Date: Fri, 20 Oct 2023 08:28:41 +0000
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Doug Hardie <bc979@lafn.org>
Cc: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>, stable@freebsd.org
Subject: Re: FreeBSD Errata Notice FreeBSD-EN-23:09.freebsd-update [REVISED]
Message-ID: <b1823ba8-b166-4be2-bbce-9a3bfd4f97a7@quip.cz>
In-Reply-To: <DAC7D065-F7C5-4DDC-AC45-71478D82EF63@sermon-archive.info>
References: <20231003230335.0B92113333@freefall.freebsd.org> <aaabb189-b0df-4bd2-94d2-12d407b080b1@twcny.rr.com> <E5535DBD-9199-4151-A485-119E5CD02EA2@libassi.se> <765ea31d-8f07-4916-b6fd-ba220dec80dc@inoc.net> <c0a1d1b3-171b-443d-bedb-a5a8938219eb@quip.cz> <20231020062618.9618dcfd42b083720d5dbd12@dec.sakura.ne.jp> <14ed5f0c-9dbc-48d6-959c-750f2db726d4@quip.cz> <DAC7D065-F7C5-4DDC-AC45-71478D82EF63@sermon-archive.info>
On 20/10/2023 00:14, Doug Hardie wrote:
>> On Oct 19, 2023, at 16:16, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>>
>> On 19/10/2023 21:26, Tomoaki AOKI wrote:
>>> On Thu, 19 Oct 2023 19:53:08 +0000
>>> Miroslav Lachman <000.fbsd@quip.cz> wrote:
>>
>> [..]
>>
>>>> It is a hackery workaround. freebsd-update must not overwrite
>>>> user-modified files without a safe merge of conflicts. Yet it did it
>>>> in the past, for example pf.conf and some other vital files.
>>>>
>>>> Kind regards
>>>> Miroslav Lachman
>>>
>>> I don't think it is hackery.
>>> What should have been is that the default sshd_config be in
>>> /etc/defaults and /etc/defaults/rc.conf points to it, and anyone who
>>> needs custom settings creates sshd_config in /etc/ssh (or somewhere
>>> else), like the rc.conf case.
>>
>> I don't think /etc/ssh/sshd_config is the default not intended to be
>> edited. I have been on FreeBSD since 4.x times and it was always
>> supposed to be modified by users and was handled by mergemaster or
>> etcupdate. If freebsd-update cannot deal with it then it is a bug in
>> freebsd-update.
>> All in all, the pre-installed /etc/ssh/sshd_config has almost
>> everything commented out because the defaults are built in.
>
> While that has been the norm since 2.5, it does have a significant
> problem that changes to sshd configuration variables do not get
> incorporated into updated systems easily. Yes, mergemaster will
> somewhat show you the new configuration items, but they are not always
> obvious and are very easy to ignore. There was one update to sshd that
> caused it not to function without the new variable. I don't recall the
> version or variable anymore, but it caused me days of problems trying
> to figure out why I couldn't connect to my servers.

And there was a problem where a documented and shipped variable no
longer worked, causing sshd to fail to start after reboot:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441

There will always be cases when something breaks badly.

> I believe that adding a couple lines of sh code to the end of
> sshd.conf would cause it to read /usr/local/etc/sshd.conf and avoid
> those issues. That is done in other places in the rc process.

I don't have sshd.conf on my system, but if you mean sshd_config, it is
not parsed / interpreted by sh. It is passed directly to sshd.

Kind regards
Miroslav Lachman
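The point at the end of the exchange, that rc.conf layering works only because rc(8) sources those files with sh while sshd_config is handed to sshd(8) as plain text, can be shown with a small script. This is an added example and is not part of the thread or of FreeBSD's rc scripts; all file contents and paths are constructed fixtures. It emulates the two mechanisms side by side: a defaults file overlaid by an override file via `.` (the rc.conf model), and a first-match-wins keyword lookup over an sshd_config-style file, where a later duplicate keyword and an appended sh-style line are just text.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Contrasts the rc.conf
# model (files sourced by sh, later file overrides earlier) with the
# sshd_config model (keyword/value lines read by sshd, where the first
# value seen for a keyword wins and nothing is interpreted by sh).
# Sample file contents below are constructed for the demonstration.

# rc.conf model: source the defaults file, then the override file if it
# exists, and print the resulting value of the named variable.
rc_style_value() {
    defaults_file=$1; override_file=$2; var=$3
    . "$defaults_file"
    [ -r "$override_file" ] && . "$override_file"
    eval "printf '%s\n' \"\$$var\""
}

# sshd_config model: keywords are case-insensitive, comments and blank
# lines are ignored, and the FIRST value obtained for a keyword is used
# (sshd_config(5)). An appended line of sh syntax is not executed; it is
# just a line sshd would reject as an unknown keyword when it parses.
sshd_style_value() {
    keyword=$1; config_file=$2
    awk -v kw="$keyword" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$config_file"
}

# Write constructed fixtures into the given directory.
write_fixtures() {
    dir=$1
    printf 'sshd_enable="NO"\nsshd_flags=""\n' > "$dir/defaults.rc.conf"
    printf 'sshd_enable="YES"\n' > "$dir/rc.conf"
    # sshd_config with a later duplicate keyword and an sh-style "source"
    # line appended, the kind of addition the thread discusses.
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample, not a shipped file
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
. /usr/local/etc/sshd_config
EOF
}

# Stand-alone demonstration.
demo() {
    tmp=$(mktemp -d) || return 1
    write_fixtures "$tmp"
    echo "rc.conf model, sshd_enable: $(rc_style_value "$tmp/defaults.rc.conf" "$tmp/rc.conf" sshd_enable)"
    echo "sshd_config model, PermitRootLogin: $(sshd_style_value PermitRootLogin "$tmp/sshd_config")"
    rm -rf "$tmp"
}

demo
```

Note what the second half shows: even without the sh line, appending `PermitRootLogin yes` to the end of sshd_config does not override the earlier `no`, because sshd keeps the first value it reads, so an "override file appended at the bottom" could not work the way `/etc/rc.conf` overrides `/etc/defaults/rc.conf`. `sshd -t -f <file>` on the constructed sshd_config would report the `. /usr/local/etc/sshd_config` line as a bad configuration option. (Separately from anything in the thread: OpenSSH has supported an `Include` directive in sshd_config since 8.2, which is the supported way to pull in a local override file.)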