Deprecated option UsePrivilegeSeparation

[laurentL]

Hi,
https://www.openssh.com/releasenotes.html
OpenSSH 7.5/7.5p1 (2017-03-20)
This release includes a number of changes that may affect existing
configurations:

• This release deprecates the sshd_config UsePrivilegeSeparation
  option, thereby making privilege separation mandatory. Privilege
  separation has been on by default for almost 15 years and
  sandboxing has been on by default for almost the last five.

UsePrivilegeSeparation must be remove,
Impact: impossible to start sshd

[myii]

@laurentL Apologies for the delay, just a quick response here.

https://github.com/saltstack-formulas/openssh-formula/search?q=UsePrivilegeSeparation&unscoped_q=UsePrivilegeSeparation

• It should be possible to change the value of UsePrivilegeSeparation for the time being.

As for the longer term, then we can look at how to remove it without affecting those using older versions of OpenSSH.

[alxwr]

UsePrivilegeSeparation has been an opt-in for quite some time now.

openssh-formula/openssh/files/default/sshd_config

Line 90 in 3d2442f

{{- option('UsePrivilegeSeparation') -}}

Unless the administrator explicitly enables it, there is no impact at all.

I agree that we could just remove UsePrivilegeSeparation from this formula.

If existing Pillar data requires it, It will still work via

openssh-formula/openssh/files/default/sshd_config

Line 204 in 3d2442f

{#- Handling unknown in salt template options -#}

.

I opened a PR.