From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] apply logging settings for OpenSSH correctly
Date: Wed, 30 May 2018 21:47:22 +0200
In-Reply-To: <22d13bfc252a2d768cfe4ba9aca5eb617701d00c.camel@ipfire.org>

Hello Michael,

since we edit a lot of settings in the sshd_config file (and perhaps
in the ssh_config file, too, when it comes to cipher selection), should
we introduce a completely own config file?

If so, how do I do so? We still need to manipulate it via sed for
existing installations (via the update.sh script), but we could omit
the procedure during building the package.

As most of the config file is commented out by default, it could also
be made much smaller and easier to read, only containing settings
different than the defaults.

Best regards,
Peter Müller

> I guess this looks good.
>
> The problem here certainly was that editing a file that comes from upstream with
> sed is not a good idea. One line changed can cause the sed to do nothing and we
> won't even notice it. Therefore, in the future, I will only accept patches for
> changes like this. Those won't apply and then we can investigate why.
>
> Best,
> -Michael
>
> On Tue, 2018-05-01 at 14:40 +0200, Peter Müller wrote:
>> The logging settings for OpenSSH (log to syslog with "AUTH"
>> facility at "INFO" level) were not applied correctly. This
>> patch fixes that for both installed systems and the LFS file.
>
>> Partially addresses #11538.
>
>> Signed-off-by: Peter Müller
>> ---
>>  config/rootfiles/core/121/update.sh | 6 ++++++
>>  lfs/openssh | 4 ++--
>>  2 files changed, 8 insertions(+), 2 deletions(-)
>
>> diff --git a/config/rootfiles/core/121/update.sh >> b/config/rootfiles/core/121/update.sh >> index 87d5f6ebd..5b8f2c86e 100644 >> --- a/config/rootfiles/core/121/update.sh >> +++ b/config/rootfiles/core/121/update.sh >> @@ -56,7 +56,13 @@ rm -rvf \ >> /usr/share/nagios/ \ >> /var/nagios/ >=20 >> +# Update SSH configuration >> +sed -i /etc/ssh/sshd_config \ >> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ >> + -e 's/^#LogLevel INFO$/LogLevel INFO/' >> + >> # Start services >> +/etc/init.d/sshd restart >> /etc/init.d/apache restart >=20 >> # This update needs a reboot... >> diff --git a/lfs/openssh b/lfs/openssh >> index 203446370..46561953d 100644 >> --- a/lfs/openssh >> +++ b/lfs/openssh 
>> @@ -91,8 +91,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts >> yes/' \ >> -e 's/^#\?UsePAM .*$$//' \ >> -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \ >> - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \ >> - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \ >> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ >> + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ >> -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ >> -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ >> -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>
-- 
"We don't care. We don't have to. We're the Phone Company."
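Review bot: In the config/rootfiles/core/121/update.sh hunk, the added sed only matches the exact commented defaults (`^#SyslogFacility AUTH$` and `^#LogLevel INFO$`), so on an installed system where either line differs it changes nothing and the script continues with no sign of that, which is the silent no-op raised earlier in this thread. Follow the sed with a check such as `grep -q '^SyslogFacility AUTH$' /etc/ssh/sshd_config` (and the same for LogLevel) and log a warning when it fails. The added `/etc/init.d/sshd restart` is also unconditional; consider restarting only when sshd was already running, and only after `sshd -t` accepts the edited file.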
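Review bot: In the lfs/openssh hunk, the two added expressions end their pattern with a single `$` (`AUTH$/` and `INFO$/`), while every neighbouring line in this make recipe escapes the anchor as `$$`. make reads `$/` as a reference to a variable named `/`, which would expand to nothing, so sed would receive `s/^#SyslogFacility AUTHSyslogFacility AUTH/`, an unterminated command, instead of the intended substitution. Write `-e 's/^#SyslogFacility AUTH$$/SyslogFacility AUTH/'` and `-e 's/^#LogLevel INFO$$/LogLevel INFO/'`; the update.sh copy is plain shell and is right to keep the single `$`.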