BUG: sshd_config

[OhReally]

When I enable ssh access for a user, an 'AllowUsers' line is appended to sshd_config. This breaks my sshd configuration, because the last part of sshd_config is reserved for 'Match' sections, so the AllowUsers line should be inserted before the first line that starts with 'Match', if any; 'Match' sections continue to the next 'Match' section or the end of the file.

See `man sshd_config' for more info.

 

[nobaloney]

What OS are you using? I just cheked man sshd_config for both Mandriva (our desktop systems), CentOS4 (our older servers), and CentOS5 (our newer servers) and none of them have a Match section that needs to go after AllowUsers.

Jeff

 

[OhReally]

FreeBSD

Hi Jeff,

I'm using FreeBSD.
The man page.

Cheers,
Rob


Edit:
'Match' was added to sshd_config in revision 1.60 on July 12th, 2006: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5

Edit2:
The man page on my Mandriva system (Mandriva 2008.1 Official / OpenSSH-server 5.0p1) also mentions the 'Match' section.

 

[nobaloney]

If you don't need the Match section you can probably remove it. If you do need it, then I'd say write to DirectAdmin support about the issue.

I'm NOT a FreeBSD person; maybe someone else will be able to help here.

Jeff

 

[OhReally]

Well, since this is the Feedback forum at DirectAdmin.com, I'm going to assume support is reading along and will fix this.

Thanks.

 

[nobaloney]

When you assume you make an a?? out of u and me .

The forums are NOT an official support venue, and this isn't a feature request.

I strongly suggest you write to DirectAdmin support if you need them.

Jeff

 

[DirectAdmin Support]

Hello,

This would be your best bet to create a plecibo for DA to use.
http://help.directadmin.com/item.php?id=168

If there are *no* AllowUsers entries, then all will be able to use ssh if they have a shell. Note that DA only gives shells to valid ssh users, so you'll still be ok... old non-ssh users will not get ssh access all of a sudden (unless they have a shell, but DA wouldn't have given them one)

John

 

[OhReally]

Hi John,

I don't mean to be rude, but... did you actually read what I wrote?

My problem is not that there are too many AllowUsers lines in sshd_config. And my problem is not solved by completely removing the AllowUsers lines. I do want to use AllowUsers; security is a big issue for me.

My problem is that the way DirectAdmin adds AllowUsers lines to sshd_config breaks my config. And the way DirectAdmin adds AllowUsers lines to sshd_config conflicts with the man page. And the man page comes with the app, so the man page is right...

All that needs to be done is get the first and third post in this thread (my first 2 posts) to the development team, and they will have this fixed in 5 minutes.

Thank you,
Rob

 

[DirectAdmin Support]

Yes, the guide would work if it doesn't add the AllowUsers at all, which would allow your Match to happen at the bottom, but it won't work if you do still require the AllowUsers.

The only way to do what you're looking for then would be via the:
/usr/local/directadmin/scripts/custom/user_create_post.sh
/usr/local/directadmin/scripts/custom/user_modify_post.sh
script which would have to be created.
In them you'd do a check for ssh=ON.. I guess don't really have to check, then edit the sshd_config as required.

We have not yet looked at adding the Match function. (IE: we don't support all of the features in all of services)

John

 

[rtaylor]

I don't mean to be rude, but...

Nice try.

 

[Jan_E]

@OhReally did you ever contact support? If so, what was the answer?

I just stumbled into the same thing before I found this thread:
https://forum.directadmin.com/showthread.php?t=51787

Selectively disabling password authentication is becoming more important then ever:
https://kingcope.wordpress.com/2015...rute-force-vulnerability-maxauthtries-bypass/