshd_config file override them. I would have to modify
the sshd_config file which defeats the purpose of having the
directory.
I suggest to adopt a method that I have seen elsewhere: put all of
your changes in a file and put the file in the .d directory. Start
the filename with something like '50' so that it can sort before or
after any file contributed by the local admin. Keep the sshd_config
file as you get it from upstream.
This is, after all, the reason that the .d directories exist.
In this way, admins do not have to modify distributed files, which
avoids awkwardness when the package is updated.
The same applies to ssh_config.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssh-server 1:8.2p1-4ubuntu0.5
ProcVersionSignature: Ubuntu 5.4.0-122.138-generic 5.4.192
Uname: Linux 5.4.0-122-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: XFCE
Date: Mon Jan 16 06:29:16 2023
SourcePackage: openssh
UpgradeStatus: Upgraded to focal on 2021-02-19 (696 days ago)
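
The ordering question raised in this thread, as an added example that is not part of the original message or of OpenSSH: a small resolver that reports which file supplies each global setting depending on where the Include line sits. It assumes the rule documented in sshd_config(5) that the first obtained value of a keyword is used; Match blocks and repeatable keywords are not modelled, and the file contents are constructed samples.

```python
import fnmatch

MAIN = "/etc/ssh/sshd_config"
INCLUDE = "Include /etc/ssh/sshd_config.d/*.conf"
# Constructed sample files, not the contents of the real Ubuntu package.
SNIPPETS = {
    "/etc/ssh/sshd_config.d/50-local.conf": "PasswordAuthentication no\n",
    "/etc/ssh/sshd_config.d/90-late.conf": "PasswordAuthentication yes\nX11Forwarding no\n",
}
INCLUDE_AT_TOP = {MAIN: INCLUDE + "\nX11Forwarding yes\n", **SNIPPETS}
INCLUDE_AT_END = {MAIN: "X11Forwarding yes\n" + INCLUDE + "\n", **SNIPPETS}


def resolve(files, path=MAIN, seen=None):
    """Return {keyword: (value, source file)} for the global section.

    Assumes the sshd_config(5) rule that the first obtained value of a
    keyword is used; Match blocks and repeatable keywords are not modelled.
    """
    seen = {} if seen is None else seen
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "include":
            # Included files are read at the position of the Include line,
            # in lexical order of the matching names.
            for pattern in value.split():
                for match in sorted(fnmatch.filter(files, pattern)):
                    resolve(files, match, seen)
        else:
            # A later duplicate of an already-seen keyword is ignored.
            seen.setdefault(keyword, (value, path))
    return seen


if __name__ == "__main__":
    for name, files in (("top", INCLUDE_AT_TOP), ("end", INCLUDE_AT_END)):
        for keyword, (value, source) in sorted(resolve(files).items()):
            print(f"include at {name}: {keyword} = {value}  ({source})")
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check; the resolver only models where each global value comes from.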