manifest: move sshd config fragments to overlay sshd_config.d on F32 #349
Don't suppose it would work on RHEL 8... But glad to see sshd finally has that support.
LGTM
@jlebon are we safe to merge things to next-devel without fear of them getting stomped on by config-bot?
Right, this will indeed get stomped on by config-bot. See #180 (comment). As mentioned in #180 (comment), I think folding the overlay stuff into the manifest would be a cleaner way to solve this. For now though... one hack is to make the postprocess scripts you're modifying just conditionalize on
Updated, rebased on testing-devel, and tested on top of both testing-devel and next-devel.
Otherwise LGTM
Some comments, but LGTM as is too!
@@ -0,0 +1,5 @@ | |||
# This file is ignored on Fedora 31. |
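Review bot: the header on the first line of this new file says it is ignored on Fedora 31 but gives no reason and no pointer to where the equivalent setting is applied there. The commit message says sshd_config itself is still edited on F31, so the header could say that in a few words, and it should be marked for removal once F31 is dropped so it does not outlive its purpose.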
Ahh right, makes sense. I think we can drop these headers. We're moving off of f31 soon-ish anyway. :)
This is fine too, but we'll probably want to drop it at some point after we move into f32.
Agreed that we'll want to drop eventually. I'd like to leave the headers for now, to avoid confusing users.
F31 and higher already default to PermitRootLogin prohibit-password.
Fedora 32 supports sshd_config.d. Use it. This allows users to easily re-enable password authentication if desired. We still need to disable the default AuthorizedKeysFile directive, since the Include directive appears after it in sshd_config. On Fedora 31, the sshd_config.d fragments will be ignored, so continue to edit sshd_config there.
Updated!
LGTM
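The ordering problem the commit message describes (a default `AuthorizedKeysFile` placed before the `Include` line shadows any fragment), shown as an added example that is not code from this PR. It models only the "first obtained value wins" rule from sshd_config(5) and ignores `Match` blocks; the fragment names and values are constructed for illustration.

```python
import glob
import os
import tempfile

def effective(path, seen=None):
    """Resolve keywords as sshd_config(5) describes: the first obtained value wins."""
    seen = {} if seen is None else seen
    with open(path) as fh:
        for raw in fh:
            parts = raw.strip().split(None, 1)
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            key, value = parts[0].lower(), parts[1].strip()
            if key == "include":
                # Assumption: relative patterns resolve beside the including file
                # (sshd uses /etc/ssh); matches are read in lexical order.
                base = os.path.dirname(path)
                for pattern in value.split():
                    for frag in sorted(glob.glob(os.path.join(base, pattern))):
                        effective(frag, seen)
            else:
                seen.setdefault(key, value)
    return seen

def write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed layout: default AuthorizedKeysFile appears before the Include line."""
    with tempfile.TemporaryDirectory() as root:
        main = os.path.join(root, "sshd_config")
        frags = os.path.join(root, "sshd_config.d")
        os.mkdir(frags)
        body = "AuthorizedKeysFile .ssh/authorized_keys\nInclude sshd_config.d/*.conf\n"
        write(main, body)
        # Constructed fragment names and values, not the ones shipped by the PR.
        write(os.path.join(frags, "40-keys.conf"),
              "AuthorizedKeysFile .ssh/authorized_keys.d/example\n")
        write(os.path.join(frags, "40-passwords.conf"), "PasswordAuthentication no\n")
        shadowed = effective(main)["authorizedkeysfile"]
        write(main, "#" + body)  # the prefix comments out only the first (default) line
        fixed = effective(main)["authorizedkeysfile"]
        locked = effective(main)["passwordauthentication"]
        # A user fragment that sorts earlier re-enables password authentication.
        write(os.path.join(frags, "10-user.conf"), "PasswordAuthentication yes\n")
        reenabled = effective(main)["passwordauthentication"]
    return shadowed, fixed, locked, reenabled

if __name__ == "__main__":
    print(demo())
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check.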