WIP: add collection of OpenSSH Include config files #305

Draft: jiri-belka wants to merge 28 commits into openSUSE:dev from jiri-belka:sshd_config_d


@jiri-belka

Hi,
we do not collect config files defined in OpenSSH configuration via `Include`.

Should I loop multiple times for Include ???

An example:

```
#==[ Configuration File ]===========================#
# /usr/etc/ssh/ssh_config
Include /etc/ssh/ssh_config.d/*.conf
Include /usr/etc/ssh/ssh_config.d/*.conf
Host *
    ForwardX11Trusted yes
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL
    SendEnv LC_TERMINAL LC_TERMINAL_VERSION
    SendEnv COLORTERM TERM_PROGRAM TERM_PROGRAM_VERSION


#==[ Configuration File ]===========================#
# /etc/ssh/ssh_config - File not found

#==[ Configuration File ]===========================#
# /usr/etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Include /usr/etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile      .ssh/authorized_keys
UsePAM yes
X11Forwarding yes
PrintMotd no
Subsystem       sftp    /usr/libexec/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AcceptEnv LC_TERMINAL LC_TERMINAL_VERSION
AcceptEnv COLORTERM TERM_PROGRAM TERM_PROGRAM_VERSION


#==[ Configuration File ]===========================#
# /etc/ssh/sshd_config - File not found

#==[ Configuration File ]===========================#
# /usr/lib/pam.d/sshd
auth        requisite   pam_nologin.so
auth        substack    common-auth
auth        include     postlogin-auth
account     requisite   pam_nologin.so
account     substack    common-account
account     include     postlogin-account
password    substack    common-password
password    include     postlogin-password
session     required    pam_loginuid.so
session     optional    pam_keyinit.so   force revoke
session     substack    common-session
session     include     postlogin-session
session     optional    pam_motd.so


#==[ Configuration File ]===========================#
# /etc/pam.d/sshd - File not found

#==[ Configuration File ]===========================#
# /etc/ssh/ssh_config.d/50-suse.conf
Match final all
        Include /etc/crypto-policies/back-ends/openssh.config


#==[ Configuration File ]===========================#
# /etc/ssh/sshd_config.d/99-krb5.conf
GSSAPIAuthentication yes
KerberosUniqueCCache yes


#==[ Configuration File ]===========================#
# /etc/ssh/sshd_config.d/99-root-ok.conf
PermitRootLogin yes


#==[ Configuration File ]===========================#
# /etc/ssh/sshd_config.d/99-test.conf
LogLevel DEBUG3


#==[ Configuration File ]===========================#
# /usr/etc/ssh/sshd_config.d/40-suse-crypto-policies.conf
Include /etc/crypto-policies/back-ends/opensshserver.config
```
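
On the question of looping over `Include`: the sample output shows drop-in files that themselves contain `Include` lines, so one pass over the top-level file misses the crypto-policies back-ends. The sketch below is an added example, not code from this pull request or from supportconfig; it follows nested includes recursively and visits each file once. `collect_ssh_includes` and `SSH_SEEN` are hypothetical names, and the default base directory `/etc/ssh` for relative paths is taken from sshd_config(5).

```bash
#!/bin/sh
# Added example, not supportconfig code: list a config file and every file it
# pulls in via Include, following nested Includes. Names are hypothetical.

SSH_SEEN=""    # newline-terminated list of files already visited

collect_ssh_includes() {
    local file base depth patterns pattern path
    file=$1
    base=${2:-/etc/ssh}    # sshd_config(5): relative paths resolve here
    depth=${3:-0}

    [ -r "$file" ] || return 0
    [ "$depth" -lt 16 ] || return 0    # depth cap chosen for this example
    # Visit each file once, so a file that includes itself cannot loop.
    if printf '%s' "$SSH_SEEN" | grep -Fxq -- "$file"; then
        return 0
    fi
    SSH_SEEN="${SSH_SEEN}${file}
"
    printf '%s\n' "$file"

    # Arguments of every Include line: the keyword is case-insensitive and
    # may be indented (for example inside a Match block).
    patterns=$(sed -n 's/^[[:space:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:space:]=]\{1,\}//p' "$file")

    set -f                 # split into words without expanding globs yet
    set -- $patterns
    set +f
    for pattern in "$@"; do
        case $pattern in
            /*) ;;
            *)  pattern=$base/$pattern ;;
        esac
        for path in $pattern; do        # glob expands here, in sorted order
            [ -f "$path" ] || continue  # an unmatched glob stays literal
            collect_ssh_includes "$path" "$base" $((depth + 1))
        done
    done
}

# Usage: collect_ssh_includes /usr/etc/ssh/sshd_config
```

The printed order is the order in which the files are read, which matters when reviewing drop-ins such as `99-root-ok.conf` against the main file.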

wtmpx and others added 28 commits December 22, 2025 05:01
* Update supportconfig - add note about bpftool

I noticed in SLE 16 the bpftool is not in enhanced_base. But since we ship out-of-the-box bpf programs and these will be displayed in supportconfig, let us add a hint in case bpftool is not installed.

* Update supportconfig

Changed the lines as requested.
Let us verify procps pkg because it contains important binaries. 
E.g., /sbin/sysctl
…etermining systemd unit files AND the drop-in files are included after the unit file if they exist
Check for /usr/lib/pam.d
Ignore deprecated crash variable message
Removed comment
Added systemd cat unit.service output
ha.txt: Collect hacluster passwd entry
I noticed in a recent supportconfig I got that env.txt contains credential information about the proxy, if used:

scc_aas15sp7_260326_1156/env.txt:https_proxy=http://MY_USER:MY_PASSWORD@172.20.1.32:8080
scc_aas15sp7_260326_1156/env.txt:http_proxy=http://MY_USER:MY_PASSWORD@172.20.1.32:8080
scc_aas15sp7_260326_1156/env.txt:ftp_proxy=http://MY_USER:MY_PASSWORD@172.20.1.32:8080
scc_aas15sp7_260326_1156/sysconfig.txt:HTTP_PROXY="http://*REMOVED BY SUPPORTCONFIG*@172.20.1.32:8080"
scc_aas15sp7_260326_1156/sysconfig.txt:HTTPS_PROXY="http://*REMOVED BY SUPPORTCONFIG*@172.20.1.32:8080"
scc_aas15sp7_260326_1156/sysconfig.txt:FTP_PROXY="http://*REMOVED BY SUPPORTCONFIG*@172.20.1.32:8080"

To reproduce: add something to sysconfig/proxy and run: supportconfig -m -i SYSCONFIG,ENV
The data in sysconfig.txt is removed, but env contains the username/password.

Also I noticed with: supportconfig -m it doesn't include env.txt
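
The gap reported in this commit message (sysconfig.txt is sanitized, env.txt is not) can be closed by running the environment dump through the same kind of filter and checking the finished archive for leftovers. The following is an added example, not code from supportconfig or from this pull request; `redact_url_credentials` and `leaked_credential_lines` are hypothetical names, and the marker text is copied from the sysconfig.txt lines above.

```bash
#!/bin/sh
# Added example, not supportconfig code. Function names are hypothetical.

SCHEME='[A-Za-z][A-Za-z0-9+.-]*://'
# Everything up to the last '@' before the first '/', so a password that
# itself contains '@' is removed in full.
USERINFO='[^/[:space:]"]*@'
MARK='*REMOVED BY SUPPORTCONFIG*'

# Filter: replace the user:password part of any URL read from stdin.
# Lines that are already redacted pass through unchanged.
redact_url_credentials() {
    sed "s#\\(${SCHEME}\\)${USERINFO}#\\1${MARK}@#g"
}

# Check: print file:line for every line under a directory that still
# carries URL credentials. Only the location is printed, not the secret.
leaked_credential_lines() {
    grep -rn -e "${SCHEME}${USERINFO}" -- "$1" | cut -d: -f1,2 | sort
}

# Usage: env | redact_url_credentials > env.txt
#        leaked_credential_lines scc_output_directory
```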
6 participants