Why the need for two sshd_configs?


I was trying to disable root login with SSH; I edited the config and set PermitRootLogin no, restarted SSH, but no luck. I just noticed it has Include /etc/ssh/sshd_config.d/*.conf

Which has the file dietpi.conf

Added by DietPi:

PasswordAuthentication yes
PermitRootLogin yes

Why did DietPi add its own when /etc/ssh/sshd_config has the same settings?


I recently learned why this is needed, the hard way.
Not limited to DietPi, this is just a better way to set Linux configs permanently.
Editing any preexisting file under /etc/ could cause something called “ucf pain”.

It starts with installing a software package. In your case the package openssh-server.
The package provides its configuration files under /etc/.
You then edit those files, to make the system do what you want.
Next, you or an automated job updates the system and installs a new version of that package.
The new version of the package comes with a new version of the config files. Some options could be renamed, others deprecated, defaults could change.
The package wants to update the config to work with the new version,
the user wants to keep his changes, so upgrading doesn’t break stuff.
We have a conflict!

The original solution to this is ucf. You can run “man ucf”.
The upgrade process depends on the user to resolve the conflict.

It’s called ucf pain.
At best, just being asked what to do every time you upgrade gets annoying.
Or at worst, you can’t resolve the conflict because you’re managing a fleet of systems with ansible.

Recently this was miraculously fixed with /etc/config_name.d/ directories.
You can put your option overrides there, and leave the package’s config untouched.
Your upgrade process will never be interrupted because of a ucf question.
And mashing “yes” to every question without reading doesn’t run the risk of breaking what you have set up.

Also note that since DietPi has created /etc/ssh/sshd_config.d/dietpi.conf, some DietPi package can override that file when DietPi developers want to change their overrides.
If you want to permanently override DietPi’s overrides, add your own file there, and make sure that it’s ordered after dietpi.conf when sorted alphabetically. (Include ordering)
DietPi would be even wiser to call its config 40_dietpi.conf, so this ordering can be controlled with a number.

DietPi wants a permanent setting that doesn’t bother you with ucf questions.
And you probably want that too.

Basically, using a .d/ configuration is a common way to set your own config options without touching the default config file, because default files could be overwritten by a package update process and your own configuration would be lost.
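
An added example, not part of any post in this thread: a small resolver that follows Include lines the way sshd_config(5) documents them (for each keyword the first obtained value is used, and glob matches are read in lexical order) and reports which file decides PermitRootLogin. Assumptions: relative Include patterns are resolved against the main file's directory (sshd itself uses /etc/ssh), Match blocks are not modelled, and the file names 00_local.conf and zz_local.conf are made up for the demonstration.

```python
import glob
import os
import re
import tempfile

LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")

def directives(path, base):
    """Yield (keyword, value, file) in the order the files are read."""
    with open(path) as fh:
        for raw in fh:
            m = LINE.match(raw.strip())
            if raw.lstrip().startswith("#") or not m:
                continue
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "match":
                return  # simplification: only the global section is modelled
            if key == "include":
                for pattern in value.split():
                    # assumption: relative patterns resolve against `base`
                    for inc in sorted(glob.glob(os.path.join(base, pattern))):
                        yield from directives(inc, base)
            else:
                yield key, value, os.path.basename(path)

def effective(main, keyword):
    """Return (value, file) of the first occurrence, or None if unset."""
    for key, value, src in directives(main, os.path.dirname(main)):
        if key == keyword.lower():
            return value, src

def demo():
    """Constructed files mirroring the thread; local file names are made up."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sshd_config.d"))
        def write(rel, text):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        main = os.path.join(root, "sshd_config")
        write("sshd_config", "Include sshd_config.d/*.conf\nPermitRootLogin no\n")
        write("sshd_config.d/dietpi.conf",
              "# Added by DietPi:\nPasswordAuthentication yes\nPermitRootLogin yes\n")
        out["main_edit_only"] = effective(main, "PermitRootLogin")
        write("sshd_config.d/zz_local.conf", "PermitRootLogin no\n")
        out["sorted_after"] = effective(main, "PermitRootLogin")
        write("sshd_config.d/00_local.conf", "PermitRootLogin no\n")
        out["sorted_before"] = effective(main, "PermitRootLogin")
    return out
```

On a real host, `sshd -T` prints the effective configuration after all Include files have been processed, which is the authoritative check after any change.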