From: Ben Stuyts
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Doug Hardie, Tomoaki AOKI, stable@freebsd.org
Subject: Local sshd_config modifications (was: FreeBSD Errata Notice FreeBSD-EN-23:09.freebsd-update [REVISED])
Date: Fri, 20 Oct 2023 12:41:21 +0200
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
Message-Id: <752B19A0-13E0-47D7-A009-CD07ACBFEB85@altesco.nl>
In-Reply-To: <29762b3d-5f46-46b0-ad51-bcca7bf0c855@quip.cz>

> On 20 Oct 2023, at 12:07, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> On 20/10/2023 08:55, Ben Stuyts wrote:
>>> On 20 Oct 2023, at 02:14, Doug Hardie wrote:
>>>
>>> I believe that adding a couple lines of sh code to the end of sshd.conf would cause it to read /usr/local/etc/sshd.conf and avoid those issues. That is done in other places in the rc process.
>>>
>>> — Doug
>> Yes, it would be great if the stock /etc/sshd_config would include something like
>> Include /usr/local/etc/ssh/*
>> as the final line. I would never have to touch it again. It's always a bother keeping it up to date, especially when running lots of jails.
>
> Except that /usr/local/etc/ is for configuration files used by ports/packages and not the services from base.
>
> If you want it, then it should be something like this:
>
> Include /etc/ssh/sshd_config.d/*.conf
>
> or this
>
> Include /etc/ssh/sshd_config.d/*.conf
> Include /usr/local/etc/ssh/sshd_config.d/*.conf

Noted, thanks.

Personally I just use Include /etc/ssh/sshd_config.local, but I thought my initial solution would be more generic.

> But search the internet first, there are reported bugs and headaches with Include and Match.

I personally have not seen any problems when using Match with this. But it looks like this was fixed in 8.4, and FreeBSD (12.4) is running 9.1.

Looking at it now, I see that I also had to disable the Subsection sftp part, as I sometimes redefine it in the local file. And sshd barfs on duplicate Subsections.

Ben
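The two things this thread runs into, where an Include line should sit and why sshd rejects a redefined sftp subsystem, both follow from rules in sshd_config(5): Include splices the matched files in at the position of the directive, for most keywords the first value obtained is the one used, and a Subsystem (the keyword behind the "Subsection sftp part" above) may be defined only once. The checker below is an added example written for this thread; it is not code from FreeBSD, OpenSSH or any poster. It resolves a base config plus a drop-in directory the way sshd would, reports which value wins and where, and flags a duplicate Subsystem before sshd does. Match blocks are deliberately not merged (their values are conditional), and the base file, drop-in directory and directives it writes are constructed in a temporary directory, so nothing on the host is touched.

```python
"""Resolve an sshd_config that uses Include and report which value wins.

Added example for this thread, not code from FreeBSD or OpenSSH. It models
rules from sshd_config(5): Include splices the matched files in at the
position of the directive, for most keywords the first value obtained is the
one used, and a Subsystem defined twice is an error. Directives after a
Match line (other than "Match all") are skipped rather than merged.
All file paths used here are constructed in a temporary directory.
"""
import glob
import os
import tempfile

CONFIG_ROOT = "/etc/ssh"  # relative Include patterns resolve here per sshd_config(5)


def parse_directives(path):
    """Yield (source, keyword, argument) for each directive, expanding Include inline."""
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()
            argument = parts[1].strip() if len(parts) > 1 else ""
            if keyword != "include":
                yield (f"{path}:{lineno}", keyword, argument)
                continue
            for pattern in argument.split():
                if not os.path.isabs(pattern):
                    pattern = os.path.join(CONFIG_ROOT, pattern)
                for included in sorted(glob.glob(pattern)):
                    yield from parse_directives(included)


def resolve(path):
    """Return (effective, shadowed, errors).

    effective: keyword -> (source, argument) for the value sshd will use
    shadowed:  (source, keyword, argument, winner_source) for ignored repeats
    errors:    messages for a Subsystem defined more than once
    """
    effective, shadowed, errors, subsystems = {}, [], [], {}
    in_match = False
    for source, keyword, argument in parse_directives(path):
        if keyword == "match":
            in_match = argument.lower() != "all"  # "Match all" ends a Match block
            continue
        if in_match:
            continue
        if keyword == "subsystem":
            name = argument.split()[0]
            if name in subsystems:
                errors.append(f"{source}: Subsystem '{name}' already defined at {subsystems[name]}")
            else:
                subsystems[name] = source
            continue
        if keyword in effective:
            shadowed.append((source, keyword, argument, effective[keyword][0]))
        else:
            effective[keyword] = (source, argument)
    return effective, shadowed, errors


def build_demo(include_last=True):
    """Write a constructed base config plus one drop-in and resolve them.

    include_last=True mirrors the thread's proposal (Include as the final line);
    False puts the Include first so the drop-in is read before the base values.
    """
    root = tempfile.mkdtemp()
    dropin_dir = os.path.join(root, "sshd_config.d")
    os.mkdir(dropin_dir)
    base_lines = [
        "PasswordAuthentication yes",
        "PermitRootLogin no",
        "Subsystem sftp /usr/libexec/sftp-server",
    ]
    include_line = f"Include {dropin_dir}/*.conf"
    base_lines = base_lines + [include_line] if include_last else [include_line] + base_lines
    with open(os.path.join(root, "sshd_config"), "w") as fh:
        fh.write("\n".join(base_lines) + "\n")
    with open(os.path.join(dropin_dir, "10-local.conf"), "w") as fh:
        fh.write("PasswordAuthentication no\nX11Forwarding no\nSubsystem sftp internal-sftp\n")
    return resolve(os.path.join(root, "sshd_config"))


if __name__ == "__main__":
    for include_last in (True, False):
        effective, shadowed, errors = build_demo(include_last)
        print(f"Include as {'last' if include_last else 'first'} line:")
        for keyword, (source, argument) in effective.items():
            print(f"  {keyword} = {argument}  ({source})")
        for source, keyword, argument, winner in shadowed:
            print(f"  ignored {keyword} {argument} at {source}; first value came from {winner}")
        for err in errors:
            print(f"  ERROR {err}")
```

Run as a script, the first pass shows the practical consequence of an Include as the final line: the drop-in's `PasswordAuthentication no` is read after the base file's `yes`, so it is silently ignored and password logins stay enabled. With the Include first, the drop-in wins. In both orders the second `Subsystem sftp` is reported as a duplicate, which is the failure the reply above describes; the fix is to define it in exactly one of the files.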