Local sshd_config modifications (was: FreeBSD Errata Notice FreeBSD-EN-23:09.freebsd-update [REVISED])
Date: Fri, 20 Oct 2023 10:41:21 UTC
> On 20 Oct 2023, at 12:07, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> On 20/10/2023 08:55, Ben Stuyts wrote:
>>> On 20 Oct 2023, at 02:14, Doug Hardie <bc979@lafn.org> wrote:
>>>
>>> I believe that adding a couple lines of sh code to the end of sshd.conf would cause it to read /usr/local/etc/sshd.conf and avoid those issues. That is done in other places in the rc process.
>>>
>>> — Doug
>> Yes, it would be great if the stock /etc/sshd_config would include something like
>> Include /usr/local/etc/ssh/*
>> as the final line. I would never have to touch it again. It’s always a bother keeping it up to date, especially when running lots of jails.
>
> Except that /usr/local/etc/ is for configuration files used by ports/packages and not the services from base.
>
> If you want it, then it should be something like this:
>
> Include /etc/ssh/sshd_config.d/*.conf
>
> or this
>
> Include /etc/ssh/sshd_config.d/*.conf
> Include /usr/local/etc/ssh/sshd_config.d/*.conf

Noted, thanks. Personally I just use Include /etc/ssh/sshd_config.local, but I thought my initial solution would be more generic.

> But search the internet first, there are reported bugs and headaches with Include and Match.

I personally have not seen any problems when using Match with this. But it looks like this was fixed in 8.4, and FreeBSD (12.4) is running 9.1.

Looking at it now, I see that I also had to disable the Subsection sftp part, as I sometimes redefine it in the local file. And sshd barfs on duplicate Subsections.

Ben
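
A pre-restart check for the failure described above, where a local file redefines the sftp entry that the stock file already carries (the sshd_config keyword for it is `Subsystem`). This is an added example, not part of the original message or of FreeBSD's own tooling; the function names and the sample files are constructed, only absolute Include patterns are handled, and nested Include lines are not followed.

```shell
#!/bin/sh
# Added example: report Subsystem names defined more than once across a main
# sshd_config-style file and the files matched by its Include lines.
# Assumptions: Include patterns are absolute; nested Includes are not followed.

# list_config_files MAIN: print MAIN, then every file its Include globs match.
list_config_files() {
    printf '%s\n' "$1"
    # sshd_config keywords are case-insensitive, so compare in lower case.
    awk 'tolower($1) == "include" { for (i = 2; i <= NF; i++) print $i }' "$1" |
    while IFS= read -r pattern; do
        for f in $pattern; do            # unquoted on purpose: expand the glob
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# duplicate_subsystems MAIN: print each subsystem name that appears twice or more.
duplicate_subsystems() {
    list_config_files "$1" | while IFS= read -r f; do
        awk 'tolower($1) == "subsystem" { print $2 }' "$f"
    done | sort | uniq -d
}

# demo: build a constructed config tree in a temp dir and check it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sshd_config.d"
    printf '%s\n' "Include $d/sshd_config.d/*.conf" \
        'Subsystem sftp /usr/libexec/sftp-server' > "$d/sshd_config"
    printf '%s\n' 'Subsystem sftp internal-sftp' > "$d/sshd_config.d/local.conf"
    duplicate_subsystems "$d/sshd_config"
    rm -rf "$d"
}

demo
```

`sshd -t` remains the authoritative validity check before a restart; this script only names the subsystem that is defined twice.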