FS#20191 - [openssh] upstream config files modified on install

Attached to Project: Arch Linux
Opened by Pete (tam1138) - Thursday, 15 July 2010, 21:14 GMT
Last edited by Guillaume ALAUX (galaux) - Monday, 17 January 2011, 20:43 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Aaron Griffin (phrakture)
Thomas Bächler (brain0)
Guillaume ALAUX (galaux)
Architecture All
Severity Very Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

For as long as svn can remember, the openssh PKGBUILD has contained the following code, which alters the default upstream config files:

#adjust our config files
sed -i \
    -e 's|^#ListenAddress 0.0.0.0|ListenAddress 0.0.0.0|g' \
    -e 's|^#UsePAM no|UsePAM yes|g' \
    -e 's|^#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|g' \
    $startdir/pkg/etc/ssh/sshd_config
sed -i -e 's|^# Host \*|Host *|g' $startdir/pkg/etc/ssh/ssh_config
echo "HashKnownHosts yes" >> $startdir/pkg/etc/ssh/ssh_config
echo "StrictHostKeyChecking ask" >> $startdir/pkg/etc/ssh/ssh_config

#ssh_config
sed -i \
    -e 's|^# Host \*|Host *|g' \
    ${pkgdir}/etc/ssh/ssh_config

Of these, two are no-ops (ListenAddress and StrictHostKeyChecking), one is a duplicated no-op (Host), and one could argue---which I would---that the others should be left at their defaults and the onus put on the user to configure them correctly. I could see that UsePAM and ChallengeResponseAuthentication could be considered sufficiently widely used to modify them as above, but HashKnownHosts, at least, is not something that is closing a huge security hole. Plus, it screws up my bash-completion.

I have attached a dreadfully complicated patch for those who wish to avoid typing 15dd. (You're on your own if you're using that... other editor.)
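
As an added example (not part of the report, the attached patch or the PKGBUILD), the script below applies the sshd_config sed expressions quoted above to a constructed excerpt and labels each resulting active directive by whether it merely uncomments a value already present as a commented default. The function names, the excerpt and the three labels are assumptions made for illustration.

```sh
#!/bin/sh
# classify_overrides UPSTREAM PACKAGED  (added example, not from the PKGBUILD)
# For each active directive in PACKAGED, print one of:
#   same-as-default KEY VALUE  UPSTREAM has this exact line, commented out
#   override KEY VALUE         UPSTREAM's commented default has another value
#   added KEY VALUE            UPSTREAM does not mention KEY
classify_overrides() {
    awk '
        function split_kv(s) {        # sets globals: key (lowercased) and val
            sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
            key = s; sub(/[ \t].*$/, "", key); key = tolower(key)
            val = s; sub(/^[^ \t]+[ \t]*/, "", val)
        }
        FNR == NR {                   # pass 1: commented defaults in UPSTREAM
            if ($0 ~ /^#/) {
                sub(/^#/, ""); split_kv($0)
                known[key] = 1; dflt[key, val] = 1
            }
            next
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # pass 2: skip comments and blanks
        {
            split_kv($0)
            if ((key, val) in dflt) print "same-as-default", key, val
            else if (key in known)  print "override", key, val
            else                    print "added", key, val
        }
    ' "$1" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed excerpt in the style of the upstream sshd_config sample.
    cat > "$dir/upstream" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
#ChallengeResponseAuthentication yes
#UsePAM no
EOF
    # The sshd_config sed expressions quoted in the report, applied to a copy.
    sed -e 's|^#ListenAddress 0.0.0.0|ListenAddress 0.0.0.0|g' \
        -e 's|^#UsePAM no|UsePAM yes|g' \
        -e 's|^#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|g' \
        "$dir/upstream" > "$dir/packaged"
    classify_overrides "$dir/upstream" "$dir/packaged"
    rm -rf "$dir"
}

demo
```

Run against a real package, the first argument would be the sample config from the upstream tarball and the second the file installed under /etc/ssh.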

Closed by  Guillaume ALAUX (galaux)
Monday, 17 January 2011, 20:43 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in 5.6p1-2
Comment by Thomas Bächler (brain0) - Sunday, 25 July 2010, 06:05 GMT
I complained about that when it was silently added as a response to a very stupid bug report ("ssh is insecure because it doesn't hash KnownHosts and I am too dumb to edit my own config files"). Nobody cared - and my known_hosts was silently converted to hashed without me being asked. I was pissed, and still nobody cared. I agree we should ship the unmodified default config.
Comment by Allan McRae (Allan) - Sunday, 25 July 2010, 06:39 GMT
I agree, upstream are what we are supposed to ship.
Comment by Leonid Isaev (lisaev) - Wednesday, 15 December 2010, 19:58 GMT
I don't quite understand the problem with an initial config, if the user modifies it anyway.

The only "bug" is the duplicate "Host *" entry in the PKGBUILD.
This has been fixed, according to my ABS tree.
Comment by Pete (tam1138) - Wednesday, 22 December 2010, 15:56 GMT
The problem with the current initial config is that it differs from the upstream default, and therefore doesn't adhere to the Arch Linux philosophy of making as few changes as possible to upstream releases.
