Majic Projects ~ [OPEN] MAR-202 - Switch to using modular configuration for OpenSSH server

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

You are not logged in

Majic Ansible Roles / Open Enhancement MAR-202 Switch to using modular configuration for OpenSSH server

branko (@branko) has been working on this issue since March 08, 2024 (00:20)

- No additional actions available

Issue basics

Type of issue

Enhancement Unknown issue type
Issue label

No label set
Category

General Not determined
Targetted for

Not determined
Status

New

Status not determined
Progress
Priority

Normal Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Mar 05, 2024
Last updated

Mar 08, 2024
Estimated time

2 hours Not estimated
Time spent

No time spent

Click here to see time logged against this issue

Issue details

Resolution

Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

The common role currently selectively modifies portions of the OpenSSH server configuration (/etc/ssh/sshd_config) for hardening purposes.

There are two problems with this:

Each time support for new distribution release is added, some of the regular expressions may become invalid.
During upgrades to next distribution release, it is necessary to overwrite the custom modifications and reapply them again to ensure that the configuration file is consistent with distribution defaults.

With the latest two Debian releases (Bullseye/Bookworm), it is possible to instead supply custom configuration using the conf.d mechanism, overriding the settings in the main configuration file. This would make for a way cleaner way to apply the changes, and also negate the issues listed for current configuration method.

The following should be done:

Update the common and backup_server roles.
- Switch to using /etc/ssh/sshd_config.d/ directory for deploying customisations.
Update tests that modify the configuration file to instead place override in the .d directory.
Figure out if any kind of change would be required for the backup_server role (probably not).
Update role reference documentation.
Update usage instructions.
Update release notes.

Todos (0 / 0)

Options

There are no comments

Welcome to The Bug Genie

Log in with your username and password