b/recipes-connectivity/openssh/files/sshd_config
deleted file mode 100644
@@ -1,118 +0,0 @@
-# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and
.ssh/authorized_keys2
-# but this is overridden so installations will only check
.ssh/authorized_keys
-#AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
a/recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
b/recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf
new file mode 100644
@@ -0,0 +1,15 @@
+# 50-selinux.conf
+#
+# SELinux-specific SSHD configuration overrides
+# Managed by the meta-selinux layer in OpenEmbedded
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
Config snippets should be used over file overrides since targeted changes may be required in multiple recipes. Since the oe-core sshd_config file now includes /etc/ssh/sshd_config.d/*.conf, the meta-selinux configuration snippet does not require the following: * ChallengeResponseAutnetication: Replaced by KbdInteractiveAuthentication and set to "no" by default * Override default of no subsystems: This is already present * Compression, ClientAliveInterval, and ClientAliveCountMax: No changes required due to identical requirements of meta-selinux Suggested-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Levi Shafter <levi.shafter@elder-tomes.com> --- Sponsor: 21SoftWare LLC Note: I am particularly interested in feedback regarding the naming of the snippet. Since the only difference in requirements between oe-core and meta-selinux is the fact that meta-selinux must have PAM authentication enabled, I simply named it "selinux" in case future configuration is required. However, this file name could be renamed in this case, and one could argue that it would be better to specify what the snippet actually does in its title. Additionally, I was unsure which load-order prefix to give this snippet. I stuck with a perfectly balanced 50, but I encourage feedback if you might have a good reason to change this. .../openssh/files/sshd_config | 118 ------------------ .../files/sshd_config.d/50-selinux.conf | 15 +++ 2 files changed, 15 insertions(+), 118 deletions(-) delete mode 100644 recipes-connectivity/openssh/files/sshd_config create mode 100644 recipes-connectivity/openssh/files/sshd_config.d/50-selinux.conf