When running the section5 SSH tasks, the sshd configuration file is not validated. The ssh daemon may not be restarted, because not all tasks contain the notify statement and the error remains silently in the configuration file.
This can cause the sshd configuration file to be misconfigured, and the ssh daemon will not start after a system restart.
This is a major issue, since the administrator has to log into the machine via single user mode, serial console or another type of alternative access to fix the misconfigured file. This happened to me today on the GCP platform, where the end of the SSH file is by default configured properly, but if another line is added to it, it breaks the syntax.
Example of valid ending of SSH config file:
# Create chrooted directory
Match Group scponly
ChrootDirectory %h
passwordAuthentication yes
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
By adding, for example, the line PermitUserEnvironment no, the Match block is not closed with a Match all statement and the configuration file is invalid.
# Create chrooted directory
Match Group scponly
ChrootDirectory %h
passwordAuthentication yes
ForceCommand internal-sftp
AllowTcpForwarding no
PermitUserEnvironment no
Error when running sshd -t:
/etc/ssh/sshd_config line 69: Directive 'PermitUserEnvironment' is not allowed within a Match block.
As remediation I propose:
There should be an SSH validation step that runs sshd -t after the tasks or in a handler.
If the validation is run in a handler, all tasks that alter the sshd config file should notify for a daemon restart.
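One way to implement the proposed remediation in an Ansible role, as an added example that is not the section5 tasks' own code. It assumes the sshd binary is at /usr/sbin/sshd and that the handler is named restart sshd; the validate option hands the temporary file to sshd -t before it ever replaces /etc/ssh/sshd_config, and insertbefore keeps a global directive out of a trailing Match block.

```yaml
# tasks/ssh.yml (added example, not part of the original role)
- name: Ensure PermitUserEnvironment is disabled
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^\s*#?\s*PermitUserEnvironment\s'
    line: 'PermitUserEnvironment no'
    # Global directives must precede any Match block; if no Match block
    # exists, lineinfile falls back to appending at end of file.
    insertbefore: '^Match\s'
    firstmatch: true
    # Ansible writes the change to a temp file, substitutes its path for %s,
    # and only installs it if this command exits 0. A syntax error is
    # therefore reported by the task instead of being left on disk.
    validate: '/usr/sbin/sshd -t -f %s'   # assumed binary path
  notify: restart sshd

- name: Validate the final sshd configuration before handlers run
  ansible.builtin.command: /usr/sbin/sshd -t
  changed_when: false

# handlers/main.yml
- name: restart sshd
  ansible.builtin.service:
    name: sshd
    state: restarted
```

Every task in the role that edits sshd_config should carry the same validate and notify lines, otherwise a change made by a task without notify is only picked up at the next reboot, which is exactly when the failure described above surfaces.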