Bug#1080174: systemd: 20-systemd-ssh-proxy.conf cannot be customised or removed
Christoph Anton Mitterer
calestyo at scientia.org
Sat Aug 31 03:32:30 BST 2024
Package: systemd
Version: 256.5-1
Severity: important
Hey.
I think since version 256 there's systemd-ssh-generator and friends including
/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf which is a non-conffile that
is a symlink to:
/usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
as such, it cannot be modified by the user or removed, as it will be re-installed
on upgrade (and there even overwriting any manually created
20-systemd-ssh-proxy.conf that is not a symlink).
I don't think this should happen, and wouldn't be too surprised if it was a policy
violation (though too lazy to check ^^).
btw: It also seems a really bad thing to set:
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
which AFAICS are not suggested by systemd-ssh-proxy(1) either.
`StrictHostKeyChecking no` unconditionally adds keys to known_hosts, which just
invites subtle means of exploiting it (social engineering, etc.).
Cheers,
Chris.
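
Added example (not part of the original report, and not systemd or Debian code): a Python check that lists the drop-ins in an ssh_config.d directory that set the two options named in the report, together with the symlink target of the file and the Host/Match scope the setting applies to. The function names and tuple layout are this example's own; treating `off` like `no` follows ssh_config(5).

```python
import os
import re
import shlex
import sys

# "Keyword value" or "Keyword=value"; comment and blank lines do not match.
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)")

def is_weak(keyword, args):
    """True when the setting stops ssh from checking or remembering host keys."""
    if not args:
        return False
    if keyword == "stricthostkeychecking":
        return args[0].lower() in ("no", "off")
    if keyword == "userknownhostsfile":
        return all(a == "/dev/null" for a in args)
    return False

def audit_dropins(directory):
    """Return (file, symlink target or None, scope, setting) per weak setting.

    scope is the enclosing Host/Match line, or "global" before the first one.
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.endswith(".conf") or not os.path.isfile(path):
            continue
        # Record where a symlinked drop-in points (the report describes one
        # pointing into /usr/lib); None means a regular file.
        target = os.readlink(path) if os.path.islink(path) else None
        scope = "global"
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                m = LINE.match(raw.strip())
                if not m:
                    continue
                keyword, rest = m.group(1), m.group(2).strip()
                if keyword.lower() in ("host", "match"):
                    scope = f"{keyword} {rest}"
                    continue
                try:
                    args = shlex.split(rest)
                except ValueError:  # unbalanced quote: leave the line alone
                    continue
                if is_weak(keyword.lower(), args):
                    findings.append((name, target, scope, f"{keyword} {' '.join(args)}"))
    return findings

if __name__ == "__main__":
    for finding in audit_dropins(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/ssh_config.d"):
        print(finding)
```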