How to configure ssh

Hello!

What is the current recommended way to configure sshd on Ubuntu Core? We have some settings that we need sshd to apply on startup and potentially change during runtime.

Is there anything on your backlog to set configuration through snapd system options perhaps?

Thanks,

Rubila

The only options currently are to disable sshd completely or to set the port:

Thanks @ogra I am aware of these settings, but they are not what I want.

Let’s say you had to do some ssh configuration beyond these 2 settings, how would you do it? Is there a best practice? Or will snapcraft in future introduce a way to be able to configure ssh?

Thanks,

Rubila

You could perhaps try to create an sshd snap (not sure there are sufficient interfaces to get this working though, you got to try) and completely disable the one on the system …

and alternatively you could open a PR to snapd to support actual options to be added to the system for setting sshd configs, but that will likely be a long-winded process to get it past the architects …

Hi @rubilavp,

Could you please explain what/why you need to configure sshd, and perhaps even give a small example of what you have in mind?

The end goal is to enable ssh certificates but any custom config would be ideal

Currently we think we need to use system-files and process-control to add an extra config file to /etc/ssh/ssh_config.d.

even if the content was similar to

Include /snap/my-config-snap/current/ssh/sshd_config.d/*.conf

and then reload the ssh daemon on any file change

If configs need to change during runtime, then yes this might be the only way to go.

Hi, have the same issue after https://terrapin-attack.com/. Need to configure the ciphers (and possibly other security settings) and then reload sshd on Core 16 and 20 devices. Manual configuration via root user is possible, but doesn’t scale to 1000s of devices. Not all devices have a gadget snap we control, so can’t use that to add the file to the writable partition.

Did anyone find a solution or manage to roll their own sshd snap?
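A fleet-side check for the situation in the post above, as an added example (not code from this thread or from snapd): a POSIX shell function that reads the effective settings printed by `sshd -T` and flags the two modes terrapin-attack.com names as exploitable, ChaCha20-Poly1305 and CBC with Encrypt-then-MAC. The function name and the sample inputs are constructed for illustration, and awk being available on the device is an assumption.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output for Terrapin-affected algorithms.
# On a device: sudo sshd -T | terrapin_audit

# Constructed sample inputs (not taken from a real device).
SAMPLE_WEAK='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'
SAMPLE_OK='port 22
ciphers aes128-ctr,aes256-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'

# terrapin_audit (hypothetical name): reads `sshd -T`-style lines on stdin.
# Exit status: 0 = nothing affected, 1 = affected mode enabled,
#              2 = ciphers/macs lines missing, so no verdict is possible.
terrapin_audit() {
    awk '
        # sshd -T prints a lowercase keyword, then one comma-separated list
        $1 == "ciphers" { nc = split($2, c, ",") }
        $1 == "macs"    { nm = split($2, m, ",") }
        END {
            if (nc == 0 || nm == 0) {
                print "UNKNOWN: ciphers/macs line missing from input"
                exit 2
            }
            for (i = 1; i <= nc; i++) {
                if (c[i] == "chacha20-poly1305@openssh.com") {
                    print "AFFECTED: cipher " c[i]; bad = 1
                }
                # CBC names end in -cbc or carry an @vendor suffix after it
                if (c[i] ~ /-cbc(@|$)/) cbc = cbc " " c[i]
            }
            for (i = 1; i <= nm; i++)
                if (m[i] ~ /-etm@openssh\.com$/) etm = etm " " m[i]
            # CBC is only flagged when an Encrypt-then-MAC MAC is also offered
            if (cbc != "" && etm != "") {
                print "AFFECTED: CBC ciphers (" cbc " ) with EtM MACs (" etm " )"
                bad = 1
            }
            if (!bad) print "OK: no Terrapin-affected algorithms enabled"
            exit bad + 0
        }'
}

# Demonstration on the constructed weak sample.
printf '%s\n' "$SAMPLE_WEAK" | terrapin_audit || true
```

The exit status makes the function usable as a compliance probe from whatever management channel already reaches the devices; it reports configuration only and does not tell you whether the installed sshd has the strict key exchange fix from the USN.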

Looks to me like this has been handled in the core(18|20|22) snaps already…

https://ubuntu.com/security/notices/USN-6561-1

(Though not sure when exactly it will make it to the stable channel, probably not before Christmas)

Well, we have been waiting on a newer core version for the Dell Gateway 3002 for the past two months. As this is an exposed network service I want to be able to control it myself and adhere to security requirements and SLAs.
