Update sshd configuration (UsePAM no, sshd_config.d) #148
Conversation
lib/beaker/hypervisor/docker.rb
Outdated
| -e 's/^#?MaxAuthTries.*/MaxAuthTries 1000/' \ | ||
| /etc/ssh/sshd_config |
There was a problem hiding this comment.
If you use xargs, you must drop the filename here:
| -e 's/^#?MaxAuthTries.*/MaxAuthTries 1000/' \ | |
| /etc/ssh/sshd_config | |
| -e 's/^#?MaxAuthTries.*/MaxAuthTries 1000/' |
Having said that, you can simply use:
| -e 's/^#?MaxAuthTries.*/MaxAuthTries 1000/' \ | |
| /etc/ssh/sshd_config | |
| -e 's/^#?MaxAuthTries.*/MaxAuthTries 1000/' \ | |
| /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* |
When I run it locally it shows a warning, but still operates on the file.
$ echo UsePAM > ssh_test
$ sed -i 's/PAM/pam/' ssh_test ssh_test.d/*
sed: can't read ssh_test.d/*: No such file or directory
$ cat ssh_test
UsepamAnd ls will show the same warning, so it doesn't make a difference.
There was a problem hiding this comment.
what if replace it with find? don't need xargs then either
find /etc/ssh/sshd_config /etc/ssh/sshd_config.d/ -type f -exec sed ...
{}\;
There was a problem hiding this comment.
Or that, but ls is usually not the right tool to use.
There was a problem hiding this comment.
Sorry, was committing in rush, so missed the 2>/dev/null after ls.
sed returns error code when file is missing. This breaks container build because of && between commands.
There was a problem hiding this comment.
let me use find as suggested by @vchepkov then
There are 2 related changes: 1. UsePAM is now disabled everywhere. It causes some hard to debug problems on CentOS9 and Fedora containers, when running on Ubuntu 24.04 host. It's somehow related to user namespaces, AppArmor and pam_unix (/etc/shadow access). 2. As more and more distros adopts /etc/ssh/sshd_config.d directory for ssh configs, now Dockerfile overrides settings in those files as well.
| -e 's/^#?MaxAuthTries.*/MaxAuthTries 1000/' \ | ||
| /etc/ssh/sshd_config | ||
| {} \\; |
There was a problem hiding this comment.
Nit : GNU find also supports + instead of ; to run it xargs style. What I like about it is that it doesn't need escaping:
| {} \\; | |
| {} + |
There was a problem hiding this comment.
there is a difference though, + would put every file in the command line
maybe for inline sed it doesn't matter, not sure
There was a problem hiding this comment.
You're right, but for sed is doesn't matter so it's actually more efficient when you don't have to start sed multiple times. In this case it really won't be noticeable, but there are cases where it can.
|
I'm going forward with merging this to unblock our pipelines. |
There are 2 related changes: