Add new user -> sshd_config gets busted!

redunix

Hello,

On some of our servers where we host DirectAdmin (CentOS 5.4 64-bit, Debian 64-bit, FC8 64-bit), when you add a new user with ssh privileges it will add it in the /etc/ssh/sshd_config as AllowUsers DAusername.

My problem is that when I add a new user with ssh access, DA adds it to the sshd_conf but deletes all the other AllowUsers. This has been happening since a week ago or something. I see this on some servers but not on all the servers.

What can I do to solve this? All DA servers are up to date.
 
Hello,

I'm not too sure. When adding a User with ssh access, the /etc/sshd_config is only opened in "append" mode by DA. This means that the system only lets DA add data to the end of the file, making it impossible (theoretically) for any existing data to be removed.

The removal process is different. DA will go through each line and rewrite each line if it doesn't match what DA is looking for... but as you say, this only happens when adding a User, so isn't likely related.

Also, the sshd add/remove code hasn't been touched for ages, so I'm not sure it would be related to a code issue.

My guess at this time would be a binary issue. For one, we don't support Fedora 8 64-bit, so whichever binaries you're using for it were not designed for it.

Can you check the compiled OS for the binaries you're using? Make sure they're for the OS you're using.
Code:
cd /usr/local/directadmin
./directadmin o
As for a solution ... if it's not a wrong binary, then I'm not sure what it would be. One workaround (doesn't fix the problem, just skips around it) would be to use a placebo for the sshd_config, since the AllowUsers is not actually required as long as there are zero AllowUsers entries in the file.
This related guide explains how to change it:
http://help.directadmin.com/item.php?id=168

John
 
sshd_conf altered by DirectAdmin even in version 1.403

Just now, after a reboot, we could not log in to ssh!
The provider of our dedicated servers, peer1/ServerBeach, has confirmed they could not log into ssh using their own credentials under a user in the "wheel" group!
It took an installed Webmin to undo the damage done by DirectAdmin: DirectAdmin has altered the sshd_conf file by inserting AllowUsers: diradmin, effectively eliminating SSH access for even root.

One solution is to use the attrib command to set the immutable bit on the ssh_conf file; but that is not the best solution (please see man for Linux attrib).

At a glance, directadmin executable ELF binary deals with it directly. I will post more as soon as I find the solution.

Tom
 
Hello,

It's well documented that if you have a non-root user, you must add it to the sshd_config prior to the DA install.
See step 3 of the install guide.
Please carefully read all installation steps during the install.

As a workaround, if you don't ever want DA to touch the sshd_config anymore, you can edit:
Code:
/usr/local/directadmin/conf/directadmin.conf
and change:
Code:
sshdconfig=/etc/ssh/sshd_config
to some other empty file that you create.
DA will then add/remove AllowUsers entries to the "other" file you create, so it will have no effect on sshd, eg:
Code:
sshdconfig=/etc/ssh/sshd_config.plecibo
Hope this helps.

John
 
Preserving sshd_conf by altering directadmin.conf

John,

Thank you very much, this helps a lot!

The generic installation instructions are for those who want their OS altered irreversibly (smiley). On a more serious note, there's no mechanism to uninstall DirectAdmin.

The license agreement allows making a backup copy of the OS with DA installed. I have therefore first installed the DA by "conventional" means, made a "dd" copy of the OS, restored the OS into its "pristine" state, and have been installing DA step by step, manually, so as to preserve bind/exim/dovecot/mysql etc. as installed from the official repositories, yet utilize the DA's MTA management functionality.

We are not hosting resellers; DirectAdmin in our case is a possibly viable solution to manage Exim/Dovecot MTA only.

Sincerely,
Tom
 
The install guide: more complete information on installing DirectAdmin safely

Here's what the install guide says:

**** SPECIAL NOTICE for non-root ssh logins ****

If logging in as a user other than admin or root (using su to gain root access):

You *must* add "AllowUsers username" to /etc/ssh/sshd_config before you log out from root or you'll lose root on the server forever, and you'll have to format.

FALSE.

You won't need to reformat; the easy way around is to install Webmin beforehand; it allows access to editing sshd_conf file and restarting ssh.

Alternatively, boot off in a rescue environment, and edit the sshd_conf to undo the damage.

Hope this helps my brethren who are waiting for the day when the DirectAdmin setup.sh will have an --uninstall switch implemented. The brightest day will come when the core directadmin will be packaged as an rpm: easy come, easy go.

Tom
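
An added example (not part of any post above, and not DirectAdmin's code): a small shell check for the lockout discussed in this thread, listing which accounts a file's AllowUsers entries would exclude. It assumes exact user names (no wildcard or user@host patterns) and no Match blocks; the sample file and the account name opsuser are constructed.

```shell
#!/bin/sh
# Added example: report accounts that sshd's AllowUsers list would lock out.
# Assumptions: exact user names only (no wildcards or user@host patterns),
# and no Match blocks in the file.

# Print every name listed on any AllowUsers line, one per line.
# Keyword matching is case-insensitive; commented-out lines are ignored
# because their first field is not the bare keyword.
allowed_users() {
    awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# locked_out FILE USER...
# Prints each USER that is absent from FILE's AllowUsers entries.
# With zero AllowUsers entries the directive restricts nobody,
# so nothing is printed.
locked_out() {
    cfg=$1; shift
    list=$(allowed_users "$cfg")
    [ -z "$list" ] && return 0
    for u in "$@"; do
        printf '%s\n' "$list" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# Constructed sample: the state described in the thread, where the only
# AllowUsers entry in the file is the one the control panel wrote.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
AllowUsers diradmin
EOF

missing=$(locked_out "$sample" root diradmin opsuser)
if [ -n "$missing" ]; then
    echo "Would be locked out of SSH:" $missing
fi
rm -f "$sample"
```

On a live server, call `locked_out /etc/ssh/sshd_config` with root and every login you rely on before restarting sshd or rebooting, and keep the current session open until a second login has succeeded.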
 