ssh: deny access to the rest of /etc/ssh/*

ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that
is used by ssh(1).  The other paths are only used by sshd(8), so stop
allowing them on ssh.profile and ssh-agent.profile.  Path examples from
sshd(8):

* /etc/ssh/moduli
* /etc/ssh/ssh_host_ecdsa_key
* /etc/ssh/ssh_host_ecdsa_key.pub
* /etc/ssh/ssh_known_hosts
* /etc/ssh/sshd_config
* /etc/ssh/sshrc

    $ pacman -Q openssh
    openssh 8.4p1-2

2 files changed, 0 insertions, 2 deletions

diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 0b7caed7d..60c7b510c 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,7 +6,6 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 
 # Allow ssh (blacklisted by disable-common.inc)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index eb7bc3ec5..3ddd96df4 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,6 @@ include ssh.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc