[Bug 1701298] Re: ssh_config should include /etc/ssh/ssh_config.d/* by default

2020-02-24 Thread Colin Watson
** Changed in: openssh (Ubuntu)
   Status: Confirmed => Fix Committed

** Changed in: openssh (Ubuntu)
 Assignee: (unassigned) => Colin Watson (cjwatson)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1701298

Title:
  ssh_config should include /etc/ssh/ssh_config.d/* by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1701298/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1701298] Re: ssh_config should include /etc/ssh/ssh_config.d/* by default

2017-07-01 Thread Colin Watson
** Bug watch added: OpenSSH Portable Bugzilla #2468
   https://bugzilla.mindrot.org/show_bug.cgi?id=2468


Re: [Bug 1701298] Re: ssh_config should include /etc/ssh/ssh_config.d/* by default

2017-07-01 Thread Colin Watson
On Sat, Jul 01, 2017 at 01:27:13PM -0400, James Cloos wrote:
> CW> This is all very well and true, but it's not what this bug is about.
> 
> My reading of this bug is that a patch to support .d/* is exactly what
> was requested.

No, this bug is specifically about *ssh_config*, not *sshd_config* - the
client configuration file, not the server configuration file.  Even
leaving aside the lack of upstream support for Include in sshd_config
(which is https://bugzilla.mindrot.org/show_bug.cgi?id=2468), I'd expect
to at least have to think about the two separately, due to
considerations such as ordering (ssh_config has per-user configuration
files to be considered as well, while sshd_config doesn't; sshd_config
frequently has more complex issues related to Match blocks).

> And you asked for examples of how it would be useful, then complained
> about receiving such an example.

I was glad to receive Erich's response to the question I asked them
directly. :-)  I understand the general usefulness of .d directories in
configuration systems and have put effort into supporting them in the
past; I was specifically asking the bug reporter for what packaged
modifications to ssh_config they wanted to be able to deliver, because I
wanted to know whether it was a matter of packaging site-local changes
or a matter of extensions being made by other packages that we might
ship in the distribution.  Site-local changes I entirely understand; if
it were distribution-shipped changes then I would want to look into the
details at some more length.

I generally try hard to avoid the scope of a bug drifting too far.  My
experience is that it's easy to consolidate multiple bugs that turn out
to be about the same thing, but difficult to deal with single bugs that
have ended up being about multiple things.  It can be difficult to avoid
sounding sharp when trying to stop a bug from undergoing scope creep,
and I'm sorry for that.  However, please do take any points about
sshd_config to a separate bug report.

-- 
Colin Watson   [cjwat...@ubuntu.com]


Re: [Bug 1701298] Re: ssh_config should include /etc/ssh/ssh_config.d/* by default

2017-07-01 Thread Colin Watson
On Fri, Jun 30, 2017 at 08:19:09PM -0400, James Cloos wrote:
> > "CW" == Colin Watson  writes:
> 
> CW> Erich, could you give an example of the sort of changes you'd like to be
> CW> able to make in a .d directory?
> 
> Colin,
> 
> One good example is the port number(s).  Having to edit sshd_config
> every time the package changes the default contents is a pain.  And
> a non-default port number is very common.

This is all very well and true, but it's not what this bug is about.
Upstream OpenSSH doesn't yet support Include for sshd_config at all, so
there's no possibility of making the distribution-shipped sshd_config
include a .d directory.  This bug is about ssh_config instead.

-- 
Colin Watson   [cjwat...@ubuntu.com]


[Bug 1701298] Re: ssh_config should include /etc/ssh/ssh_config.d/* by default

2017-06-30 Thread Erich E. Hoover
@cjwatson, I've been getting my work into the habit of deploying Debian 
packages for all organization-wide system configuration files.  So, when I 
noticed the other day that openssh-client 7.3p1+ now supports include 
directives I put together a new package that gives all of our internal users 
no-login access to the systems that they need for their work.  The exact ".d" 
file I put together to do this is:
===
Match exec "getent hosts %h | grep -qE '^10\.10\.10\.'"
User root
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
IdentityFile /opt/insight/SLE-101_id_rsa
===
However, at the moment, for anyone to use this file I would need to modify 
/etc/ssh/ssh_config by adding "Include /etc/ssh/ssh_config.d/*".  While I can 
do that, I know that it's not generally recommended to have a package modify 
the config files of other packages.  So, ideally, the default ssh_config file 
would have an Include directive that allows me to simply place my ".d" file in 
the appropriate ".d" directory such that it automatically gets included 
whenever my custom package is installed.
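
Once the default ssh_config includes /etc/ssh/ssh_config.d/*, every package that drops a file there changes client behaviour for all users, so it helps to see which drop-ins alter host key verification. The script below is an added example, not part of the original message or of OpenSSH; it checks only the two host-key settings that appear in the file quoted above, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report ssh_config drop-ins that turn off host key checks.
# audit_ssh_dropins and make_sample_dir are hypothetical helper names.

audit_ssh_dropins() {   # $1: drop-in directory, e.g. /etc/ssh/ssh_config.d
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" -v scope="(global)" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
            {
                line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
                match(line, /^[A-Za-z0-9]+/)
                key = tolower(substr(line, 1, RLENGTH))  # keywords ignore case
                val = substr(line, RLENGTH + 1)
                sub(/^[ \t]*=?[ \t]*/, "", val)   # "key value" or "key=value"
                gsub(/"/, "", val)
                if (key == "host" || key == "match") { scope = line; next }
                lv = tolower(val)
                if ((key == "stricthostkeychecking" && (lv == "no" || lv == "off")) ||
                    (key == "userknownhostsfile" && val == "/dev/null"))
                    printf "%s:%d: %s %s [in: %s]\n", file, NR, key, val, scope
            }' "$f"
    done
}

# Constructed sample drop-ins; the first is modelled on the file quoted above.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/10-internal.conf" <<'EOF'
Match exec "getent hosts %h | grep -qE '^10\.10\.10\.'"
User root
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
EOF
    cat > "$d/20-site.conf" <<'EOF'
# constructed: "=" separator and mixed case, then a setting that is left alone
Host build-*
    stricthostkeychecking=OFF
Host *
    StrictHostKeyChecking ask
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample_dir) && audit_ssh_dropins "$sample"
rm -rf "$sample"
```

Each reported line names the file, the line number and the Host or Match block the setting sits under; `ssh -G <host>` shows what the client finally resolves for a given host.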



[Bug 1701298] Re: ssh_config should include /etc/ssh/ssh_config.d/* by default

2017-06-30 Thread Colin Watson
There are already bugs about an Include directive in sshd, so please
don't file more.  Also, it isn't really necessary to re-file this in
Debian since I follow both trackers.

Erich, could you give an example of the sort of changes you'd like to be
able to make in a .d directory?  Are you talking about site-local
changes, or things that might go into a distribution?


[Bug 1701298] Re: ssh_config should include /etc/ssh/ssh_config.d/* by default

2017-06-30 Thread ChristianEhrhardt
Hi Erich,
I agree that would be a nice change to have, but I got puzzled checking the 
details.

In general it seems to require 7.3p1: =>
https://bugzilla.mindrot.org/show_bug.cgi?id=1585.
Therefore e.g. in Xenial I was puzzled to find nothing about the Include
statement, but that was 7.2.
But all later versions are ok, so there it absolutely makes sense.

It is already done for the user side of the config in:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/739495

But looking deeper I realized that this is only implemented by Upstream
for the client part (ssh) but not the sshd server (at least trusting the
man pages updated with the referred upstream change).

That said I'd have to ask you for two things:
1. This bug is present in Debian too and we carry next to no delta. So it
would be best fixed in Debian, and then Ubuntu will pick it up on the next
merge. Would you mind filing a bug with Debian please?
2. Also, since at least according to my sniff check it seems the upstream
sshd doesn't have an Include directive, you might file a bug there as well
and link it here and in the Debian bug.

For now confirming the idea and setting wishlist as for all feature
requests.

** Bug watch added: OpenSSH Portable Bugzilla #1585
   https://bugzilla.mindrot.org/show_bug.cgi?id=1585

** Changed in: openssh (Ubuntu)
   Status: New => Confirmed

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Wishlist
