Control: tags -1 wontfix
Control: close -1

On Sat, 31 Aug 2024 04:32:30 +0200 Christoph Anton Mitterer <cales...@scientia.org> wrote:
> Package: systemd
> Version: 256.5-1
> Severity: important
>
> Hey.
>
> I think since version 256 there's systemd-ssh-generator and friends, including
> /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf, which is a non-conffile that
> is a symlink to:
> /usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
>
> As such, it cannot be modified by the user or removed, as it will be re-installed
> on upgrade (and there even overwriting any manually created
> 20-systemd-ssh-proxy.conf that is not a symlink).
>
> I don't think this should happen, and wouldn't be too surprised if it was a policy
> violation (though too lazy to check ^^).

It is most certainly not. This is necessary to ensure ssh via vsock/afunix works out of the box. You can set up a local dpkg diversion if you want to.

> btw: It also seems a really bad thing to set:
> StrictHostKeyChecking no
> UserKnownHostsFile /dev/null
> which AFAICS are not suggested by systemd-ssh-proxy(1) either.
>
> `StrictHostKeyChecking no` unconditionally adds keys to known_hosts, which just
> invites subtle means to exploit it (social engineering, etc.).

This is restricted to vsock/afunix, so there's no such risk:

Host unix/* vsock/*
<...>
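The maintainer's point is that the two weak options are harmless only because they sit under a `Host unix/* vsock/*` stanza. The following is an added audit example, not code from the bug report or from systemd: it parses an ssh_config-style fragment, tracks the active Host patterns, and flags any `StrictHostKeyChecking no` or `UserKnownHostsFile /dev/null` whose scope reaches beyond those two patterns (for example because an admin copied the options to the top level). The sample fragments are constructed and only mirror the shape of the real drop-in.

```python
"""Audit ssh_config fragments for host-key checks disabled outside a narrow Host scope."""
import re
from typing import List, Tuple

# Directives that disable host-key verification when given these values.
WEAK = {"stricthostkeychecking": "no", "userknownhostsfile": "/dev/null"}
# The only scope the systemd drop-in is expected to use (per the maintainer's reply).
ALLOWED_PATTERNS = {"unix/*", "vsock/*"}

# ssh_config accepts "Key value", "Key=value" and "Key = value".
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Constructed fragment with the same shape as 20-systemd-ssh-proxy.conf; other directives omitted.
SCOPED_FRAGMENT = """\
Host unix/* vsock/*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
"""

# Constructed fragment where the same options were placed before any Host line, i.e. globally.
GLOBAL_FRAGMENT = """\
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host unix/* vsock/*
"""


def parse_directives(text: str) -> List[Tuple[Tuple[str, ...], str, str]]:
    """Return (host_patterns, key, value) for every directive, following Host/Match blocks."""
    scope: Tuple[str, ...] = ("*",)  # directives before the first Host line apply to every host
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh_config only has full-line comments
            continue
        m = _DIRECTIVE.match(line)
        key, value = (m.group(1).lower(), m.group(2).strip()) if m else (line.lower(), "")
        if key == "host":
            scope = tuple(value.split())
        elif key == "match":
            scope = ("match:" + value,)  # treated as unknown scope, so it is never "allowed"
        else:
            out.append((scope, key, value))
    return out


def find_weak_scopes(text: str, allowed=frozenset(ALLOWED_PATTERNS)) -> List[str]:
    """List weak directives whose Host scope is not fully contained in `allowed`."""
    return [
        f"{key} {value} applies to Host {' '.join(scope)}"
        for scope, key, value in parse_directives(text)
        if WEAK.get(key) == value.lower() and not set(scope) <= allowed
    ]


if __name__ == "__main__":
    for name, frag in (("scoped", SCOPED_FRAGMENT), ("global", GLOBAL_FRAGMENT)):
        print(name, find_weak_scopes(frag) or "ok")
```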