[tclug-list] Implementation of OpenSSH across platforms (and versions)

Tue Mar 15 12:56:55 CST 2005

"I've taken the stance that it's not good business practice to build
a single sshd_config file for all platforms.  Instead, I'm proposing
one sshd_config per platform."

If you have shared config elements that span across all of the
platforms, then it makes sense to template the commonalities. Otherwise
if they are different enough then treat them all separately.

Let's say you have the same LoginGraceTime value for each platform. You
would change one file that would then generate all of your configs with
the same value.

Source file:

LoginGraceTime 600
PermitRootLogin no

Target template 1:

LoginGraceTime [% logingracetime %]
PermitRootLogin [% permitrootlogin %]
MyOSSpecificStanza1 MyOSSpecificValue1

Target template 2:

LoginGraceTime [% logingracetime %]
PermitRootLogin [% permitrootlogin %]
MyOSSpecificStanza2 MyOSSpecificValue2

Target template 3:

LoginGraceTime 300
PermitRootLogin yes
MyOSSpecificStanza1 MyOSSpecificValue1

This is a way to reduce human error, and is useful when you have large
numbers of machines to update. The whole thing can be scripted and
forgotten about. We generate our Apache configs in this fashion.

If you have a small number of machines, then this approach is not the
most efficient method.

torleiv

what you said

> On Tue, 15 Mar 2005 10:14:28 -0800 (PST), Torleiv Flatebo Ringer
> <ringert at consumption.net> wrote:
> > It may be easier if you templated the different configs for each
> > platform, and use a source file for the elements that you need to appear
> > in the various sshd_config files.
> >
> > Then you have the ability to "forget" the syntax of each platform.
> >
> > I have used Template::Toolkit for a variety of tasks. It's pretty easy
> > to use.
>
> I'm not familiar with what you're proposing, but how is that easier
> than editing 5 lines in an existing sshd_config file and propogating
> it across the systems in the same platform?
>
> Granted, this would have to be done on a platform by platform basis,
> but IMO I think it's easier to modify/config that way.
>
> Any other thoughts?
>
>
>

-- 
One of the symptoms of an approaching nervous breakdown is the belief
that one's work is terribly important.
	Don't be so confident - you are not that great.