From ca2ab503f42a8446175954e9e7280ecc8e75e927 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 3 Aug 2020 18:38:55 +0200
Subject: ssh: T1076: make configuration volatile

Move sshd_config file to /run so it must be generated on every boot and is
not stored accidentally.
---
 data/templates/ssh/override.conf.tmpl | 3 ++-
 src/conf_mode/ssh.py                  | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl
index 4276366ae..843aa927b 100644
--- a/data/templates/ssh/override.conf.tmpl
+++ b/data/templates/ssh/override.conf.tmpl
@@ -2,9 +2,10 @@
 [Unit]
 StartLimitIntervalSec=0
 After=vyos-router.service
+ConditionPathExists={{config_file}}
 
 [Service]
 ExecStart=
-ExecStart={{vrf_command}}/usr/sbin/sshd -D $SSHD_OPTS
+ExecStart={{vrf_command}}/usr/sbin/sshd -f {{config_file}} -D $SSHD_OPTS
 RestartSec=10
 
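Review bot: `ConditionPathExists={{config_file}}` turns a missing config file into a silent skip rather than a failure: systemd treats an unmet condition as a successful no-op, so `ssh.service` shows as inactive with no error and a monitor watching for a failed unit will not notice a broken generation step. Because the file now lives on tmpfs it is absent on every boot until the conf-mode script renders it, so the start order between that script and this unit (not visible here) decides whether sshd comes up at all; the generator presumably restarts the unit after writing, which should be confirmed. A comment in the template would make the intent explicit, e.g. `# sshd_config is rendered to tmpfs by conf_mode/ssh.py; a missing file means "ssh not configured", not an error`.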
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index ffb0b700d..7b262565a 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -28,7 +28,7 @@ from vyos.xml import defaults
 from vyos import airbag
 airbag.enable()
 
-config_file = r'/etc/ssh/sshd_config'
+config_file = r'/run/ssh/sshd_config'
 systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf'
 
 def get_config():
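Review bot: Nothing in this commit creates `/run/ssh`; `/run` is a tmpfs, so unlike `/etc/ssh` the directory does not exist at boot, and the first write of `config_file` fails with FileNotFoundError unless `render()` creates parent directories, which is not visible here. Add `os.makedirs(os.path.dirname(config_file), exist_ok=True)` before rendering (importing `os` if it is not already), and make the removal path delete the rendered file as well so a stale sshd_config from a previous configuration is not picked up by `-f`. The generate() and apply() functions that would carry these changes are outside this hunk.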
@@ -42,6 +42,8 @@ def get_config():
     # options which we need to update into the dictionary retrived.
     default_values = defaults(base)
     ssh = dict_merge(default_values, ssh)
+    # pass config file path - used in override template
+    ssh['config_file'] = config_file
 
     return ssh
 
-- 
cgit v1.2.3