Re: how to deploy common ssh_config and sshd_config settings on all hosts?
On Mon, Feb 06, 2017 at 09:45:36AM +0100, Harald Dunkel wrote:
> Hi Andy,
>
> On 02/02/17 17:43, Andy Smith wrote:
> > Hi Harald,
> >
> > On Thu, Feb 02, 2017 at 02:50:09PM +0100, Harald Dunkel wrote:
> >>
> >> Exactly. The central place in my case is a debian source package. It
> >> provides binary meta-packages referencing other packages and some
> >> /etc/service.d/local.conf files, extending the usual /etc/service.conf
> >> files provided by the service's binary package.
> >
> > If you are making your own Debian packages with all of your custom
> > config already in them, then you could just put them in your own apt
> > repository and point all your machines there. But you must have
> > already thought of this so there must be some reason why that
> > solution is not acceptable…
> >
>
> I already have these common packages in a local repository. They
> provide some common config settings, e.g. for exim4, rsyslog,
> logrotate, local certificates, fonts, etc. Most important: They
> depend on and recommend large lists of packages, helping to keep
> all hosts in sync.
>
> For openssh I have the problem that I can only override the whole
> ssh_config and sshd_config files. I cannot *extend* them. I had
> hoped to avoid the dpkg-divert.

You might try to patch (and unpatch, and make sure all of this is idempotent) your config in the maintainer scripts. Not completely trivial, but sounds doable (at least "well enough").

A big help in this might be the package "cme": its purpose is to "understand" and "edit" configuration files in many formats. That would mean some dependencies for you, of course.

(I haven't used CME yet, but by what I've seen it seems to be pretty Well Done (TM))

Regards
-- tomás
Re: how to deploy common ssh_config and sshd_config settings on all hosts?
Hi Andy,

On 02/02/17 17:43, Andy Smith wrote:
> Hi Harald,
>
> On Thu, Feb 02, 2017 at 02:50:09PM +0100, Harald Dunkel wrote:
>>
>> Exactly. The central place in my case is a debian source package. It
>> provides binary meta-packages referencing other packages and some
>> /etc/service.d/local.conf files, extending the usual /etc/service.conf
>> files provided by the service's binary package.
>
> If you are making your own Debian packages with all of your custom
> config already in them, then you could just put them in your own apt
> repository and point all your machines there. But you must have
> already thought of this so there must be some reason why that
> solution is not acceptable…
>

I already have these common packages in a local repository. They provide some common config settings, e.g. for exim4, rsyslog, logrotate, local certificates, fonts, etc. Most important: They depend on and recommend large lists of packages, helping to keep all hosts in sync.

For openssh I have the problem that I can only override the whole ssh_config and sshd_config files. I cannot *extend* them. I had hoped to avoid the dpkg-divert.

Regards
Harri
Re: how to deploy common ssh_config and sshd_config settings on all hosts?
On Thursday, 2 February 2017 09:40:48 CET Harald Dunkel wrote:
> Problem: Deploying a custom ssh authentication scheme common to
> all Debian hosts in the lan appears to be apita, esp. since the
> next openssh upgrade might put the default config files upside
> down again.

Another possibility is to systematically keep your own version of sshd_config and perform the upgrade later with `cme migrate sshd` [1].

That said I've not found the time to keep up with the latest version of ssh configuration and cme works with openssh 6. Some work is needed to update cme with new parameters and constraints brought by openssh 7. I could use some help there.

All the best

[1] https://github.com/dod38fr/config-model/wiki/Managing-ssh-configuration-with-cme

-- 
https://github.com/dod38fr/ -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/ -o- irc: dod at irc.debian.org
Re: how to deploy common ssh_config and sshd_config settings on all hosts?
Hi Harald,

On Thu, Feb 02, 2017 at 02:50:09PM +0100, Harald Dunkel wrote:
> On 02/02/17 11:17, Andy Smith wrote:
> > Also through the use of override config files that are included into
> > the main config file, you can avoid being prompted about changes to
> > the main config file. For sshd the config directive is "Include".
> >
>
> Are you sure about this?
>
> root@jessie2:/etc/ssh# /usr/sbin/sshd -d
> /etc/ssh/sshd_config: line 90: Bad configuration option: Include
> /etc/ssh/sshd_config: terminating, 1 bad configuration options

You are right, sorry. It seems "Include" is actually only valid in ssh_config (not sshd) and then only from the version in testing currently.

> > This is a classic use case for configuration management. You define
> > your configuration externally, in one authoritative place, and the
> > config management system takes care of applying that config to all
> > your hosts.
>
> Exactly. The central place in my case is a debian source package. It
> provides binary meta-packages referencing other packages and some
> /etc/service.d/local.conf files, extending the usual /etc/service.conf
> files provided by the service's binary package.

If you are making your own Debian packages with all of your custom config already in them, then you could just put them in your own apt repository and point all your machines there. But you must have already thought of this so there must be some reason why that solution is not acceptable…

> > Popular examples are Puppet, Ansible and Chef, all of which are
> > well-supported on Debian. To decide which is best for you will
> > require some independent research as this is a big topic area and
> > hard to generalise.
>
> They are supported on Debian, but are they supported *by* Debian
> as well? Won't I have to expect conflicts with Debian's dpkg
> infrastructure?

Fundamentally they all just result in changes to config files. It is no different to you making changes to config files personally, except it is automated.

You could not really say that Debian does not support you changing config files. What you could say is that if you do change config files, and the relevant Debian package comes with config file changes, then dpkg will interactively ask you what to do.

Probably what's going to happen if you DID interactively accept config file changes is that your config management system will then revert the config back to what it thinks it should be, losing Debian changes.

So, if moving to config management what you would normally do is examine what the new package version wants to change and then incorporate those changes in your config management instead.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: how to deploy common ssh_config and sshd_config settings on all hosts?
Hi Andy,

On 02/02/17 11:17, Andy Smith wrote:
>
> Also through the use of override config files that are included into
> the main config file, you can avoid being prompted about changes to
> the main config file. For sshd the config directive is "Include".
>

Are you sure about this?

root@jessie2:/etc/ssh# /usr/sbin/sshd -d
/etc/ssh/sshd_config: line 90: Bad configuration option: Include
/etc/ssh/sshd_config: terminating, 1 bad configuration options

>> What would you consider best practice to keep your ssh hosts (>300)
>> in sync wrt the most important config options?
>
> This is a classic use case for configuration management. You define
> your configuration externally, in one authoritative place, and the
> config management system takes care of applying that config to all
> your hosts.

Exactly. The central place in my case is a debian source package. It provides binary meta-packages referencing other packages and some /etc/service.d/local.conf files, extending the usual /etc/service.conf files provided by the service's binary package.

Please check the output of "find /etc -name \*.d" on your favorite Debian box to see *how* wide this "Include" approach is in use. You don't even imagine a package not supporting it. Unfortunately openssh-server doesn't.

>
> Popular examples are Puppet, Ansible and Chef, all of which are
> well-supported on Debian. To decide which is best for you will
> require some independent research as this is a big topic area and
> hard to generalise.
>

They are supported on Debian, but are they supported *by* Debian as well? Won't I have to expect conflicts with Debian's dpkg infrastructure?

Of course I will look into the config management tools you suggested.

Thanx very much for your detailed response
Harri
Re: how to deploy common ssh_config and sshd_config settings on all hosts?
Hi Harald,

On Thu, Feb 02, 2017 at 09:40:48AM +0100, Harald Dunkel wrote:
> Problem: Deploying a custom ssh authentication scheme common to
> all Debian hosts in the lan appears to be apita, esp. since the
> next openssh upgrade might put the default config files upside
> down again.

When you do an upgrade, apt is smart enough to notice that you have edited a config file and will ask you if you want to replace your changes with the new version of the file from the package. You can also view the differences, etc. I am not saying this is a solution to your issue, merely pointing out that the overwrite would not happen silently, so you can take some comfort in that.

Also through the use of override config files that are included into the main config file, you can avoid being prompted about changes to the main config file. For sshd the config directive is "Include".

> What would you consider best practice to keep your ssh hosts (>300)
> in sync wrt the most important config options?

This is a classic use case for configuration management. You define your configuration externally, in one authoritative place, and the config management system takes care of applying that config to all your hosts.

Popular examples are Puppet, Ansible and Chef, all of which are well-supported on Debian. To decide which is best for you will require some independent research as this is a big topic area and hard to generalise.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
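An added example, written for this page and not taken from the thread, from Debian or from OpenSSH, that covers two things discussed above: tomás's "patch in postinst, unpatch in prerm, keep it idempotent" approach, and Andy's "Include" suggestion together with the error Harald got on 7.4 (sshd_config only gained an Include keyword in OpenSSH 8.2; ssh_config had it earlier). It is POSIX sh, because that is what a maintainer script is. The marker strings, the "local-ssh" package name and the SSHD_BIN variable are my assumptions. The one detail that decides whether such a patch does anything at all is placement: sshd_config(5) and ssh_config(5) both use the first value obtained for a keyword, so a `PasswordAuthentication no` appended below an earlier `PasswordAuthentication yes` is silently ignored. The block is therefore put at the top of the file, and `effective_value` is the check that it took effect.

```shell
#!/bin/sh
# Added example, not from the thread or from any Debian/OpenSSH package:
# idempotent patch/unpatch of /etc/ssh/sshd_config (or ssh_config) for an
# sshd without Include. Assumed names: markers, "local-ssh", SSHD_BIN.

BEGIN_MARK='# BEGIN local-ssh (managed by the local-ssh package; do not edit)'
END_MARK='# END local-ssh'

# effective_value FILE KEYWORD
# Print the value sshd/ssh will really use: the FIRST one in the global
# section (first value wins, keywords are case-insensitive, and anything
# after a Match/Host line is conditional). Hence the block goes on top.
effective_value() {
    awk -v kw="$2" '
        NF == 0 || $1 ~ /^#/                              { next }
        tolower($1) == "match" || tolower($1) == "host"   { exit }
        tolower($1) == tolower(kw)                        { print $2; exit }
    ' "$1"
}

# strip_block FILE: FILE on stdout without the managed block, if any
strip_block() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip
    ' "$1"
}

# patch_config FILE SNIPPET: put SNIPPET between the markers at the top of
# FILE. An existing block is replaced, so a rerun leaves exactly one block.
patch_config() {
    [ -r "$2" ] || { echo "snippet $2 not readable" >&2; return 1; }
    tmp=$(mktemp) || return 1
    {
        printf '%s\n' "$BEGIN_MARK"
        awk 1 "$2"                   # like cat, but fixes a missing final newline
        printf '%s\n' "$END_MARK"
        strip_block "$1"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"; rc=$?        # write in place: keeps mode and owner
    rm -f "$tmp"
    return $rc
}

# unpatch_config FILE: remove the block again (what prerm/postrm would do)
unpatch_config() {
    tmp=$(mktemp) || return 1
    strip_block "$1" > "$tmp" && cat "$tmp" > "$1"; rc=$?
    rm -f "$tmp"
    return $rc
}

# validate_config FILE: let the real sshd parse FILE before any reload.
# 0 = accepted, 1 = rejected, 2 = no sshd here. Run as root: -t loads host keys.
validate_config() {
    bin=${SSHD_BIN:-/usr/sbin/sshd}
    [ -x "$bin" ] || return 2
    if "$bin" -t -f "$1" >/dev/null 2>&1; then return 0; else return 1; fi
}

# sshd_supports_include: 0 = installed sshd knows "Include", 1 = it does not
# (Harald's 7.4 error), 2 = cannot tell. With 0, a drop-in file under
# sshd_config.d plus one Include line, again at the TOP, replaces the block.
sshd_supports_include() {
    bin=${SSHD_BIN:-/usr/sbin/sshd}
    [ -x "$bin" ] || return 2
    probe=$(mktemp) || return 2
    printf 'Include /dev/null\n' > "$probe"
    if "$bin" -t -f "$probe" 2>&1 | grep -q 'Bad configuration option: Include'; then
        rm -f "$probe"; return 1
    fi
    rm -f "$probe"; return 0
}

# deploy_block FILE SNIPPET: what postinst calls. Patch, let sshd check the
# result, roll back on rejection so no host ends up with an unrestartable sshd.
deploy_block() {
    patch_config "$1" "$2" || return 1
    if validate_config "$1" || [ $? -eq 2 ]; then return 0; fi
    echo "sshd rejected $1, rolling back" >&2
    unpatch_config "$1"; return 1
}

# Demo on a constructed file (run as: sh this.sh demo)
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '# constructed sample\nPort 22\nPasswordAuthentication yes\nMatch User backup\n    PasswordAuthentication no\n' > "$d/sshd_config"
    printf 'PasswordAuthentication no\nPermitRootLogin prohibit-password\n' > "$d/local.conf"
    echo "before: PasswordAuthentication=$(effective_value "$d/sshd_config" PasswordAuthentication)"
    deploy_block "$d/sshd_config" "$d/local.conf"
    deploy_block "$d/sshd_config" "$d/local.conf"   # second run: still one block
    echo "after:  PasswordAuthentication=$(effective_value "$d/sshd_config" PasswordAuthentication)"
    sshd_supports_include && echo "this sshd accepts Include; prefer sshd_config.d"
    cat "$d/sshd_config"; rm -rf "$d"
fi
```

Run the demo as root on a host with openssh-server for the `sshd -t` step to mean anything (as an unprivileged user `-t` cannot read the host keys and the wrapper rolls back); on a host without sshd the syntax check is skipped and the patch still lands. The same marker logic serves ssh_config, where Host stanzas play the role of Match; cme, as suggested elsewhere in the thread, is the heavier but format-aware alternative to this line-level patching.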
how to deploy common ssh_config and sshd_config settings on all hosts?
Hi folks,

Problem: Deploying a custom ssh authentication scheme common to all Debian hosts in the lan appears to be apita, esp. since the next openssh upgrade might put the default config files upside down again.

What would you consider best practice to keep your ssh hosts (>300) in sync wrt the most important config options?

openssh is version 7.4

Every helpful response is highly appreciated
Harri