Parameterize SSH client configuration paths via product properties (preserve defaults)#14449
Merged
dodys merged 5 commits intoComplianceAsCode:masterfrom Mar 12, 2026
Merged
Conversation
Smouhoune
requested review from
Mab879,
ggbecker,
jan-cerny,
marcusburghardt and
vojtapolasek
as code owners
|
Hi @Smouhoune. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Smouhoune
force-pushed
the
feat/ssh-client-path-overrides
branch
from
a875c67 to
1ef0ca0
Compare
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy
@@ -4,7 +4,7 @@
[description]:
Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.
-To override the system wide crypto policy for Openssh client, place a file in the /etc/ssh/ssh_config.d/ so that it is loaded before the 05-redhat.conf. In this case it is file named 02-ospp.conf containing parameters which need to be changed with respect to the crypto policy.
+To override the system wide crypto policy for Openssh client, place a file in the /etc/ssh/ssh_config.d directory so that it is loaded before the 05-redhat.conf. In this case it is the /etc/ssh/ssh_config.d/02-ospp.conf file containing parameters which need to be changed with respect to the crypto policy.
This rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.
During the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy
@@ -1,5 +1,6 @@
#the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy
+
file="/etc/ssh/ssh_config.d/02-ospp.conf"
echo -e "Match final all\n\
RekeyLimit 512M 1h\n\
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
+++ xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
@@ -1,8 +1,6 @@
var_ssh_client_rekey_limit_size=''
var_ssh_client_rekey_limit_time=''
-
-
main_config="/etc/ssh/ssh_config"
include_directory="/etc/ssh/ssh_config.d"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
+++ xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
@@ -26,7 +26,7 @@
- name: Collect all include config files for ssh client which configure RekeyLimit
ansible.builtin.find:
- paths: /etc/ssh/ssh_config.d/
+ paths: /etc/ssh/ssh_config.d
contains: ^[\s]*RekeyLimit.*$
patterns: '*.config'
register: ssh_config_include_files |
Smouhoune
force-pushed
the
feat/ssh-client-path-overrides
branch
3 times, most recently
from
01bbd1d to
27a8c9c
Compare
Contributor
Author
Contributor
Author
Mab879
reviewed
Feb 27, 2026
| {{%- if product == 'ubuntu2404' %}} | ||
| {{%- set ssh_approved_ciphers = "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" %}} | ||
| {{%- endif %}} | ||
| {{% set sshc_main_config = ssh_client_main_config_file %}} |
Member
There was a problem hiding this comment.
Suggested change
| {{% set sshc_main_config = ssh_client_main_config_file %}} | |
| {{%- set sshc_main_config = ssh_client_main_config_file -%}} |
| @@ -1,10 +1,12 @@ | |||
| documentation_complete: true | |||
| {{% set sshc_main_config = ssh_client_main_config_file %}} | |||
| {{% set sshc_config_dir = ssh_client_config_dir %}} | |||
Member
There was a problem hiding this comment.
Suggested change
| {{% set sshc_config_dir = ssh_client_config_dir %}} | |
| {{%- set sshc_config_dir = ssh_client_config_dir -%}} |
Smouhoune
force-pushed
the
feat/ssh-client-path-overrides
branch
from
77b4c76 to
5892fd6
Compare
Mab879
approved these changes
Mar 6, 2026
Mab879
requested changes
Mar 9, 2026
Member
Mab879
left a comment
Mab879
left a comment
There was a problem hiding this comment.
Looks like this now needs a rebase.
… path Avoid Jinja whitespace trimming that concatenated a comment and the file assignment in harden_ssh_client_crypto_policy Bash remediation. This keeps 'file=...' on its own line and fixes shellcheck SC2154 in generated fixes.
Update product stability references for ssh client path properties and fix Jinja whitespace trimming in the Ubuntu bash remediation template.\n\nThe template change preserves the newline between variable assignments in the generated shell script and avoids shellcheck failures.
…e metadata Apply whitespace-trim Jinja delimiters in SSH client rule YAML metadata where it is formatting-only and does not affect rendered remediation script behavior. Changes: - linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml - linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml No functional changes intended; this is a style/alignment update per review feedback.
Smouhoune
force-pushed
the
feat/ssh-client-path-overrides
branch
from
5892fd6 to
33824ed
Compare
Contributor
Author
Mab879
approved these changes
Mar 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
- Add product-overridable SSH client path properties:
-
ssh_client_main_config_file-
ssh_client_config_dir- Add backward-compatible defaults in core product property resolution:
-
ssh_client_main_config_file=/etc/ssh/ssh_config-
ssh_client_config_dir=/etc/ssh/ssh_config.d- Replace hardcoded SSH client paths in the following rules and their checks/remediations:
-
ssh_client_rekey_limit-
ssh_client_use_approved_ciphers_ordered_stig-
ssh_use_approved_macs_ordered_stig-
harden_ssh_client_crypto_policy#### Rationale:
- These rules currently hardcode SSH client config paths (
/etc/ssh/ssh_config*), which prevents clean reuse on products that place OpenSSH client configuration elsewhere.- This PR makes path handling product-driven while preserving existing behavior for current products through explicit defaults.
- Rule intent and security logic are unchanged; only path parameterization was introduced.
#### Review Hints:
- Suggested review order:
1.
core(ssg): add product-overridable SSH client path properties2.
rules(ssh_client): replace hardcoded ssh client paths with product properties- Scope is intentionally limited to SSH client path parameterization in the four rules above.
- No rule was removed/disabled.
- Backward compatibility:
- Products without overrides continue to use
/etc/ssh/ssh_configand/etc/ssh/ssh_config.d.- Local validation performed:
-
./build_product --datastream-only rhel9-
./build_product --datastream-only ubuntu2204-
ctest -R 'validate-ssg-ubuntu2204-ds.xml' --output-on-failure