author: glitsj16 <glitsj16@users.noreply.github.com> 2021-11-10 10:24:15 +0000
committer: GitHub <noreply@github.com> 2021-11-10 10:24:15 +0000
commit: 437043c9ddb812d6c4c31b9d373443ec003f7dc4
tree: 924da6ab7bbe4fb3dd18454461dd15116a6e9dcc /etc/inc
parent: disable-common.inc: fix ssh
fixes for ssh
After seeing https://github.com/netblue30/firejail/commit/9a81078ddbbb4215d06f7d1861481ece05ebda99 it dawned on me that Arch Linux doesn't have /usr/lib/openssh, but uses /usr/lib/ssh instead. That's a different path than what's referenced in our current {allow-ssh,disable-common}.inc files. Some very superficial checks revealed that OpenSSH seems to be packaged quite differently, at least on Debian/Ubuntu and Arch Linux. And then there are version differences on non-rolling distros to consider. All in all IMO it makes more sense to (no)blacklist /usr/lib/openssh and /usr/lib/ssh instead of referencing all the possible individual files that live under those paths.
Diffstat (limited to 'etc/inc')
-rw-r--r-- etc/inc/allow-ssh.inc 7
1 files changed, 5 insertions, 2 deletions
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index a78798a18..8995e5a74 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -5,6 +5,9 @@ include allow-ssh.local
5noblacklist ${HOME}/.ssh 5noblacklist ${HOME}/.ssh
6noblacklist /etc/ssh 6noblacklist /etc/ssh
7noblacklist /etc/ssh/ssh_config 7noblacklist /etc/ssh/ssh_config
8noblacklist /tmp/ssh-*
9noblacklist ${PATH}/ssh 8noblacklist ${PATH}/ssh
10noblacklist /usr/lib/openssh/ssh-keysign 9noblacklist /tmp/ssh-*
10# Debian/Ubuntu and derivatives
11noblacklist /usr/lib/openssh
12# Arch Linux and derivatives
13noblacklist /usr/lib/ssh
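Review bot: the new `noblacklist /usr/lib/openssh` and `noblacklist /usr/lib/ssh` entries exempt two whole directories, where the removed line exempted only `/usr/lib/openssh/ssh-keysign`, so any profile that includes allow-ssh.inc is no longer covered by a blacklist on anything else packaged under those paths. The commit message says this is deliberate; a short comment above the two entries stating that the directory-level match is intentional, and that it has to stay in step with the matching blacklist entries in disable-common.inc, would stop a later cleanup from narrowing one file without the other. The distro comments name only Debian/Ubuntu and Arch Linux, so it is worth confirming whether other distros place the helpers under a path that neither entry covers.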