Openssh Is Locally Modified After Clean Rebuild

After rebuild with ubuntu 23.04 and "apt upgrade", a "dialogue" says that the openssh config file has been locally modified.

This is a problem if you want to run an uninterrupted setup script.

To reproduce, rebuild clean ubuntu 23.04, then

apt update
apt upgrade

The "dialogue":

-------------------- Configuring openssh-server -------------------
| A new version (/tmp/tmp.ZTNrbA2fFd) of configuration file
| /etc/ssh/sshd_config is available, but the version installed currently
| has been locally modified.
|
| What do you want to do about modified configuration file sshd_config?
|
| install the package maintainer's version
| keep the local version currently installed
| show the differences between the versions
| show a side-by-side difference between the versions
| show a 3-way difference between available versions
| do a 3-way merge between available versions
| start a new shell to examine the situation
|
| <ok>

1 Reply

This took quite a bit of trial and error to fully iron out the kinks but I think I got it. When you are updating a freshly deployed Ubuntu 23 Linode, it will create interactive prompts for not only OpenSSH but it will also prompt you to reboot after it upgrades the kernel version.


Disable Interactive Menu - OpenSSH:

In order to prevent OpenSSH from upgrading, you can include the following lines in your script:

apt-mark hold openssh-client openssh-server openssh-sftp-server

Please keep in mind that it can create a security risk if you do not eventually update OpenSSH since the apt-mark hold is persistent through multiple upgrades.

To remove the hold, either run the command or include this line in your script after apt upgrade:

apt-mark unhold openssh-client openssh-server openssh-sftp-server

Disable Kernel Restart Message:

The interactive popups for your kernel upgrade are triggered by the configuration specified by a preinstalled Ubuntu app called needrestart. You can upgrade your kernel without receiving "Restart Needed" messages by creating an override file as such:

touch /etc/needrestart/conf.d/disable.conf

Followed by the command:

tee -a /etc/needrestart/conf.d/disable.conf <<'EOF'
# Restart services (l)ist only, (i)nteractive or (a)utomatically.
$nrconf{restart} = 'l';
# Disable hints on pending kernel upgrades.
$nrconf{kernelhints} = 0;
EOF

That will set needrestart to "list-only" mode which allows you to upgrade without the popup that disrupts your scripting.


Putting it all together:

Your script will vary by your desired server outcome, but I created a simple Bash script that will:

  • Hold OpenSSH upgrades
  • Disable the Kernel Message
  • Update & Upgrade the server
  • Remove OpenSSH from hold so that it upgrades in the future

#!/bin/bash
apt update
apt-mark hold openssh-client openssh-server openssh-sftp-server
touch /etc/needrestart/conf.d/disable.conf
# Quote the heredoc delimiter so the shell does not expand $nrconf
tee -a /etc/needrestart/conf.d/disable.conf <<'EOF'
# Restart services (l)ist only, (i)nteractive or (a)utomatically.
$nrconf{restart} = 'l';
# Disable hints on pending kernel upgrades.
$nrconf{kernelhints} = 0;
EOF
apt upgrade -yqq
apt-mark unhold openssh-client openssh-server openssh-sftp-server
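The following is an added example, not code from the original post, that packages the same four steps (hold OpenSSH, write the needrestart override, upgrade, unhold) into functions so the pieces that do not need apt can be checked offline. It assumes the same file path and package names used in the thread, adds `DEBIAN_FRONTEND=noninteractive` (a standard Debian/Ubuntu variable) for the upgrade step, writes the override with `cat >` so re-running the script does not append duplicate lines, and finishes by checking `apt-mark showhold` so a hold left on the OpenSSH packages is reported rather than silently persisting:

```shell
#!/bin/sh
# Added example (not from the original post): unattended first-boot upgrade
# for a fresh Ubuntu install. NEEDRESTART_CONF and the package names are
# assumed from the thread; the path can be overridden for testing.

NEEDRESTART_CONF="${NEEDRESTART_CONF:-/etc/needrestart/conf.d/disable.conf}"
SSH_PKGS="openssh-client openssh-server openssh-sftp-server"

# Write the needrestart override. The heredoc delimiter is quoted ('EOF') so
# the shell leaves $nrconf alone and the Perl assignments reach the file intact.
write_needrestart_conf() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<'EOF'
# Restart services (l)ist only, (i)nteractive or (a)utomatically.
$nrconf{restart} = 'l';
# Disable hints on pending kernel upgrades.
$nrconf{kernelhints} = 0;
EOF
    # Verify the literal line survived; an unquoted heredoc would have mangled it.
    grep -qxF "\$nrconf{restart} = 'l';" "$conf"
}

# Given the output of `apt-mark showhold`, return 0 only if none of the
# OpenSSH packages are still held; names any that are on stderr.
ssh_holds_cleared() {
    held="$1"
    rc=0
    for p in $SSH_PKGS; do
        if printf '%s\n' "$held" | grep -qx "$p"; then
            echo "still on hold: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# The procedure itself; only meaningful on a real host, as root.
run_upgrade() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-mark hold $SSH_PKGS
    write_needrestart_conf "$NEEDRESTART_CONF"
    apt-get upgrade -yqq
    apt-mark unhold $SSH_PKGS
    # Fail loudly if a hold was left behind so OpenSSH keeps getting updates.
    ssh_holds_cleared "$(apt-mark showhold)"
}

# Usage (as root): sh unattended-upgrade.sh --run
if [ "${1:-}" = "--run" ]; then
    run_upgrade
fi
```

The `--run` guard keeps the apt calls from firing when the file is sourced or tested; `write_needrestart_conf` and `ssh_holds_cleared` can be exercised on any machine with a temporary path and a constructed hold list.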
