sshd_config: Match user conflicts with AllowUsers

Jan_E

Verified User
Joined
Apr 29, 2011
Messages
130
Location
Amsterdam, NL, EU
In the standard DA setup new SSH-users are appended to the end of /etc/ssh/sshd_config. However if you want to use Match User, this directive also has to be at the end of sshd_config. I wanted to grant Password Authentication to only a few users:
Code:
PasswordAuthentication no
Match User newuser99
    PasswordAuthentication yes
I can add this to the end of sshd_config, restart sshd and it seems OK.

But when you add a new user with SSH access, sshd does not restart. Error message:
Code:
[root@vps2 ~]# service sshd restart && service sshd status
Stopping sshd:                                             [OK]
Starting sshd: /etc/ssh/sshd_config line 158: Directive 'AllowUsers' is not allowed within a Match block
The only way to prevent this seems to be to change
Code:
sshdconfig=/etc/ssh/sshd_config
in directadmin.conf into
Code:
sshdconfig=/etc/ssh/sshd_config.placebo
so Directadmin will not generate a sshd_config with errors in it.

The big disadvantage: you cannot use the DA interface anymore to manage SSH access. Can this be changed?
 

sysdev

Verified User
Joined
Jul 16, 2007
Messages
205
You can use the user_modify_post script in /usr/local/directadmin/scripts/custom to 'fix' it.

Use something like:

file: user_modify_post.sh

#!/bin/sh

if [ "${ssh}" = "ON" ]; then
/bin/sed "/Match/,/AllowUsers ${username}/{/AllowUsers ${username}/{G;b};/Match/{h;d};H;d}" /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
service sshd restart
fi

Maybe you need to tune it a little bit for your specific environment (think chmodding the new file etc) but this wil delete the 'AllowUsers <username>' and reinsert it before the 'Match' line. Then restart the sshd daemon.

Hope it helps.
 

Jan_E

Verified User
Joined
Apr 29, 2011
Messages
130
Location
Amsterdam, NL, EU
Something similar was suggested here:
https://forum.directadmin.com/showthread.php?t=27024&p=135912#post135912

I really hesitate to do that. If this fails for one or other reason, the ssh-daemon will fail to start and I will be locked out of the system. The Directadmin binary will never be locked out, because it is running on that system. DA has the means to rewrite the sshd_config, check if the sshd restarts and put the old config back in case sshd does noet restart. I would rather not script this myself.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
If this fails for one or other reason, the ssh-daemon will fail to start and I will be locked out of the system.
There always a chance to rewrite/modify/recover /etc/ssh/sshd_config via Directadmin file editor.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Yes, it is:

Admin level in Directadmin -> "File Editor" under section "Admin tools" -> Select a file to edit "/etc/ssh/sshd_config"

You will need to unlock the file with root's password.

See "This file is tagged as secure. Root password required to edit"


"Service Monitor" at admin level can be used to restart SSHd.
 

gait

New member
Joined
Jan 24, 2017
Messages
2
I think your best bet is to put this on the last two lines of /etc/ssh/sshd_config:

Match All
AllowUsers DoesNotHaveToExist

This ends the previous Match block and allows DirectAdmin to (stupidly!) append new AllowUsers lines to the end of the file,
in stead of appending it to (an) existing AllowUsers line.
 

gait

New member
Joined
Jan 24, 2017
Messages
2
I discovered the system on hand uses an older OpenSSH which does not support

Match All

but hey, it *does* support

Match

YMMV
 
Top