MT#61271 trixie: adjust sshd_config after system is installed

If we set up /etc/ssh/sshd_config early in early system deployment, we
end up with an empty /etc/ssh/sshd_config configuration file with only
our own changes:

| root@spce:~# cat /etc/ssh/sshd_config
| # added by deployment.sh
| PerSourcePenalties no
| # end of deployment.sh changes
| ### Added by ngcp-installer
| PermitRootLogin yes

The other defaults of sshd are OK for us, but for automated SSH logins
we also need:

  AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/sipwise_vagrant_key

And for SCP-ing files we also need:

  Subsystem sftp /usr/lib/openssh/sftp-server

Otherwise our Jenkins jobs fail due to failing ssh/scp actions.

So instead move our trixie-specific code in deployment.sh for adjusting
/etc/ssh/sshd_config to be executed *after* installing base system. Then
the openssh-server package sets up /etc/ssh/sshd_config as expected, and
we only extend its configuration then. While at it, explicitly mark
beginning and end of our changes.

Change-Id: I68a235b55e9cf18c39e9034b7f3b2ed0ffd237f0
mr13.1.1
Michael Prokop 6 months ago
parent 6eee97de7b
commit cfe9cceb6a

@ -2216,15 +2216,6 @@ case "${DEBIAN_RELEASE}" in
;;
esac
# MT#61265 avoid "penalty: failed authentication" in automated SSH/SCP actions in Jenkins jobs
case "${DEBIAN_RELEASE}" in
trixie)
echo "Disabling PerSourcePenalties in /etc/ssh/sshd_config for Debian release '${DEBIAN_RELEASE}'"
echo '# added by deployment.sh' >> "${TARGET}"/etc/ssh/sshd_config
echo 'PerSourcePenalties no' >> "${TARGET}"/etc/ssh/sshd_config
;;
esac
# MT#7805
if "$NGCP_INSTALLER" ; then
cat << EOT | augtool --root="$TARGET"
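Review bot: The `>>` appends in the trixie case dropped here created "${TARGET}"/etc/ssh/sshd_config silently when it did not exist yet, which is how the stub file in the commit message came about. With the block gone, please confirm that no remaining step before the base system install writes to that path in the same way (the sample output in the commit message also shows a "### Added by ngcp-installer" entry in the stub), otherwise openssh-server will again find a pre-existing file and the AuthorizedKeysFile and Subsystem defaults will still be missing.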
@ -2423,6 +2414,19 @@ EOT
grml-chroot "${TARGET}" /bin/bash /tmp/retrieve_authorized_keys.sh
fi
# MT#61265 avoid "penalty: failed authentication" in automated SSH/SCP actions in Jenkins jobs
case "${DEBIAN_RELEASE}" in
trixie)
echo "Adjusting /etc/ssh/sshd_config for Debian release '${DEBIAN_RELEASE}'"
echo '# added by deployment.sh' >> "${TARGET}"/etc/ssh/sshd_config
echo "Disabling PerSourcePenalties in /etc/ssh/sshd_config"
echo 'PerSourcePenalties no' >> "${TARGET}"/etc/ssh/sshd_config
echo '# end of deployment.sh changes' >> "${TARGET}"/etc/ssh/sshd_config
;;
esac
if "$VAGRANT" ; then
echo "Bootoption vagrant present, executing vagrant_configuration."
vagrant_configuration
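Review bot: The new trixie case still appends with `>>` to "${TARGET}"/etc/ssh/sshd_config without checking that the file exists, so if openssh-server is ever not installed at this point the script recreates the stub file from the commit message instead of failing. A `[ -f "${TARGET}"/etc/ssh/sshd_config ]` guard that aborts with a clear message would make the ordering assumption explicit. Two further points on the same lines: sshd uses the first value it obtains for a keyword, so a `PerSourcePenalties` line appended at the end of the file is ignored if an earlier line or an included snippet already sets it; and `PerSourcePenalties no` turns off the penalty mechanism for every client of the installed system, not only the Jenkins hosts. If the packaged config includes /etc/ssh/sshd_config.d/*.conf, a drop-in file there avoids editing the package's file at all, and `PerSourcePenaltyExemptList` limited to the CI source addresses would be a narrower setting than disabling penalties globally. Running `sshd -t` inside the chroot after the change would catch a broken config before the first Jenkins login attempt.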
