From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH v2 2/2] use custom SSH client configuration in LFS file
Date: Mon, 10 Sep 2018 17:48:50 +0200
Message-ID: <144a9115-0b4d-adda-3bf9-fde0ed2a0677@link38.eu>

Hello Michael,

> Hello,
>
> did you notice that this file is excluded from being updated on existing
> installations?

no - but I should have thought about that. :-\

>
> How do we handle any custom changes from users here?

The only possibility of keeping the user's settings is to move existing
SSH client configurations to a new location, replace /etc/ssh/ssh_config
with this one and include the version before.

However, I strongly advise against this. (For example, some settings in
the original config might revert hardening options, causing no security
benefit after all.)

Since it is "just" the client configuration, I consider overwriting it
the best procedure. Of course, there has to be a yellow warning box in
the release notes, but it is better than no hardening at all.

>
> I merged this for new installations already.

Great. SSH server configuration will follow.

Best regards,
Peter Müller

>
> -Michael
>
> On Mon, 2018-09-10 at 16:29 +0200, Peter Müller wrote:
>> Include OpenSSH client configuration file during build.
>>
>> Signed-off-by: Peter Müller
>> --- >> lfs/openssh | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/lfs/openssh b/lfs/openssh >> index a88b2d126..0e6acc227 100644 >> --- a/lfs/openssh >> +++ b/lfs/openssh
>> @@ -100,5 +100,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \ >> -e 's|^#\?HostKey /etc/ssh/ssh_host_rsa_key$$|HostKey >> /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey >> /etc/ssh/ssh_host_rsa_key|' \ >> /etc/ssh/sshd_config >> + >> + # install custom OpenSSH client configuration >> + install -v -m 644 $(DIR_SRC)/config/ssh/ssh_config \ >> + /etc/ssh/ssh_config >> + >> @rm -rf $(DIR_APP) >> @$(POSTBUILD)
> --
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq
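
Review bot: the added install line replaces /etc/ssh/ssh_config wholesale, but neither the in-line comment nor the commit message ("Include OpenSSH client configuration file during build") says what happens to a file a user has already edited, or that, as noted in this thread, the file is excluded from updates on existing installations, so the hardened settings only reach new installs. Please record both points in the commit message, and state in the comment that the upstream default written by the build is intentionally overwritten at this step. If the update path is later changed to overwrite the file as well, keeping the old file as a plain backup copy is safer than including it from the new one, because included old settings could undo the hardened options. Mode 644 fits a client configuration that every user must be able to read.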