On Wed, Apr 19, 2017 at 1:02 PM, navern <livingdeadzerg at yandex.ru>
wrote:> On 10.04.2017 23:02, navern wrote:
>>
>>
>> On 07.04.2017 15:05, Jakub Jelen wrote:
>>>
>>> On 04/07/2017 11:54 AM, navern wrote:
>>>>
>>>> Hello,
>>>>
>>>> Afaik there was added Include feature for ssh_config. I want to
add this
>>>> option to sshd_config as well. I think about local patch(i am
not sure
>>>> this will be required for upstream).
>>>>
>>>> Code for Include option in readconf.c doesn't look very
specific. Is
>>>> there some reason why this wasn't introduced for
sshd_config as well?
>>>>
>>>> Maybe someone already have patch for this feature? It would be
great
>>>> because i am pretty awful C programmer.
>>>
>>>
>>> This is already implemented in the following bugzilla:
>>>
>>> https://bugzilla.mindrot.org/show_bug.cgi?id=2468
>>>
>>> The code gets little bit more complicated because of requirement to
>>> re-read the configuration for every incoming connection. Giving a
test and
>>> comments would be very appreciated.
>>>
>>> Regards,
>>
>> Hello,
>>
>> I've fixed this patch a little to apply it to version 7.4p1. I will
test
>> it in following week and let you know about results. Thanks for the
patch.
>
>
> Hi,
>
> I've been testing this for about a week on 150 servers and everything
> running fine. I hadn't seen any bugs. Thanks!
What is the performance penalty for incoming connectons? Have you any
sense of this?
I'm slightly leery of this approach. I've encountered numerous systems
that sought to split out subconfigurations sensibly, such as
/etc/cron.d for cron jobs, /et/sudoers.d for sudo access, and
individual zone files for DNS configurations. Some of them have worked
very well, but some of them which parse all files for all connections
have been vulnerable to a single typo in a single included file
destroying the *whole* system. If you do that to the SSH which is used
for remote system management, well, you can suddenly be up a nasty
creek without a paddle unless you're as paranoid as I've sometimes
been and run a second daemon with a separate set of config files with
very restrictive access for emergencies. It can be exacerbated if you
have a system configuration tool, such as ansible or puppet or chef,
which can modify your OpenSSH config without you're being connected on
a live SSH session which is still active and might be used for salvage
if you screw up a file.
Is there any available tool with this for pre-evaluating the resulting
sshd_config for fatal errors? I'm not demanding: I'm thinking "that
could be really, really useful".