[PATCH] introduce vendordir for easier config file update

Philipp Marek philipp at marek.priv.at
Thu Feb 4 01:54:30 AEDT 2021


>> So if there is no admin provided configuration file, the vendor file from
>> /usr/share/ssh is used. If there is an admin provided configuration file
>> in /etc/ssh, this one will be used by default.
> does nobody have an opinion about this?

Well, with your solution: if the vendor file gets some new security settings,
the admin file won't get them, and so the total security might go down.
(Example: "Protocol 2")


I'm left with the conclusion that a REAL solution to all the problems here
means to have a Turing-complete config language - or to have very few
shared settings and to split on the remote host or local user with
an "Include" statement using %u, %i, and similar.


