具体来说,我在两台机器上都安装了 OpenSSH:
GNU/Linux Debian 9.3 与 OpenSSH 版本
1:7.4p1-10+deb9u2
Linux Mint 18.3 与 OpenSSH 版本
1:7.2p2-4ubuntu2.4
在这个问题中,我读到以下文件是随 OpenSSH 源代码一起分发的:
/etc/ssh/moduli
大概与包裹一起。我的假设是否正确,如果我更改文件以获得弱尺寸,并且如果我不保留openssh-server
和/或openssh-client
包,则该文件将被下一个版本更新覆盖?
如果可以的话,我可以把单个文件放在等候接听不知何故?
我做了以下事情:
备份文件:
mv /etc/ssh/moduli /etc/ssh/moduli.bak
过滤掉小于 4095 的尺寸:
awk '$5 >= 4095' /etc/ssh/moduli.bak > /etc/ssh/moduli
答案1
这取决于您的操作系统。类似 Debian 的系统(“类似”Ubuntu)肯定会询问您如何处理该文件:
Configuration file `/etc/ssh/moduli'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** moduli (Y/I/N/O/D/Z) [default=N] ?
答案2
RedHat 系统将该文件标记为配置并且noreplace
:
$ cd
$ yumdownloader --source openssh
$ rpm -i openssh-7.4p1-13.el7_4.src.rpm
$ grep /moduli rpmbuild/SPECS/openssh.spec | head -1
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
所以不会破坏任何本地更改。软件包更新将安装为/etc/ssh/moduli.rpmnew
,管理员可能需要对其与自定义更新进行审查。
但请注意以下警告ssh-keygen(1)
:
Screened DH groups may be installed in /etc/moduli. It is important that
this file contains moduli of a range of bit lengths and that both ends of
a connection share common moduli.