Include /etc/ssh/*_config.d/*.conf

Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config. Closes: #845315
author: Colin Watson <cjwatson@debian.org> 2020-02-21 14:45:25 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-02-21 14:48:42 +0000
commit: cb37f2bf1b8576863448555af5c5309a6c220785 (patch)
tree: 3a73125336f610265c6793cba89942eada865a2e
parent: 886e47e745586c34e81cfd5c5fb9b5dbc8e84d04 (diff)
parent: 86fe78ef4686485394b464cf9d3393ce27b33979 (diff)
11 files changed, 87 insertions, 31 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 8acad4cd4..281d947f2 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-a2dabf35ce0228c86a288d11cc847a9d9801604f
+86fe78ef4686485394b464cf9d3393ce27b33979
-a2dabf35ce0228c86a288d11cc847a9d9801604f
+86fe78ef4686485394b464cf9d3393ce27b33979
 f0de78bd4f29fa688c5df116f3f9cd43543a76d0
 f0de78bd4f29fa688c5df116f3f9cd43543a76d0
 openssh_8.2p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index b86ad184e..160e7171a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -101,6 +101,9 @@ openssh (1:8.2p1-1) UNRELEASED; urgency=medium
    and 1:7.7p1-4 inclusive (closes: #951220).
  * ssh(1): Explain that -Y is equivalent to -X in the default configuration
    (closes: #951640).
+  * Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and
+    /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config (closes:
+    #845315).
 -- Colin Watson <cjwatson@debian.org>  Fri, 21 Feb 2020 12:11:52 +0000
diff --git a/debian/openssh-server.ucf-md5sum b/debian/openssh-server.ucf-md5sum
index 37c51978f..640943f7b 100644
--- a/debian/openssh-server.ucf-md5sum
+++ b/debian/openssh-server.ucf-md5sum
@@ -57,7 +57,7 @@ fe396d52df77f1fbf710591d4dbf3311
 #
 # This obviously leaves something to be desired in terms of maintainability.
 #
-# The following covers up to 1:7.7p1-4, including everything except the
+# The following covers up to 1:7.8p1-1, including everything except the
 # latest version of sshd_config.  It should be extended any time sshd_config
 # changes.
@@ -90,3 +90,9 @@ cc873ab3ccc9cf3a3830c3c0728c0d0b
 2d0b1d2719c01b15457401fd97d607ed
 8ce930e15835a8f46285315ed0da7f4a
 8a71a3620605f21ac3ef16fd5d23f76a
+# From 1:7.8p1-1:
+55570f990ec9c3b8d19c19ab4d0b8eb8
+0b8a28dca5cdbace0cd85fcd7794cba8
+18df1377273c4d51d4c03c9adc31021f
+63284e767f6ccf2375ef80507c564797
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index b04c21060..c48220f63 100644
--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
-From 311da721c2a5c6d147738e0699fa49d04cd5762a Mon Sep 17 00:00:00 2001
+From 39d3bb41ec288e8ba2384c65248440603f65349c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Thu, 30 Aug 2018 00:58:56 +0100
 Subject: Work around conch interoperability failure
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index e5c690915..35c71b0e9 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From cc80ecc65d57a9e68ce84d67bcfece281ffa0e9f Mon Sep 17 00:00:00 2001
+From 8086961f9f4ad834e9c3b09b6e2c80273be1c506 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -13,6 +13,8 @@ worms.
 ssh: Enable GSSAPIAuthentication by default.
+ssh: Include /etc/ssh/ssh_config.d/*.conf.
 sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
 PrintMotd.
@@ -22,21 +24,23 @@ sshd: Set 'AcceptEnv LANG LC_*' by default.
 sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
+sshd: Include /etc/ssh/sshd_config.d/*.conf.
 Document all of this.
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2020-02-19
+Last-Update: 2020-02-21
 Patch-Name: debian-config.patch
 ---
 readconf.c    |  2 +-
 ssh.1         | 24 ++++++++++++++++++++++++
- ssh_config    |  6 +++++-
+ ssh_config    |  8 +++++++-
- ssh_config.5  | 19 ++++++++++++++++++-
+ ssh_config.5  | 26 +++++++++++++++++++++++++-
- sshd_config   | 16 ++++++++++------
+ sshd_config   | 18 ++++++++++++------
- sshd_config.5 | 22 ++++++++++++++++++++++
+ sshd_config.5 | 29 +++++++++++++++++++++++++++++
- 6 files changed, 80 insertions(+), 9 deletions(-)
+ 6 files changed, 98 insertions(+), 9 deletions(-)
 diff --git a/readconf.c b/readconf.c
 index 7f251dd4a..e82024678 100644
@@ -94,14 +98,16 @@ index b33a8049f..a8967c2f8 100644
 Send log information using the
 .Xr syslog 3
 diff --git a/ssh_config b/ssh_config
-index 1ff999b68..6dd6ecf87 100644
+index 1ff999b68..8a55237b9 100644
 --- a/ssh_config
 +++ b/ssh_config
-@@ -17,9 +17,10 @@
+@@ -17,9 +17,12 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
 -# Host *
+Include /etc/ssh/ssh_config.d/*.conf
+
 +Host *
 #   ForwardAgent no
 #   ForwardX11 no
@@ -109,7 +115,7 @@ index 1ff999b68..6dd6ecf87 100644
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
-@@ -45,3 +46,6 @@
+@@ -45,3 +48,6 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
@@ -117,10 +123,10 @@ index 1ff999b68..6dd6ecf87 100644
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
 diff --git a/ssh_config.5 b/ssh_config.5
-index c6eaa63e7..5c90d3e02 100644
+index c6eaa63e7..34dc2d51b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
+@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
@@ -133,6 +139,8 @@ index c6eaa63e7..5c90d3e02 100644
 +.Pp
 +.Bl -bullet -offset indent -compact
 +.It
+.Cm Include /etc/ssh/ssh_config.d/*.conf
+.It
 +.Cm SendEnv No LANG LC_*
 +.It
 +.Cm HashKnownHosts No yes
@@ -140,10 +148,15 @@ index c6eaa63e7..5c90d3e02 100644
 +.Cm GSSAPIAuthentication No yes
 +.El
 +.Pp
+.Pa /etc/ssh/ssh_config.d/*.conf
+files are included at the start of the system-wide configuration file, so
+options set there will override those in
+.Pa /etc/ssh/ssh_config.
+.Pp
 The file contains keyword-argument pairs, one per line.
 Lines starting with
 .Ql #
-@@ -729,11 +745,12 @@ elapsed.
+@@ -729,11 +752,12 @@ elapsed.
 .It Cm ForwardX11Trusted
 If this option is set to
 .Cm yes ,
@@ -158,10 +171,19 @@ index c6eaa63e7..5c90d3e02 100644
 from stealing or tampering with data belonging to trusted X11
 clients.
 diff --git a/sshd_config b/sshd_config
-index 2c48105f8..ed8272f6d 100644
+index 2c48105f8..459c1b230 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -57,8 +57,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
+@@ -10,6 +10,8 @@
+ # possible, but leave them commented.  Uncommented options override the
+ # default value.
+ 
+Include /etc/ssh/sshd_config.d/*.conf
+
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+@@ -57,8 +59,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
@@ -173,7 +195,7 @@ index 2c48105f8..ed8272f6d 100644
 
 # Kerberos options
 #KerberosAuthentication no
-@@ -81,16 +82,16 @@ AuthorizedKeysFile  .ssh/authorized_keys
+@@ -81,16 +84,16 @@ AuthorizedKeysFile  .ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
@@ -193,7 +215,7 @@ index 2c48105f8..ed8272f6d 100644
 #PrintLastLog yes
 #TCPKeepAlive yes
 #PermitUserEnvironment no
-@@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
 # no default banner path
 #Banner none
 
@@ -207,10 +229,10 @@ index 2c48105f8..ed8272f6d 100644
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 diff --git a/sshd_config.5 b/sshd_config.5
-index 25f4b8117..b8bea2ad7 100644
+index 25f4b8117..e8271be74 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
+@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
@@ -223,6 +245,8 @@ index 25f4b8117..b8bea2ad7 100644
 +.Pp
 +.Bl -bullet -offset indent -compact
 +.It
+.Cm Include /etc/ssh/sshd_config.d/*.conf
+.It
 +.Cm ChallengeResponseAuthentication No no
 +.It
 +.Cm X11Forwarding No yes
@@ -236,6 +260,11 @@ index 25f4b8117..b8bea2ad7 100644
 +.Cm UsePAM No yes
 +.El
 +.Pp
+.Pa /etc/ssh/sshd_config.d/*.conf
+files are included at the start of the configuration file, so options set
+there will override those in
+.Pa /etc/ssh/sshd_config.
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 7281395ae..aa6f4cc31 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 2fe72c4e855be0fc87dbdc296632394b6cfe957a Mon Sep 17 00:00:00 2001
+From 58390cbd5e07df92729b794beb491f7352b26993 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
@@ -18,10 +18,10 @@ Patch-Name: restore-authorized_keys2.patch
 1 file changed, 2 insertions(+), 3 deletions(-)
 diff --git a/sshd_config b/sshd_config
-index ed8272f6d..ee9629102 100644
+index 459c1b230..dc0db5706 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -36,9 +36,8 @@
+@@ -38,9 +38,8 @@ Include /etc/ssh/sshd_config.d/*.conf
 
 #PubkeyAuthentication yes
 
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 02c505531..13192e380 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From a2dabf35ce0228c86a288d11cc847a9d9801604f Mon Sep 17 00:00:00 2001
+From 86fe78ef4686485394b464cf9d3393ce27b33979 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -56,10 +56,10 @@ index 7bbc25c2e..470ad3619 100644
                options->version_addendum = xstrdup("");
        if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 5c90d3e02..6b4e4f43b 100644
+index 34dc2d51b..91beb6f50 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1133,11 +1133,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
@@ -74,10 +74,10 @@ index 5c90d3e02..6b4e4f43b 100644
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.
 diff --git a/sshd_config.5 b/sshd_config.5
-index b8bea2ad7..fd205e418 100644
+index e8271be74..d25b2f3d5 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -907,11 +907,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -914,11 +914,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
diff --git a/ssh_config b/ssh_config
index 6dd6ecf87..8a55237b9 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,6 +17,8 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
+Include /etc/ssh/ssh_config.d/*.conf
 Host *
 #   ForwardAgent no
 #   ForwardX11 no
diff --git a/ssh_config.5 b/ssh_config.5
index 6b4e4f43b..91beb6f50 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -80,6 +80,8 @@ which are not the default in
 .Pp
 .Bl -bullet -offset indent -compact
 .It
+.Cm Include /etc/ssh/ssh_config.d/*.conf
+.It
 .Cm SendEnv No LANG LC_*
 .It
 .Cm HashKnownHosts No yes
@@ -87,6 +89,11 @@ which are not the default in
 .Cm GSSAPIAuthentication No yes
 .El
 .Pp
+.Pa /etc/ssh/ssh_config.d/*.conf
+files are included at the start of the system-wide configuration file, so
+options set there will override those in
+.Pa /etc/ssh/ssh_config.
+.Pp
 The file contains keyword-argument pairs, one per line.
 Lines starting with
 .Ql #
diff --git a/sshd_config b/sshd_config
index ee9629102..dc0db5706 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,8 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
+Include /etc/ssh/sshd_config.d/*.conf
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
diff --git a/sshd_config.5 b/sshd_config.5
index fd205e418..d25b2f3d5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -65,6 +65,8 @@ which are not the default in
 .Pp
 .Bl -bullet -offset indent -compact
 .It
+.Cm Include /etc/ssh/sshd_config.d/*.conf
+.It
 .Cm ChallengeResponseAuthentication No no
 .It
 .Cm X11Forwarding No yes
@@ -78,6 +80,11 @@ which are not the default in
 .Cm UsePAM No yes
 .El
 .Pp
+.Pa /etc/ssh/sshd_config.d/*.conf
+files are included at the start of the configuration file, so options set
+there will override those in
+.Pa /etc/ssh/sshd_config.
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
author	Colin Watson <cjwatson@debian.org>	2020-02-21 14:45:25 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-02-21 14:48:42 +0000
commit	cb37f2bf1b8576863448555af5c5309a6c220785 (patch)
tree	3a73125336f610265c6793cba89942eada865a2e
parent	886e47e745586c34e81cfd5c5fb9b5dbc8e84d04 (diff)
parent	86fe78ef4686485394b464cf9d3393ce27b33979 (diff)