ssh config corrupt

WilcoOnline

Hi There,

Got a heavy problem.
One of our webservers got a corrupted ssh config file and ssh is stopped.

Does anybody have a solution to repair this file from the admin?
 
ssh_config or sshd_config?

Here's what ssh_config should look like:
Code:
#       $OpenBSD: ssh_config,v 1.12 2002/01/16 17:55:33 stevesk Exp $

# This is the ssh client system-wide configuration file.  See ssh(1)
# for more information.  This file provides defaults for users, and
# the values can be changed in per-user configuration files or on the
# command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication yes
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
Host *
        ForwardX11 yes

And here's what sshd_config should look like:
Code:
#       $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
AllowUsers root
AllowUsers admin

Note that the sshd_config file may need additional AllowUsers lines.

Both these files belong in the /etc/ssh directory (on Linux, anyway) and should be chmod 644, owned by root:root.

Note that this is my recreation (to the best of my ability) of standard config files; you'll probably want to tighten up your sshd config; search these forums.

Jeff
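
An added example, not part of the posts above: one way to avoid the lockout this thread describes is to let sshd test a candidate sshd_config before it replaces the live file. `sshd -t -f` is OpenSSH's configuration test mode; the function name, the `SSHD_BIN` variable and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. SSHD_BIN and the function name are assumptions.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"

# install_sshd_config CANDIDATE LIVE
# Returns 0 if LIVE was replaced, 1 if the candidate was rejected (LIVE untouched).
install_sshd_config() {
    candidate=$1
    live=$2

    # "sshd -t" only checks the config and host keys for validity, then exits;
    # "-f" makes it read the candidate instead of the live file.
    if ! "$SSHD_BIN" -t -f "$candidate"; then
        echo "rejected: $candidate failed sshd -t; $live left unchanged" >&2
        return 1
    fi

    # Keep the last known-good copy beside the live file.
    if [ -f "$live" ]; then
        cp -p "$live" "$live.bak" || return 1
    fi

    # Copy to a temp name in the same directory, then rename over the target,
    # so an interrupted copy never leaves a truncated sshd_config behind.
    tmp="$live.new.$$"
    if cp "$candidate" "$tmp" && chmod 644 "$tmp"; then
        # Mode 644 and root:root as stated in the post above; only root can chown.
        if [ "$(id -u)" -eq 0 ]; then
            chown root:root "$tmp" || { rm -f "$tmp"; return 1; }
        fi
        mv -f "$tmp" "$live" && return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage (as root): install_sshd_config /root/sshd_config.new /etc/ssh/sshd_config
# Then reload sshd from a session you keep open until a second login succeeds.
```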
 
You'll have to contact your datacenter and get someone to do it locally.

If you still have access to DirectAdmin, this would have been a perfect scenario for the emergency access plugin I was/am thinking about.
 
jmstacey said:
You'll have to contact your datacenter and get someone to do it locally.

If you still have access to DirectAdmin, this would have been a perfect scenario for the emergency access plugin I was/am thinking about.


I've still got access to the Admin of DirectAdmin. Can you send me that plugin?
 
Unfortunately I never made it, just an idea. I put it on the backburner since there didn't seem much interest.

I might be able to whip something up for you later this evening however I would suggest seeing what your DC could do first. But if you're still desperate drop me a line (PM or [email protected])

Edit: Stupid your, you're. grammer grammer
 
jmstacey said:
Unfortunately I never made it, just an idea. I put it on the backburner since there didn't seem much interest.

I might be able to whip something up for you later this evening however I would suggest seeing what your DC could do first. But if your still desperate drop me a line (PM or [email protected])

The people at the datacenter cannot get a monitor on the server. It gives no screen. The only option is a reboot, I think.

Only that's not an option because many sites are running on the server and uptime is more than 300 days; I don't think the server will boot up again.

At the moment we are transferring all sites to the new servers, only with no ssh that is a problem.
 
You've shown us a very good reason why we should always run telnet, on a non-standard port, and only open to our own static IP#.

Jeff
 
And either our own staff physically in the DC or the DC's own staff that actually know what they're doing...
 
KVM and personnel of the datacenter are not an option.

All of our servers hang in our own datacenter, only not this one.

Does nobody have a solution? A plugin or hidden DirectAdmin API command to reset the config file to default?
 
KVM and personnel of the datacenter are not an option.
You're telling me the DC staff won't help either...?

All of our servers hang in our own datacenter, only not this one.
That's rather suspicious...

Does nobody have a solution? A plugin or hidden DirectAdmin API command to reset the config file to default?
None at the moment. I can always do a custom job for you through the plugin system, but I thought you were moving to a new server?
 
Should I deny admin user from SSH? :

Code:
# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
AllowUsers admin
 
/etc/ssh/sshd_config is in the file editor in the admin section.

If it is the corrupted file you should be able to edit it directly from DirectAdmin.

Regards
 
If root is denied ssh login (default on some OSes) then one non-root user will need access to ssh.
 
Well he had

#PermitRootLogin yes

So root can't connect using ssh, and had AllowUsers admin enabled so the admin user can log in to ssh; I don't see anything wrong with it.

Regards
 
Thanks but I don't mean root user.
I want to know if deleting this line "AllowUsers admin" will cause any problem on DA, because this is the admin user of DA, and I guess DA uses this for updates or something like this.
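
An added example, not part of the thread: sshd ignores commented-out lines, keeps the first value it reads for a keyword such as PermitRootLogin, and treats every AllowUsers line as an addition to one allow-list. The sketch below (function names are assumptions) evaluates only those two directives for a given user, so the effect of deleting an AllowUsers line can be checked on a copy of the file before the live one is touched.

```shell
#!/bin/sh
# Added example: evaluates only AllowUsers and PermitRootLogin from an sshd_config.
# Assumptions: plain user names only (no wildcards or user@host patterns);
# DenyUsers, AllowGroups/DenyGroups and Match blocks are not evaluated.

# ssh_user_allowed FILE USER -> exit 0 if USER passes both directives, 1 if not.
ssh_user_allowed() {
    awk -v user="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # commented-out lines are not settings
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "match" { exit }                  # stop before conditional blocks
        key == "allowusers" {                    # every AllowUsers line extends one list
            restricted = 1
            for (i = 2; i <= NF; i++) if ($i == user) listed = 1
        }
        key == "permitrootlogin" && !seen_prl {  # first value read wins
            seen_prl = 1
            prl = tolower($2)
        }
        END {
            if (restricted && !listed) exit 1    # an allow-list exists and USER is not on it
            if (user == "root" && prl == "no") exit 1
            exit 0
        }
    ' "$1"
}

# access_report FILE USER... -> one "user: allowed|DENIED" line per user.
access_report() {
    f=$1
    shift
    for u in "$@"; do
        if ssh_user_allowed "$f" "$u"; then
            echo "$u: allowed"
        else
            echo "$u: DENIED"
        fi
    done
}

# Usage: grep -v '^AllowUsers admin$' /etc/ssh/sshd_config > /tmp/sshd_config.test
#        access_report /tmp/sshd_config.test root admin
```

With the sshd_config posted earlier in the thread, which also carries "AllowUsers root", removing the "AllowUsers admin" line leaves root as the only name on the allow-list.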
 