[sshd] sshd ignoring /etc/ssh/sshd_config

Post by funkyboris » Thu Mar 20, 2014 7:48 pm

Hi

I am having a problem with my sshd daemon. It seems determined to ignore my configuration file altogether.

My setup is this:

Contents of /etc/systemd/system/multi-user.target.wants/sshd.service :
```
[Unit]
Description=OpenSSH Daemon
Wants=sshdgenkeys.service
After=sshdgenkeys.service
After=network.target

[Service]
ExecStart=/usr/bin/sshd -D -f /etc/ssh/sshd_config
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always

[Install]
WantedBy=multi-user.target
```

Content of /etc/ssh/sshd_config :
```
AllowGroups sshusers
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no
UsePrivilegeSeparation sandbox
Subsystem sftp /usr/lib/ssh/sftp-server
```
which is all vanilla Arch Linux except the first two lines (of which I have already tried removing the first line to no avail).

output of ps aux | grep sshd :
```
root 279 0.0 0.7 10408 3400 ? Ss 20:05 0:00 sshd: user [priv]
user 286 0.1 0.3 10408 1544 ? S 20:05 0:01 sshd: user@pts/0
root 402 0.0 0.4 6280 2260 ? Ss 20:26 0:00 /usr/bin/sshd -D -f /etc/ssh/sshd_config
user 439 0.0 0.2 4540 948 pts/2 S+ 20:34 0:00 grep sshd
```

Yet the sshd permits password logins with the root user.

I have tried
```
sudo systemctl daemon-reload
sudo systemctl restart sshd
```
even reboot. No change.

The sshd does understand the config file. Running sudo sshd -t -ddd -e -f /etc/ssh/sshd_config gives me :
```
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 352
debug2: parse_server_config: config /etc/ssh/sshd_config len 352
debug3: /etc/ssh/sshd_config:19 setting Protocol 2
debug3: /etc/ssh/sshd_config:43 setting AllowGroups sshusers
debug3: /etc/ssh/sshd_config:46 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:57 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:79 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:100 setting UsePAM yes
debug3: /etc/ssh/sshd_config:109 setting PrintMotd no
debug3: /etc/ssh/sshd_config:113 setting UsePrivilegeSeparation sandbox
debug3: /etc/ssh/sshd_config:129 setting Subsystem sftp /usr/lib/ssh/sftp-server
debug1: sshd version OpenSSH_6.6, OpenSSL 1.0.1f 6 Jan 2014
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_rsa_key" as a RSA1 public key
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_dsa_key" as a RSA1 public key
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_ecdsa_key" as a RSA1 public key
debug1: private host key: #2 type 3 ECDSA
debug3: Incorrect RSA1 identifier
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_ed25519_key" as a RSA1 public key
debug1: private host key: #3 type 4 ED25519
```

I am curious. It would seem that it does read and understand the configuration file and just fails to act accordingly - or am I missing something here?

Please let me know if there are any additional details needed in order to properly diagnose the problem.
funkyboris
 
Posts: 8
Joined: Thu Mar 20, 2014 7:20 pm

Re: [sshd] sshd ignoring /etc/ssh/sshd_config

Post by pepedog » Thu Mar 20, 2014 8:38 pm

Don't create that .service file there, leave the original symlink alone.
Look at this
https://wiki.archlinux.org/index.php/Sy ... unit_files
Only change, or have entries, for things that have changed
pepedog
Developer
 
Posts: 2431
Joined: Mon Jun 07, 2010 3:30 pm
Location: London UK

Re: [sshd] sshd ignoring /etc/ssh/sshd_config

Post by funkyboris » Fri Mar 21, 2014 1:59 pm

pepedog wrote:
> Don't create that .service file there, leave the original symlink alone.
> Look at this
> https://wiki.archlinux.org/index.php/Sy ... unit_files
> Only change, or have entries, for things that have changed


Thank you. While it does provide a valuable lesson on the workings of systemd and how proper customization should be done, it does not really explain or remedy the actual problem here, namely that sshd ignores its designated config file.

I have now reverted to the vanilla .service file. This had the expected effect on the output from ps (now listing the sshd without the -f flag).

The output from sudo sshd -t -ddd -e -f /etc/ssh/sshd_config and sudo sshd -t -ddd -e are exactly the same, which seems to indicate that the manpage is right about the default config file being /etc/ssh/sshd_config. Login as root via ssh is still possible, however.

Any other suggestions?
funkyboris
 
Posts: 8
Joined: Thu Mar 20, 2014 7:20 pm

Re: [sshd] sshd ignoring /etc/ssh/sshd_config

Post by pepedog » Fri Mar 21, 2014 2:08 pm

No suggestions, I would have expected this to work
https://wiki.archlinux.org/index.php/Ssh#Deny_root_login
pepedog
Developer
 
Posts: 2431
Joined: Mon Jun 07, 2010 3:30 pm
Location: London UK

Re: [sshd] sshd ignoring /etc/ssh/sshd_config

Post by funkyboris » Fri Mar 21, 2014 2:49 pm

Right. I now have a confession to make: I did not actually try to complete the login (since my root password is very long, I did not want to type it). I just assumed that getting the pw prompt would let me in if I had the correct password.

After examining journalctl -u sshd I can see a very important difference between before and after the change to the config file.

Before:
```
sshd[pid]: Failed password for root from x.x.x.x port n
```
After:
```
sshd[pid]: Failed password for invalid user root from x.x.x.x port n ssh2
```

It would seem that if password authentication is enabled, it is standard behaviour for sshd to prompt for a password, regardless of whether the login has any chance of success - even for non-existing users (tested that as well).

Assumption is indeed the mother of all fsckups. I apologize for wasting your time :)
funkyboris
 
Posts: 8
Joined: Thu Mar 20, 2014 7:20 pm
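
Added example, not part of the original thread: because the password prompt appears whether or not a login can succeed, the checks that settle the question are the effective configuration printed by `sshd -T` and the wording of the journal line. The sample `sshd -T` output and log lines below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# On a real host the first input would come from `sudo sshd -T` (effective
# configuration) and the second from `journalctl -u sshd`.

# Constructed sample of `sshd -T` output: lowercase keyword, then value.
SAMPLE_EFFECTIVE='port 22
permitrootlogin no
passwordauthentication yes
allowgroups sshusers
usepam yes'

# Constructed journal lines modelled on the two quoted in the post.
LINE_BEFORE='sshd[402]: Failed password for root from 192.0.2.10 port 50000 ssh2'
LINE_AFTER='sshd[402]: Failed password for invalid user root from 192.0.2.10 port 50000 ssh2'

# effective_setting KEY: read `sshd -T` style text on stdin and print the
# value of KEY (matched case-insensitively); non-zero exit if KEY is absent.
effective_setting() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" \
        '$1 == key { $1 = ""; sub(/^ /, ""); print; found = 1 }
         END { exit !found }'
}

# root_login_blocked: succeed only if the effective config on stdin
# has PermitRootLogin set to "no".
root_login_blocked() {
    [ "$(effective_setting PermitRootLogin)" = "no" ]
}

# classify_auth_line LINE: distinguish a failed attempt on an account sshd
# treats as invalid from one on an account it accepts as a login name.
classify_auth_line() {
    case "$1" in
        *"Failed password for invalid user "*) echo "failed-invalid-account" ;;
        *"Failed password for "*)              echo "failed-valid-account" ;;
        *"Accepted password for "*)            echo "accepted" ;;
        *)                                     echo "other" ;;
    esac
}

if printf '%s\n' "$SAMPLE_EFFECTIVE" | root_login_blocked; then
    echo "effective config: root login refused"
fi
echo "before: $(classify_auth_line "$LINE_BEFORE")"
echo "after:  $(classify_auth_line "$LINE_AFTER")"
```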

Re: [sshd] sshd ignoring /etc/ssh/sshd_config

Post by WarheadsSE » Fri Mar 21, 2014 3:06 pm

;)
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: [sshd] sshd ignoring /etc/ssh/sshd_config

Post by pepedog » Fri Mar 21, 2014 5:31 pm

I was about to post on this too
pepedog
Developer
 
Posts: 2431
Joined: Mon Jun 07, 2010 3:30 pm
Location: London UK

