On 11/09/2015 04:58 PM, Petter Reinholdtsen wrote:
> [Bob Mottram]
>> This patch adds some extra hardening to the ssh server settings, in
>> accordance with the recommendations on bettercrypto.org.
> This approach, editing the file /etc/ssh/sshd_config after installation,
> will very likely cause conffile question during upgrades when the
> package maintainer version of the file changes in the openssh-server
> deb. This will cause upgrade problems for non-technical users.
>
> Because of this, it is probably better to convince the openssh package
> maintainer to change the Debian default settings the way you propose to
> change the FreedomBox setup.
>
> Perhaps this bug should be reassigned to openssh-server or be cloned and
> a copy reassigned to openssh-server?
>

I think sshd_config is not a conffile. It seems to be produced by the
postinst:
https://sources.debian.net/src/openssh/1:6.9p1-2/debian/openssh-server.postinst/#L150

And if I'm reading that postinst correctly, it seems like they do
attempt to handle upgrades of this file properly.

That said, I do agree that we should try to improve Debian default settings.

--
James