sshd_config: Match user conflicts with AllowUsers

Jan_E (Verified User, joined Apr 29, 2011, 132 messages, Amsterdam, NL, EU)
In the standard DA setup, new SSH users are appended to the end of /etc/ssh/sshd_config. However, if you want to use Match User, this directive also has to be at the end of sshd_config. I wanted to grant password authentication to only a few users:
Code:
PasswordAuthentication no
Match User newuser99
    PasswordAuthentication yes
I can add this to the end of sshd_config, restart sshd and it seems OK.

But when you add a new user with SSH access, sshd does not restart. Error message:
Code:
[root@vps2 ~]# service sshd restart && service sshd status
Stopping sshd:                                             [OK]
Starting sshd: /etc/ssh/sshd_config line 158: Directive 'AllowUsers' is not allowed within a Match block
The only way to prevent this seems to be to change
Code:
sshdconfig=/etc/ssh/sshd_config
in directadmin.conf into
Code:
sshdconfig=/etc/ssh/sshd_config.placebo
so Directadmin will not generate an sshd_config with errors in it.

The big disadvantage: you cannot use the DA interface anymore to manage SSH access. Can this be changed?
 
You can use the user_modify_post script in /usr/local/directadmin/scripts/custom to 'fix' it.

Use something like:

file: user_modify_post.sh

#!/bin/sh

# DirectAdmin exports the user's settings to this hook as environment
# variables; ${ssh} is "ON" when the account has SSH access and
# ${username} is the account being modified.
if [ "${ssh}" = "ON" ]; then
    # From the first 'Match' line up to the 'AllowUsers <username>' line:
    # stash the Match line in the hold space (h;d), append every following
    # line to it (H;d), and when the AllowUsers line is reached, print it
    # followed by the stashed Match block (G;b). Net effect: the AllowUsers
    # line is moved to just before the Match block.
    /bin/sed "/Match/,/AllowUsers ${username}/{/AllowUsers ${username}/{G;b};/Match/{h;d};H;d}" /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
    mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
    service sshd restart
fi

Maybe you need to tune it a little bit for your specific environment (think chmodding the new file etc.) but this will delete the 'AllowUsers <username>' and reinsert it before the 'Match' line. Then restart the sshd daemon.

Hope it helps.
 
Something similar was suggested here:
https://forum.directadmin.com/showthread.php?t=27024&p=135912#post135912

I really hesitate to do that. If this fails for one reason or another, the ssh daemon will fail to start and I will be locked out of the system. The Directadmin binary will never be locked out, because it is running on that system. DA has the means to rewrite the sshd_config, check if sshd restarts and put the old config back in case sshd does not restart. I would rather not script this myself.
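The two concerns raised so far (moving the appended AllowUsers line back in front of the Match block, and not handing sshd a config it will refuse) can be covered in one hook. The following is an added example, not DirectAdmin's code and not the script from the earlier reply; it assumes the same ${ssh}/${username} environment that DirectAdmin passes to user_modify_post.sh, and it generalizes the sed one-liner to any number of AllowUsers lines that ended up after the first Match line. The sample sshd_config it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example: reorder AllowUsers lines ahead of the first Match block and
# install the result only after `sshd -t` has accepted it.

# Constructed sample of what DirectAdmin leaves behind: the new user's
# AllowUsers line is appended after the Match block, which sshd rejects.
make_sample() {
    cat > "$1" <<'EOF'
PasswordAuthentication no
AllowUsers admin
Match User newuser99
    PasswordAuthentication yes
AllowUsers newuser99
EOF
}

# reorder_allowusers FILE: print FILE with every AllowUsers line found at or
# after the first Match line moved to just before that Match line. Two passes
# over the same file: the first collects the misplaced lines, the second
# emits the file with them relocated.
reorder_allowusers() {
    awk '
        NR == FNR {                       # pass 1: collect
            if ($1 == "Match") in_match = 1
            if (in_match && $1 == "AllowUsers") moved[++n] = $0
            next
        }
        $1 == "Match" && !inserted {      # pass 2: insert before first Match
            for (i = 1; i <= n; i++) print moved[i]
            inserted = 1
        }
        inserted && $1 == "AllowUsers" { next }   # drop the originals we moved
        { print }
    ' "$1" "$1"
}

# install_if_valid NEW TARGET: replace TARGET with NEW only if sshd's own
# syntax check passes, keeping TARGET.bak so a bad file never reaches the
# running daemon. When sshd is absent (e.g. a test box) the check is skipped.
install_if_valid() {
    new="$1"; target="$2"
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$new" || { echo "refusing to install: sshd rejected $new" >&2; return 1; }
    else
        echo "sshd not found; skipping syntax check (assumed test environment)" >&2
    fi
    cp -p "$target" "$target.bak" 2>/dev/null || true
    mv "$new" "$target"
}

# Hook body as it would run under DirectAdmin (assumed variables ${ssh},
# ${username}); only active when invoked with ssh=ON.
if [ "${ssh:-}" = "ON" ]; then
    cfg=/etc/ssh/sshd_config
    reorder_allowusers "$cfg" > "$cfg.tmp" && chmod 600 "$cfg.tmp"
    install_if_valid "$cfg.tmp" "$cfg" && service sshd restart
fi
```

Because `sshd -t -f` reads the candidate file rather than the live one, a typo in the Match block is caught while the old config is still in place and the daemon is still running; the hook only restarts sshd after the check passes.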
 
If this fails for one reason or another, the ssh daemon will fail to start and I will be locked out of the system.

There is always a chance to rewrite/modify/recover /etc/ssh/sshd_config via the Directadmin file editor.
 
Yes, it is:

Admin level in Directadmin -> "File Editor" under section "Admin tools" -> Select a file to edit "/etc/ssh/sshd_config"

You will need to unlock the file with root's password.

See "This file is tagged as secure. Root password required to edit"


"Service Monitor" at admin level can be used to restart SSHd.
 
I think your best bet is to put this on the last two lines of /etc/ssh/sshd_config:

Match All
AllowUsers DoesNotHaveToExist

This ends the previous Match block and allows DirectAdmin to (stupidly!) append new AllowUsers lines to the end of the file,
instead of appending it to (an) existing AllowUsers line.
 
I discovered the system on hand uses an older OpenSSH which does not support

Match All

but hey, it *does* support

Match

YMMV
 