While the last blog entries were about cycling, I would like to start with Solaris-centric blog entries as well. My plan is to write, without a fixed schedule, about new features and changes in Solaris 11. As the last blog entries about Solaris 11 features are already a few years old, there are quite a number of changes in Solaris 11. I won’t write a daily article; more likely once or twice a week at most, whenever I have time. I don’t want it to fizzle out again after a month or so.
I would like to start with a simple one. I would call this a very helpful change in the default configuration of Solaris 11. In /etc/ssh/sshd_config and /etc/ssh/ssh_config the last line of the default configuration right out of the package is now an include fetching everything out of a directory. For sshd it includes /etc/ssh/sshd_config.d/*.conf and for ssh it does the same for /etc/ssh/ssh_config.d/*.conf.
This makes the delivery of additional SSH configurations with scripts, packages or your preferred automation framework a little bit easier, because you can just drop some files in those directories.
However, keep in mind:
- The files are included at the end.
- And the include statement of SSH includes the files in lexical order.
For global parameters, OpenSSH only takes the first definition it finds. So the configuration in those included files doesn’t override the configuration in the main configuration file. This is perhaps a good idea: it prevents, for example, an admin from dropping a file via Puppet that allows root logins via SSH and ruins your compliance checks. Furthermore, if a value is set in multiple files in that directory, the value in the lexically first file takes precedence over the values in all the other files.
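
The precedence rules above can be checked before a drop-in is deployed. The following is an added example, not part of the original post and not OpenSSH code: a simplified Python model that treats every keyword as a first-definition-wins global setting and reports which definitions are ignored. It does not model Match blocks or keywords that accumulate values, and the file names in `demo()` are constructed.

```python
import glob
import os
import tempfile

def resolve(main_path):
    """Return ({keyword: (value, file)}, [(keyword, value, file) that were ignored])."""
    base = os.path.dirname(os.path.abspath(main_path))
    effective, shadowed = {}, []

    def load(path):
        name = os.path.basename(path)
        with open(path) as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                parts = line.split(None, 1)
                key = parts[0].lower()  # keywords are case-insensitive
                value = parts[1].strip() if len(parts) > 1 else ""
                if key == "include":
                    # Assumption: relative patterns resolve next to the main file
                    pattern = value if os.path.isabs(value) else os.path.join(base, value)
                    for inc in sorted(glob.glob(pattern)):  # lexical order
                        load(inc)
                elif key in effective:
                    shadowed.append((key, value, name))  # an earlier definition already won
                else:
                    effective[key] = (value, name)

    load(main_path)
    return effective, shadowed

def demo():
    """Constructed sample: a main file ending in an Include, plus two drop-ins."""
    files = {
        "sshd_config": "PermitRootLogin no\nInclude sshd_config.d/*.conf\n",
        "sshd_config.d/50-puppet.conf": "PermitRootLogin yes\nPasswordAuthentication yes\n",
        "sshd_config.d/10-hardening.conf": "PasswordAuthentication no\nX11Forwarding no\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sshd_config.d"))
        for rel, text in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        return resolve(os.path.join(root, "sshd_config"))

if __name__ == "__main__":
    effective, shadowed = demo()
    for key, (value, name) in effective.items():
        print(f"{key} {value}    <- {name}")
    for key, value, name in shadowed:
        print(f"IGNORED {key} {value} in {name}")
```

On a real system, `sshd -T` prints the effective configuration as the daemon itself resolves it, which is the authoritative check.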