Bug#1080174: systemd: 20-systemd-ssh-proxy.conf cannot be customised or removed
Luca Boccassi
bluca at debian.org
Wed Oct 9 13:05:54 BST 2024
On Tue, 8 Oct 2024 22:25:54 -0700 Josh Triplett <josh at joshtriplett.org> wrote:
> On Tue, 08 Oct 2024 22:00:34 +0100 Luca Boccassi <bluca at debian.org> wrote:
> > On Sat, 31 Aug 2024 04:32:30 +0200 Christoph Anton Mitterer <calestyo at scientia.org> wrote:
> > > Package: systemd
> > > Version: 256.5-1
> > > Severity: important
> > >
> > >
> > > Hey.
> > >
> > > I think since version 256 there's systemd-ssh-generator and friends including
> > > /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf which is a non-conffile that
> > > is a symlink to:
> > > /usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
> > >
> > > as such, it cannot be modified by the user or removed, as it will be re-installed
> > > on upgrade (and there even overwriting any manually created
> > > 20-systemd-ssh-proxy.conf that is not a symlink).
> > >
> > > I don't think this should happen, and wouldn't be too surprised if it was a policy
> > > violation (though too lazy to check ^^).
> >
> > It is most certainly not. This is necessary to ensure ssh via
> > vsock/afunix works out of the box. You can set up a local dpkg
> > diversion if you want to.
>
> /etc is owned by the sysadmin. It's absolutely reasonable for systemd to
> install this configuration file by default, but if the sysadmin removes
> it (perhaps because for some reason they don't want to allow SSH access
> over vsock or unix sockets), that's a configuration change that
> shouldn't be overwritten. dpkg-divert is for modifications to things
> that *aren't* configuration files, like files in /usr; it should never
> be required for files in /etc.

It's just a symlink in /etc, you can divert the original in /usr so
that it points to an empty file.

In the end, if openssh supported the usual /etc/ -> /usr/ pattern for
config, this would be handled neatly, so if you care about this use
case please try and spend time to implement such support in openssh.