Project

General

Profile

Actions

Feature #15199

closed

Unable to add user defined options to /etc/ssh/sshd_config due to its dynamic nature and no UI to add additional configuration options

Added by Ronald Antony 11 months ago. Updated 11 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
sshd
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

In order to run a user with scponly privileges
(see: https://forum.netgate.com/topic/185794/there-s-absolutely-no-useful-documentation-on-user-system-copy-files-to-home-directory-chrooted-scp )
I would need to add these lines to /etc/ssh/sshd_config

Match User username
ChrootDirectory /home/username
ForceCommand internal-sftp

But I can't. I'm sure there are other reasons why someone might want to add options there, but since the file is dynamically created when the system boots, there's not much one can meaningfully change there, much less in a way that's persistent with saving and restoring a system configuration.

Actions #1

Updated by Ronald Antony 11 months ago

So, looking at /etc/sshd I find this section:

/* Apply package SSHDCond settings if config file exists */
if (file_exists("/etc/sshd_extra")) {
    $fdExtra = fopen("/etc/sshd_extra", 'r');
    $szExtra = fread($fdExtra, 1048576); // Read up to 1MB from extra file
    $sshconf .= $szExtra;
    fclose($fdExtra);
}

which, if I interpret it correctly, means that the contents of a file /etc/sshd_extra is appended to /etc/ssh/sshd_config , if it exists, a thing easy enough to do, BUT...

1) without UI this means very likely that what ever one puts into that file will not be backed up with the system configuration
2) what's package " SSHDCond "? It doesn't improve matters, if I put things in /etc/sshd_extra but then some (what?) package potentially stomps on it...

Actions #2

Updated by Jim Pingle 11 months ago

  • Status changed from New to Rejected
  • Priority changed from High to Normal

The sshd_extra file method is there for customizing directives. It was added for the sshdcond package but that package was removed long ago and so there isn't anything else using it now except users doing so with custom content. If a package like that were added again in the future it would be more likely to add a separate plugin system style means of adding config and not the old method of including files so there is no real danger of anything else stepping on that file.

As for backups, there are already packages that backup files outside of the configuration for these sorts of cases.

Actions

Also available in: Atom PDF