From patchwork Sat Dec 7 15:03:59 2024
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 8308
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 1/2] openssh: Introduce include directory for additional sshd config files
Date: Sat, 7 Dec 2024 16:03:59 +0100
Message-ID: <20241207150400.2159-1-stefan.schantl@ipfire.org>

This patch adds the possibility to place additional *.config files in /etc/ssh/sshd_config.d/ which will be included and loaded during the daemon startup process. Because these files will not be overwritten by any update, they can be used to place custom or other persistent settings.

Signed-off-by: Stefan Schantl --- config/rootfiles/common/openssh | 1 + config/ssh/sshd_config | 3 +++ lfs/openssh | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh index f7b479f55..d25651348 100644 --- a/config/rootfiles/common/openssh +++ b/config/rootfiles/common/openssh @@ -8,6 +8,7 @@ etc/ssh/ssh_config #etc/ssh/ssh_host_rsa_key #etc/ssh/ssh_host_rsa_key.pub etc/ssh/sshd_config +etc/ssh/sshd_config.d usr/bin/scp usr/bin/sftp usr/bin/ssh diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index e338f8cef..ce74cb851 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -57,4 +57,7 @@ TCPKeepAlive no # Add support for SFTP Subsystem sftp /usr/lib/openssh/sftp-server +# Include additional sshd config files. +Include /etc/ssh/sshd_config.d/*.conf + # EOF
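Review bot: in the sshd_config hunk the Include is appended after the distribution's own settings, but sshd keeps the first value it obtains for a keyword, so a drop-in in /etc/ssh/sshd_config.d/ can only add keywords that sshd_config does not already set; it cannot override anything above it (an existing PasswordAuthentication or PermitRootLogin line, for example). If the "custom settings" the commit message promises are meant to take precedence, move `Include /etc/ssh/sshd_config.d/*.conf` to the top of the file, before the first keyword; otherwise document that drop-ins are additive only. Separately, the commit message speaks of `*.config` files while the glob is `*.conf`; a file named local.config would be silently skipped, so align the two.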
diff --git a/lfs/openssh b/lfs/openssh index c14c8267c..b1c9a1635 100644 --- a/lfs/openssh +++ b/lfs/openssh 
@@ -91,5 +91,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) install -v -m 644 $(DIR_SRC)/config/ssh/ssh_config \ /etc/ssh/ssh_config + # Create directory for additional config + # config files. + mkdir -pv /etc/ssh/sshd_config.d/ + @rm -rf $(DIR_APP) @$(POSTBUILD)
From patchwork Sat Dec 7 15:04:00 2024
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 8309
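Review bot: the comment in the lfs/openssh hunk reads "additional config / config files" (doubled word); suggest `# Create directory for additional sshd config files.` on one line. Also, this `mkdir -pv` only runs when the package is built, so systems that pick up the new sshd_config through a core update will not have /etc/ssh/sshd_config.d/ created by anything in this series (the diffstat lists only the rootfile, sshd_config and the lfs file); add the same mkdir to the update step so the directory exists on upgraded installations too.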
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 2/2] backup: Add /etc/ssh/sshd_config.d
Date: Sat, 7 Dec 2024 16:04:00 +0100
Message-ID: <20241207150400.2159-2-stefan.schantl@ipfire.org>
In-Reply-To: <20241207150400.2159-1-stefan.schantl@ipfire.org>
References: <20241207150400.2159-1-stefan.schantl@ipfire.org>

Signed-off-by: Stefan Schantl --- config/backup/include | 1 + 1 file changed, 1 insertion(+) diff --git a/config/backup/include b/config/backup/include index f0708c87f..0bf9440d3 100644 --- a/config/backup/include +++ b/config/backup/include @@ -10,6 +10,7 @@ etc/logrotate.d etc/passwd etc/shadow etc/ssh/sshd_config +etc/ssh/sshd_config.d etc/ssh/ssh_host* etc/squid/squid.conf.local etc/squid/squid.conf.pre.local
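Review bot: the commit message has no body; add one line saying why the directory is backed up, e.g. that the drop-ins introduced in patch 1/2 carry the administrator's persistent sshd settings and must survive a restore, just as etc/ssh/sshd_config in the line above already does. Listing a directory here is consistent with the existing etc/logrotate.d entry, so the include format itself needs no change; only the description is missing.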
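To make the ordering question raised against patch 1/2 concrete, here is an added example (not IPFire or OpenSSH code) that resolves a sshd_config together with its Include drop-ins the way sshd_config(5) describes: the first value obtained for a keyword wins, and an Include is expanded (glob, lexical order) at the position where it appears. The config files are constructed in a temporary directory that stands in for /etc/ssh; Match blocks and the `Keyword=Value` spelling are deliberately not handled.

```python
"""Effective-value resolver for sshd_config with Include directives.

Added example, not IPFire or OpenSSH code.  Modelled on the documented sshd
rules: the first value obtained for a keyword wins, and Include is expanded
(glob, lexical order) at the point where it appears.  Assumptions made here:
relative Include patterns resolve under a caller-supplied root instead of
/etc/ssh, "Keyword=Value" syntax is not handled, and processing of a file
stops at its first Match block (conditional settings are out of scope)."""
import glob
import os
import tempfile


def resolve(path, root):
    """Return {lowercased keyword: first value seen} for the config at path."""
    effective = {}
    _walk(path, root, effective)
    return effective


def _walk(path, root, effective):
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if keyword == "match":
                break  # simplification: conditional blocks are not modelled
            if keyword == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(root, pattern)
                    # sshd expands the glob and reads matches in lexical order;
                    # a pattern that matches nothing contributes nothing.
                    for included in sorted(glob.glob(pattern)):
                        _walk(included, root, effective)
                continue
            # sshd_config(5): "the first obtained value will be used"
            effective.setdefault(keyword, value)


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build the patch's layout (Include appended last) and the alternative
    (Include first) from constructed files; return the effective settings."""
    with tempfile.TemporaryDirectory() as root:
        dropins = os.path.join(root, "sshd_config.d")
        os.mkdir(dropins)
        # Constructed drop-ins: an admin trying to re-enable password logins.
        # 10-local.conf matches the Include glob; 20-local.config (the suffix
        # the commit message mentions) does not match *.conf and is never read.
        _write(os.path.join(dropins, "10-local.conf"),
               "PasswordAuthentication yes\n")
        _write(os.path.join(dropins, "20-local.config"),
               "PermitRootLogin no\n")

        distro = ("Port 22\n"
                  "PasswordAuthentication no\n"
                  "PermitRootLogin yes\n")
        include = ("# Include additional sshd config files.\n"
                   "Include sshd_config.d/*.conf\n")

        last = os.path.join(root, "sshd_config.include_last")
        first = os.path.join(root, "sshd_config.include_first")
        _write(last, distro + include)   # as in the patch: Include at the end
        _write(first, include + distro)  # alternative: Include at the top
        return {"include_last": resolve(last, root),
                "include_first": resolve(first, root)}


if __name__ == "__main__":
    for layout, effective in demo().items():
        print(layout, effective)
```

With the Include appended after the distribution settings, as in patch 1/2, the drop-in's `PasswordAuthentication yes` is discarded because `no` was obtained first; with the Include at the top the drop-in wins. The `*.config` file is never read in either layout. On a real system, `sshd -T` prints the effective configuration and is the quickest way to confirm which value sshd actually applied.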