Hi Andy,

On 02/02/17 11:17, Andy Smith wrote:
>
> Also through the use of override config files that are included into
> the main config file, you can avoid being prompted about changes to
> the main config file. For sshd the config directive is "Include".
>

Are you sure about this?

root@jessie2:/etc/ssh# /usr/sbin/sshd -d
/etc/ssh/sshd_config: line 90: Bad configuration option: Include
/etc/ssh/sshd_config: terminating, 1 bad configuration options

>> What would you consider best practice to keep your ssh hosts (>300)
>> in sync wrt the most important config options?
>
> This is a classic use case for configuration management. You define
> your configuration externally, in one authoritative place, and the
> config management system takes care of applying that config to all
> your hosts.

Exactly. The central place in my case is a debian source package. It
provides binary meta-packages referencing other packages and some
/etc/service.d/local.conf files, extending the usual /etc/service.conf
files provided by the service's binary package.

Please check the output of "find /etc -name \*.d" on your favorite
Debian box to see *how* wide this "Include" approach is in use. You
don't even imagine a package not supporting it. Unfortunately
openssh-server doesn't.

>
> Popular examples are Puppet, Ansible and Chef, all of which are
> well-supported on Debian. To decide which is best for you will
> require some independent research as this is a big topic area and
> hard to generalise.
>

They are supported on Debian, but are they supported *by* Debian as
well? Won't I have to expect conflicts with Debian's dpkg
infrastructure?

Of course I will look into the config management tools you suggested.

Thanx very much for your detailed response
Harri
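
Added example, not part of the original message or of any tool named in the thread: a small drift check that reads an sshd_config the way sshd does (case-insensitive keywords, first value wins, Match blocks conditional) and reports where it departs from a required baseline. The baseline values, the sample config and the function names are assumptions made for the illustration; Include lines are listed but not followed, since the sshd shown above rejects the directive.

```python
import re

# Constructed baseline: real sshd_config keywords (lowercased); the required
# values are an assumption for this illustration, not advice from the thread.
BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",
            "x11forwarding": "no"}

# Constructed sample config, not taken from any real host.
SAMPLE = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
Include /etc/ssh/sshd_config.d/local.conf
Match User backup
    X11Forwarding yes
"""

# Keyword, then whitespace or a single "=", then the rest of the line.
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+|$)(.*)")


def effective_global(text):
    """Return (global options, Include arguments) for a config text."""
    opts, includes = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line, comment or junk
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":             # everything below is conditional
            break
        if key == "include":
            includes.append(value)     # reported, never followed
        else:
            opts.setdefault(key, value)  # first obtained value wins
    return opts, includes


def audit(text, baseline=BASELINE):
    """List (option, required, found); found is None when not set globally."""
    opts, _ = effective_global(text)
    return [(k, want, opts.get(k)) for k, want in sorted(baseline.items())
            if (opts.get(k) or "").lower() != want]


if __name__ == "__main__":
    for opt, want, got in audit(SAMPLE):
        print(f"DRIFT {opt}: want {want!r}, found {got!r}")
    print("Include lines:", effective_global(SAMPLE)[1])
```

An option that is missing from the global section is reported as drift because the compiled-in default then applies, and that default can differ between OpenSSH versions.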