allow-ssh.inc: allow /etc/ssh/ssh_config

This is the system-wide equivalent of ~/.ssh/config.

    $ pacman -Q openssh
    openssh 8.4p1-2

Reasons for blacklisting both /etc/ssh and /etc/ssh/* on
disable-common.inc:

Leave /etc/ssh that way so that profiles without allow-ssh.inc remain
unable to see inside of /etc/ssh.  And blacklist /etc/ssh/* so that
profiles with allow-ssh.inc are able to access only nonblacklisted files
inside of /etc/ssh.

4 files changed, 5 insertions, 2 deletions

diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 2e864ad64..48b1f91ba 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -3,3 +3,5 @@
 include allow-ssh.local
 
 noblacklist ${HOME}/.ssh
+noblacklist /etc/ssh
+noblacklist /etc/ssh/ssh_config
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index eeafe3ec4..e1c930b43 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -396,6 +396,7 @@ blacklist /etc/shadow
 blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
+blacklist /etc/ssh/*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist /var/backup
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index d2e2b3408..0b7caed7d 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,7 +6,7 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh
+noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 
 # Allow ssh (blacklisted by disable-common.inc)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index efdf63976..eb7bc3ec5 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,7 @@ include ssh.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh
+noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc