From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
To: Khem Raj <raj.khem@gmail.com>, Jan Luebbe <jlu@pengutronix.de>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: RE: [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd
Date: Fri, 19 Aug 2022 09:57:24 +0000
Message-ID: <fbcb8ef91eb74bcc883dc6e5d4924251@axis.com>
In-Reply-To: <CAMKF1spo5nbjvHpxsyff3_dv7Da7a0YP-vkSLXg16D1jHmS78w@mail.gmail.com>
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Khem Raj
> Sent: den 18 augusti 2022 19:32
> To: Jan Luebbe <jlu@pengutronix.de>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd
>
> On Thu, Aug 18, 2022 at 4:21 AM Jan Luebbe <jlu@pengutronix.de> wrote:
> >
> > This makes it simpler to set specific ssh/sshd config options by adding
> > snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
> > instead of modifying a copy of the full configuration file. As new
> > snippets can be added from separate recipes, targeted changes can be
> > done in multiple layers.
> >
> > These specific directories are also used in Debian's default
> > configuration.
> >
> > Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> > ---
> > meta/recipes-connectivity/openssh/openssh/ssh_config | 2 ++
> > meta/recipes-connectivity/openssh/openssh/sshd_config | 2 ++
> > 2 files changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> > index 05eecb465ff0..ca70f3737596 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/ssh_config
> > +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
> > @@ -17,6 +17,8 @@
> > # list of available options, their meanings and defaults, please see the
> > # ssh_config(5) man page.
> >
> > +Include /etc/ssh/ssh_config.d/*.conf
> > +
> Generally looks ok.
> I wonder if this increases security concerns with such blanket includes.
If you have the permissions to add a file to /etc/ssh/ssh_config.d or
/etc/ssh/sshd_config.d, you could just as well modify /etc/ssh/ssh_config
or /etc/ssh/sshd_config directly.
> > Host *
> > ForwardAgent yes
> > ForwardX11 yes
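Review bot: The added `Include /etc/ssh/ssh_config.d/*.conf` line carries no comment explaining why it sits above `Host *`. ssh uses the first value it obtains for each option, so a snippet takes precedence over the `ForwardAgent yes` and `ForwardX11 yes` defaults that follow. A one-line comment above the Include stating this would tell layer authors that a snippet is enough to override those defaults, and that the Include has to stay ahead of the Host block.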
> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> > index 9c5380589013..e9eaf9315775 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
> > @@ -10,6 +10,8 @@
> > # possible, but leave them commented. Uncommented options override the
> > # default value.
> >
> > +Include /etc/ssh/sshd_config.d/*.conf
> > +
> > #Port 22
> > #AddressFamily any
> > #ListenAddress 0.0.0.0
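Review bot: Nothing in this patch creates /etc/ssh/sshd_config.d. The diffstat lists only the two config files, so whether the directory named in `Include /etc/ssh/sshd_config.d/*.conf` exists, and with which owner and mode, depends on whichever recipe installs the first snippet. Suggest having the openssh recipe install both .d directories itself, root-owned and not group- or world-writable, so the included files are protected the same way as sshd_config.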
> > --
> > 2.20.1
//Peter
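
The point made in the reply holds when the snippet directory and its files are protected the same way as the main configuration file. The following is an added example, not part of the thread, the patch or OpenSSH, that checks this on a built image or a running target; the function name `audit_ssh_includes` and its optional owner argument are assumptions made for the example.

```shell
#!/bin/sh
# audit_ssh_includes MAIN_CONFIG INCLUDE_DIR [OWNER]
# Prints one line for every path that OWNER (default: root) does not
# exclusively control. Returns 1 if anything was reported, 0 otherwise.
audit_ssh_includes() {
    main=$1; dir=$2; owner=${3:-root}; rc=0
    # Check the main file, the directory itself, and every file the
    # "Include <dir>/*.conf" line would pull in.
    for path in "$main" "$dir" "$dir"/*.conf; do
        if [ -L "$path" ]; then
            # A symlink moves the trust decision to wherever it points.
            echo "$path: symlink, check its target"; rc=1
        elif [ ! -e "$path" ]; then
            continue    # unmatched glob, or directory not shipped
        elif [ -n "$(find "$path" -prune ! -user "$owner")" ]; then
            echo "$path: not owned by $owner"; rc=1
        elif [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "$path: group- or world-writable"; rc=1
        fi
    done
    return $rc
}
```

On a target this would be called as `audit_ssh_includes /etc/ssh/sshd_config /etc/ssh/sshd_config.d`, and likewise for `ssh_config` and `ssh_config.d`.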