Hi Harald,

On Thu, Feb 02, 2017 at 09:40:48AM +0100, Harald Dunkel wrote:
> Problem: Deploying a custom ssh authentication scheme common to
> all Debian hosts in the lan appears to be apita, esp. since the
> next openssh upgrade might put the default config files upside
> down again.

When you do an upgrade, apt is smart enough to notice that you have edited a config file and will ask you if you want to replace your changes with the new version of the file from the package. You can also view the differences, etc. I am not saying this is a solution to your issue, merely pointing out that the overwrite would not happen silently, so you can take some comfort in that.

Also through the use of override config files that are included into the main config file, you can avoid being prompted about changes to the main config file. For sshd the config directive is "Include".

> What would you consider best practice to keep your ssh hosts (>300)
> in sync wrt the most important config options?

This is a classic use case for configuration management. You define your configuration externally, in one authoritative place, and the config management system takes care of applying that config to all your hosts.

Popular examples are Puppet, Ansible and Chef, all of which are well-supported on Debian. To decide which is best for you will require some independent research as this is a big topic area and hard to generalise.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
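
A drift check in the spirit of the "one authoritative place" approach described in the message above, as an added example that is not part of the original message: it compares the effective settings printed by `sshd -T` on each host against a single baseline. The baseline values, host names and captured output are constructed for illustration.

```python
"""Audit captured `sshd -T` output from many hosts against one baseline."""

# Hypothetical baseline: the options every host in the fleet must agree on.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

# Constructed sample: host name -> text captured from `sshd -T` on that host.
SAMPLE_OUTPUTS = {
    "host-a": "port 22\npermitrootlogin no\n"
              "passwordauthentication no\npubkeyauthentication yes\n",
    "host-b": "port 22\npermitrootlogin yes\npubkeyauthentication yes\n",
}

def parse_effective(text):
    """Parse 'keyword value' lines; a keyword may repeat, so keep a list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def drift(baseline, effective_text):
    """Return (keyword, wanted, found) for each baseline option that differs.

    found is None when the keyword is absent from the captured output.
    """
    effective = parse_effective(effective_text)
    findings = []
    for key, want in sorted(baseline.items()):
        got = effective.get(key.lower())
        if got is None:
            findings.append((key, want, None))
        elif got != [want]:
            findings.append((key, want, " ".join(got)))
    return findings

def audit_fleet(baseline, outputs):
    """Map each drifting host to its findings; compliant hosts are omitted."""
    report = {}
    for host, text in outputs.items():
        findings = drift(baseline, text)
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in sorted(audit_fleet(BASELINE, SAMPLE_OUTPUTS).items()):
        for key, want, found in findings:
            print(f"{host}: {key} wanted={want} found={found}")
```

Checking the effective configuration rather than the files on disk catches a host whose setting is overridden by an included file or left at a compiled-in default.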