Please revise the files installed in /etc/

Bug #1849560 reported by Mathieu Trudel-Lapierre
This bug affects 2 people
Affects: openssh (Ubuntu) | Status: Expired | Importance: Wishlist | Assigned to: Unassigned

Bug Description

openssh-server and openssh-client install various files under /etc:

/etc/ssh/*
/etc/systemd/system/sshd.service

Please see if these files can be moved elsewhere, in accordance with FHS: /etc should only contain files writable by the system administrator, and in Ubuntu Core 20 we should aim to have no writable files in /etc (as it will be included in images, avoid conflict resolution on upgrades).

At a glance, it looks like /etc/systemd/system/sshd.service could be moved to /lib/systemd/system, and many of the files in /etc/ssh do have suitable locations elsewhere on the system, such as /var/lib/ for generated keys, /usr/share/ for default SSH configurations, etc.

tags: added: writable-etc
tags: added: id-5cf575c4e6712e6048974772
Changed in openssh (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
tags: added: server-next
Andreas Hasenack (ahasenack) wrote :

There is no /etc/systemd file shipped with the openssh-server deb package. That directory is reserved for local overrides. The package ships the systemd service files correctly in /lib/systemd/service.

Paride Legovini (paride) wrote :

I agree the generated keys don't belong in /etc, while I'm not so sure about the default configuration files, as there are options that once set can't be "undone" by a config file loaded later, e.g. the Port option.
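To make the point about options that cannot be "undone" concrete, the following is an added example, not code from this bug report or from OpenSSH. It models the precedence rule sshd_config(5) states (for each keyword the first obtained value is used), with the exception of keywords such as Port, ListenAddress and HostKey, which may be given several times and accumulate. The file names, the vendor default under /usr/share and the drop-in are constructed for the demonstration; Match blocks and glob expansion for Include are left out.

```python
"""Model of sshd_config keyword precedence (added example, not OpenSSH code).

sshd_config(5): "For each keyword, the first obtained value will be used."
Keywords documented as "multiple options ... are permitted" accumulate instead.
Include is resolved against an in-memory dict of constructed files; Match
blocks and glob(7) expansion are deliberately not modelled.
"""

# Subset of the multi-valued keywords, enough for this demonstration
# (assumption: the real list in sshd_config(5) is longer).
MULTI_VALUED = {"port", "listenaddress", "hostkey", "acceptenv"}


def _keyword_lines(text):
    """Yield (keyword, value) per non-blank, non-comment line; keywords are case-insensitive."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_config(files, start):
    """Return the configuration sshd would end up with, starting from `start`.

    files: {path: text}. Single-valued keywords keep the first value seen;
    multi-valued ones collect every value in reading order.
    """
    result = {}

    def walk(path, seen):
        if path in seen:
            raise ValueError(f"Include loop at {path}")
        for key, value in _keyword_lines(files[path]):
            if key == "include":
                # Each listed file is read right here, before the rest of this file.
                for inc in value.split():
                    if inc in files:  # an absent file behaves like a glob with no match
                        walk(inc, seen | {path})
            elif key in MULTI_VALUED:
                result.setdefault(key, []).append(value)
            elif key not in result:
                result[key] = value  # first obtained value wins; later ones are ignored

    walk(start, frozenset())
    return result


# Constructed files for the demonstration; the /usr/share path is hypothetical.
CONSTRUCTED_FILES = {
    # A vendor default read *before* the administrator's file.
    "/usr/share/ssh/sshd_config.default": "\n".join([
        "Port 22",
        "PasswordAuthentication yes",
        "Include /etc/ssh/sshd_config.d/local.conf",
    ]),
    # The administrator's drop-in.
    "/etc/ssh/sshd_config.d/local.conf": "\n".join([
        "Port 2222",
        "PasswordAuthentication no",
    ]),
    # The same defaults with Include first, the ordering Ubuntu's shipped
    # /etc/ssh/sshd_config uses so that drop-ins take precedence.
    "/etc/ssh/sshd_config": "\n".join([
        "Include /etc/ssh/sshd_config.d/local.conf",
        "Port 22",
        "PasswordAuthentication yes",
    ]),
}


def demo():
    """Compare both orderings; returns (defaults-first, include-first)."""
    return (
        effective_config(CONSTRUCTED_FILES, "/usr/share/ssh/sshd_config.default"),
        effective_config(CONSTRUCTED_FILES, "/etc/ssh/sshd_config"),
    )


if __name__ == "__main__":
    defaults_first, include_first = demo()
    print("defaults first:", defaults_first)
    print("include first: ", include_first)
```

With the defaults read first, the administrator's `PasswordAuthentication no` is silently ignored and sshd listens on both 22 and 2222; with the Include first, the drop-in wins for the single-valued keyword, but port 22 is still added by the default. That is why a default configuration file loaded before the administrator's cannot simply be overridden later.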

Christian Ehrhardt  (paelzer) wrote :

Hmm, are we sure anyone still cares about this?
Sadly Mathieu isn't around anymore and we had no one else from UC20 speak up at all since then.
If someone really still depends on this please speak up here!

IMHO "wishlist" + "server-next" are almost kind of mutually exclusive.

Further I can think of many dependent tools relying on the place of the generated keys like:
-rw------- 1 root root 1369 May 11 14:51 /etc/ssh/ssh_host_dsa_key
-rw-r--r-- 1 root root 596 May 11 14:51 /etc/ssh/ssh_host_dsa_key.pub
-rw------- 1 root root 492 May 11 14:51 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root 168 May 11 14:51 /etc/ssh/ssh_host_ecdsa_key.pub
-rw------- 1 root root 399 May 11 14:51 /etc/ssh/ssh_host_ed25519_key
-rw-r--r-- 1 root root 88 May 11 14:51 /etc/ssh/ssh_host_ed25519_key.pub
-rw------- 1 root root 2590 May 11 14:51 /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root 560 May 11 14:51 /etc/ssh/ssh_host_rsa_key.pub

So we can't just move them around, and furthermore you'd not want to fragment that throughout the Debian-derived ecosystem.
And in fact these are not Debian/Ubuntu decisions - the location for the generated keys is throughout all of upstream's man pages, examples and config files. If it is to be changed, that is the place to discuss/change it.

I'll drop the server-next tag and subscribe Colin in case he has an opinion on this as well.
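Since so much depends on those paths staying where they are, a check that verifies the host key files at their standard locations carry the expected modes is worth having. The following is an added example, not part of this bug report or of OpenSSH; `audit_host_keys()` is a hypothetical helper, and `demo()` builds a constructed directory with the same file names as the listing above so the check can be run without touching a real /etc/ssh.

```python
"""Audit sshd host key files for expected modes (added example, not OpenSSH code)."""
import os
import stat
import tempfile

# The key types from the /etc/ssh listing above, in the same order.
KEY_TYPES = ("dsa", "ecdsa", "ed25519", "rsa")


def audit_host_keys(directory="/etc/ssh", key_types=KEY_TYPES, require_root_owner=True):
    """Return a list of findings (empty means everything matched expectations).

    Private keys must be 0600 or tighter, public keys 0644 or tighter, and
    with require_root_owner both must be owned by uid 0, as in the listing above.
    """
    findings = []
    for kt in key_types:
        private = os.path.join(directory, f"ssh_host_{kt}_key")
        for path, allowed in ((private, 0o600), (private + ".pub", 0o644)):
            try:
                st = os.stat(path)
            except FileNotFoundError:
                findings.append(f"{path}: missing")
                continue
            if not stat.S_ISREG(st.st_mode):
                findings.append(f"{path}: not a regular file")
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed:  # any bit set beyond the allowed mode
                findings.append(f"{path}: mode {mode:04o} exceeds {allowed:04o}")
            if st.st_size == 0:
                findings.append(f"{path}: empty")
            if require_root_owner and st.st_uid != 0:
                findings.append(f"{path}: owned by uid {st.st_uid}, expected root")
    return findings


def demo():
    """Build a constructed key directory with two deliberate defects and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for kt in KEY_TYPES:
            private = os.path.join(d, f"ssh_host_{kt}_key")
            for path, mode in ((private, 0o600), (private + ".pub", 0o644)):
                with open(path, "w") as fh:
                    fh.write("constructed placeholder, not key material\n")
                os.chmod(path, mode)
        # Defect 1: the RSA private key is world-readable.
        os.chmod(os.path.join(d, "ssh_host_rsa_key"), 0o644)
        # Defect 2: the DSA public key is missing.
        os.remove(os.path.join(d, "ssh_host_dsa_key.pub"))
        # Ownership is not checked here because the demo does not run as root.
        return [f.replace(d, "<dir>") for f in audit_host_keys(d, require_root_owner=False)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real system as root with the default arguments, the function reports nothing when the files match the listing above and one line per deviation otherwise, which is the kind of check a tool relying on those fixed paths would want before trusting them.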

tags: removed: server-next
Paride Legovini (paride) wrote :

I share Christian's concern on nobody actually caring about this. Given the absence of activity in >1 year I'm marking this bug as Incomplete, which is an invite for anybody interested to chime in.

In the absence of feedback I doubt there will be any progress here, as the direction to take isn't fully clear, and from our point of view the openssh packages are behaving as expected.

Changed in openssh (Ubuntu):
status: Triaged → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

Changed in openssh (Ubuntu):
status: Incomplete → Expired