allow-ssh.inc: allow /etc/ssh/ssh_config

This is the system-wide equivalent of ~/.ssh/config. $ pacman -Q openssh openssh 8.4p1-2 Reasons for blacklisting both /etc/ssh and /etc/ssh/* on disable-common.inc: Leave /etc/ssh that way so that profiles without allow-ssh.inc remain unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that profiles with allow-ssh.inc are able to access only nonblacklisted files inside of /etc/ssh.
kmk3 · Jan 27, 2021 · 3849e12 · 3849e12
1 parent 83ac023
commit 3849e12
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 2 deletions.
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
@@ -3,3 +3,5 @@
 include allow-ssh.local
 
 noblacklist ${HOME}/.ssh
+noblacklist /etc/ssh
+noblacklist /etc/ssh/ssh_config
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
@@ -396,6 +396,7 @@ blacklist /etc/shadow
 blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
+blacklist /etc/ssh/*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist /var/backup

diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
@@ -6,7 +6,7 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh
+noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 
 # Allow ssh (blacklisted by disable-common.inc)

diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,7 @@ include ssh.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh
+noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc