
Is it just me or is there no way to *specify* a path for the moduli file?

Reasoning for specifying it is: I want to generate a moduli file on each newly deployed host, but if the moduli file is included in the package, upon installing updates the package manager will complain that the file has changed, which rings all sorts of warning bells.

Seems like there *should* be a way to specify a different path, but I just don't see it.


@solene *sigh*

Thanks. Perhaps I should file a feature request then.

@rysiek not sure, but I think that this one is generated upon installation, not pre-packaged. It can be generated by hand, and if it is regenerated upon update, that happens rather because of some security holes fixed.

@sirmacik well, I am looking at `pkg` output complaining about a checksum mismatch for `/usr/local/etc/ssh/moduli`, as part of the `openssh-portable` package, after I regenerated the file manually.

So yes, it is pre-packaged, at least in `openssh-portable`.

@sirmacik there are reasons, apparently. I do not know these reasons. They are also irrelevant to the issue at hand.

@rysiek it might be good to ask devs at openbsd irc, they might be most knowledgeable about openssh quirks

@sirmacik yeah, might do that. But also, might just create a feature request against OpenSSH. Seems like a reasonable ask anyway.

@rysiek Well, on at least, if you were to use the version from ports, we could modify the port to install the moduli file as a sample. As a result you'll always get the latest moduli file installed with every update as moduli.sample, and your custom moduli file would be left intact.

@mpts that sounds exactly like what I need. FreeBSD is in fact the platform here and openssh-portable is the package.

How do we do this?

@rysiek I'll post a patch in a moment, my poudriere testport has to finish first.

@rysiek Here's the patch for the port: paste.q3k.org/paste/G-qdI1m9#v

You may submit it through bugs.freebsd.org/ if you think it would be nice to have in the official ports.

@mpts @rysiek use some automation to detect if the moduli file is the one from the package and then generate a new one/replace it.

also just generate one and then make the file immutable so not even root can alter it.

FreeBSD:

`chflags schg filename`

Linux:

`chattr +i filename`

voila, your file is protected from anyone or any process from being able to alter it
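The "detect whether it is still the package's copy, then replace it" automation suggested above, as an added example that is not code from the thread or from the port. It assumes FreeBSD pkg(8) with `pkg query '%Fp %Fs'` output, that pkg records sums as `1$<sha256hex>` (an assumption; the prefix is stripped), and OpenSSH 8.2 or newer for `ssh-keygen -M generate` / `-M screen`.

```shell
#!/bin/sh
# Added example (not from the thread). Regenerate /usr/local/etc/ssh/moduli only
# while it is still the stock file shipped by openssh-portable, so a custom
# moduli file is never clobbered and a regeneration never runs twice.

MODULI=/usr/local/etc/ssh/moduli
PKG=openssh-portable

# Print the checksum pkg recorded for path $2, reading "$1" as the output of
# `pkg query '%Fp %Fs' $PKG` (one "path sum" pair per line). A "1$" style
# prefix (assumed pkg format) is stripped so only the hex digest remains.
recorded_sum() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { s = $2; sub(/^[^$]*\$/, "", s); print s; exit }'
}

# Succeed (exit 0) when the installed file $2 still has the sum the package
# recorded, i.e. it is the stock moduli. $1 = manifest text, $3 = actual sum.
is_stock() {
    rec=$(recorded_sum "$1" "$2")
    [ -n "$rec" ] && [ "$rec" = "$3" ]
}

# Generate and screen fresh DH group candidates into a temp file, then swap
# it into place atomically so sshd never sees a half-written moduli file.
regenerate_moduli() {
    tmp=$(mktemp "${MODULI}.XXXXXX") || return 1
    ssh-keygen -M generate -O bits=3072 "${tmp}.cand" &&
    ssh-keygen -M screen -f "${tmp}.cand" "$tmp" &&
    rm -f "${tmp}.cand" && chmod 0644 "$tmp" && mv "$tmp" "$MODULI"
}

main() {
    manifest=$(pkg query '%Fp %Fs' "$PKG") || exit 1
    actual=$(sha256 -q "$MODULI") || exit 1
    if is_stock "$manifest" "$MODULI" "$actual"; then
        echo "stock moduli detected, regenerating"; regenerate_moduli
    else
        echo "custom moduli already in place, leaving it alone"
    fi
}

# Only touch the system when explicitly asked: ./moduli-check.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Screening 3072-bit candidates takes a long time, so run this from a deployment hook or a one-shot job rather than interactively; pkg will still flag the file on `pkg check -s`, which is the expected cost of a custom moduli until the port ships it as a sample.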

@feld the problem is not modification, the problem is pkg complaining that the file has changed.
