Should I hold the openssh package after modifying /etc/ssh/moduli?

Specifically, I have OpenSSH installed on both of these machines:

  • GNU/Linux Debian 9.3 with OpenSSH version 1:7.4p1-10+deb9u2

  • Linux Mint 18.3 with OpenSSH version 1:7.2p2-4ubuntu2.4

In this question, I read that the following file is distributed with the OpenSSH source code:

/etc/ssh/moduli

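Presumably along with the package. Is my assumption correct that if I change the file to get rid of the weak sizes, and if I do not hold the openssh-server and/or openssh-client packages, the file will be overwritten by the next version update?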

If so, can I put a single file on hold somehow?


I did the following:

  1. Back up the file:

    mv /etc/ssh/moduli /etc/ssh/moduli.bak
    
  2. Filter out the sizes smaller than 4095:

    awk '$5 >= 4095' /etc/ssh/moduli.bak > /etc/ssh/moduli
    

Answer 1

It depends on your operating system. Debian-like systems ("like" Ubuntu) will definitely ask you what to do with the file:

    Configuration file `/etc/ssh/moduli'
     ==> Modified (by you or by a script) since installation.
     ==> Package distributor has shipped an updated version.
       What would you like to do about it ?  Your options are:
        Y or I  : install the package maintainer's version
        N or O  : keep your currently-installed version
          D     : show the differences between the versions
          Z     : start a shell to examine the situation
     The default action is to keep your current version.
    *** moduli (Y/I/N/O/D/Z) [default=N] ?

Answer 2

RedHat systems mark the file as config and noreplace:

    $ cd
    $ yumdownloader --source openssh
    $ rpm -i openssh-7.4p1-13.el7_4.src.rpm
    $ grep /moduli rpmbuild/SPECS/openssh.spec | head -1
    %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli

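So it will not clobber any local changes. Package updates will be installed as /etc/ssh/moduli.rpmnew, which the administrator may need to review against the local customizations.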

But note the following warning from ssh-keygen(1):

    Screened DH groups may be installed in /etc/moduli.  It is important that
    this file contains moduli of a range of bit lengths and that both ends of
    a connection share common moduli.
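
An added example, not part of the original question or answers: a safer form of the question's awk filter that reports which group sizes a moduli file offers (the point of the ssh-keygen(1) warning) and refuses to install a filtered file with no groups left. The helper names (moduli_sizes, filter_moduli, write_sample) and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# moduli(5) fields: time type tests tries size generator modulus
# Shipped files list the size as one less than the nominal length
# (4095 for a 4096-bit group), which is why the question filters on 4095.

# Print "size count" for every group size in the file ($1), smallest first.
moduli_sizes() {
    awk '!/^#/ && NF == 7 { n[$5]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# Copy groups with size >= $2 from $1 to $3 (comment lines are kept).
# Works on a temporary file first and refuses to install a result with no
# groups left, e.g. when the threshold exceeds everything the file offers.
filter_moduli() {
    src=$1 min=$2 dst=$3 tmp="$3.new.$$"
    awk -v min="$min" '/^#/ || (NF == 7 && $5 + 0 >= min + 0)' "$src" > "$tmp" || return 1
    if [ -z "$(moduli_sizes "$tmp")" ]; then
        rm -f "$tmp"
        echo "no groups of size >= $min in $src; $dst left untouched" >&2
        return 1
    fi
    mv "$tmp" "$dst"
}

# Constructed sample: moduli shortened to placeholders, not real primes.
write_sample() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20170101000000 2 6 100 2047 2 AAAA
20170101000001 2 6 100 2047 5 BBBB
20170101000002 2 6 100 3071 2 CCCC
20170101000003 2 6 100 4095 2 DDDD
20170101000004 2 6 100 8191 5 EEEE
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir/moduli.bak"
    echo "before:"; moduli_sizes "$dir/moduli.bak"
    filter_moduli "$dir/moduli.bak" 4095 "$dir/moduli" && { echo "after:"; moduli_sizes "$dir/moduli"; }
    rm -rf "$dir"
}
demo
```

Running moduli_sizes on the real file before and after filtering shows whether more than one bit length remains.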
