Bug#631189: openssh-server: sshd_config should support "include" directive

[Paul Wise]

On Tue, 21 Jun 2011 13:55:06 +0400 Алексей Малов wrote:

> I think, openssh-server should support "include" directive. I have a
> lot of sshd_config files that are mostly the same, except for some
> small differences. For example, ListenAddress could be different
> because a host has a bunch of virtual interfaces that ssh should not
> listen on. Also, it is very useful, when configure with systems like
> puppet.

This has now been merged upstream for OpenSSH 8.2:

https://bugzilla.mindrot.org/show_bug.cgi?id=2468#c24

It looks like the upstream patch does not have Include in the default
sshd_config, so it would be nice for Debian to have one like this, so
that sysadmins don't have to modify the default sshd_config.

Include /etc/ssh/sshd_config.d/*

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


signature.asc
Description: This is a digitally signed message part

Bug#631189: openssh-server: sshd_config should support "include" directive

[Colin Watson]

Control: merge 631189 778675

On Mon, May 30, 2016 at 05:20:40AM +, Simon Law wrote:
> From: https://bugzilla.mindrot.org/show_bug.cgi?id=1585#c24
> 
> Damien Miller 2016-04-15 13:01:08 EST
> 
> Slightly modified patch applied, this will be in openssh-7.3
> 
> commit dc7990be865450574c7940c9880567f5d2555b37
> Author: d...@openbsd.org 
> Date:   Fri Apr 15 00:30:19 2016 +
> 
> upstream commit
> 
> Include directive for ssh_config(5); feedback & ok markus@

Note that this is only for the client side, not the server side, so that
was more relevant to #536031.  It unfortunately hasn't been implemented
on the server side yet, even upstream.

Merging with #778675, since that has a forwarded-to URL.

Thanks,

-- 
Colin Watson   [cjwat...@debian.org]

Bug#631189: openssh-server: sshd_config should support "include" directive

[Simon Law]

From: https://bugzilla.mindrot.org/show_bug.cgi?id=1585#c24

Damien Miller 2016-04-15 13:01:08 EST

Slightly modified patch applied, this will be in openssh-7.3

commit dc7990be865450574c7940c9880567f5d2555b37
Author: d...@openbsd.org 
Date:   Fri Apr 15 00:30:19 2016 +

upstream commit

Include directive for ssh_config(5); feedback & ok markus@

Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
commit 35f22dad263cce5c61d933ae439998cb965b8748
Author: d...@openbsd.org 
Date:   Fri Apr 15 00:31:10 2016 +

upstream commit

regression test for ssh_config Include directive

Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e

Bug#631189: openssh-server: sshd_config should support include directive

[Алексей Малов]

Package: openssh-server
Version: 1:5.5p1-6
Severity: wishlist

*** Please type your report below this line ***
I think, openssh-server should support include directive. I have a
lot of sshd_config files that are mostly the same, except for some
small differences. For example, ListenAddress could be different
because a host has a bunch of virtual interfaces that ssh should not
listen on. Also, it is very useful, when configure with systems like
puppet.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (900, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser 3.112+nmu2   add and remove users and groups
ii  debconf [debconf-2.0]   1.5.36.1 Debian configuration management sy
ii  dpkg1.15.8.10Debian package management system
ii  libc6   2.11.2-10Embedded GNU C Library: Shared lib
ii  libcomerr2  1.41.12-2common error description library
ii  libgssapi-krb5-21.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii  libkrb5-3   1.8.3+dfsg-4 MIT Kerberos runtime libraries
ii  libpam-modules  1.1.1-6.1Pluggable Authentication Modules f
ii  libpam-runtime  1.1.1-6.1Runtime support for the PAM librar
ii  libpam0g1.1.1-6.1Pluggable Authentication Modules l
ii  libselinux1 2.0.96-1 SELinux runtime shared libraries
ii  libssl0.9.8 0.9.8o-4squeeze1 SSL shared libraries
ii  libwrap07.6.q-19 Wietse Venema's TCP wrappers libra
ii  lsb-base3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  openssh-blacklist   0.4.1list of default blacklisted OpenSS
ii  openssh-client  1:5.5p1-6secure shell (SSH) client, for sec
ii  procps  1:3.2.8-9/proc file system utilities
ii  zlib1g  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra   0.4.1  list of non-default blacklisted Op
ii  xauth 1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard   none (no description available)
pn  rssh  none (no description available)
pn  ssh-askpass   none (no description available)
pn  ufw   none (no description available)

-- debconf information excluded

-- 
Alexey Malov



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#631189: openssh-server: sshd_config should support include directive

[Gergely Nagy]

Алексей Малов scukon...@gmail.com writes:

 I think, openssh-server should support include directive. I have a
 lot of sshd_config files that are mostly the same, except for some
 small differences. For example, ListenAddress could be different
 because a host has a bunch of virtual interfaces that ssh should not
 listen on. Also, it is very useful, when configure with systems like
 puppet.

I wished for an include directive quite a lot of times in the past, but
since then, ended up liking my workaround better: I use cpp to
preprocess my sshd configs before deployment, thus I automatically get
#include and a bunch of other stuff.

While it's not as convenient as sshd supporting Include by itself, it
works. And doesn't need any changes to openssh (implementing include
properly is not all that trivial, imo).

-- 
|8], a random user who just happened to stumble upon this wishlist
report.




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org