sshd overrides from /etc/ssh/sshd_config.d/*conf apply in reverse lexicographic order
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
I am looking at the addition of 'Include /etc/ssh/
Steps to reproduce on focal with openssh-server 1:8.2p1-4:
1. Create the following files in /etc/ssh/
40-cloudimg-
ClientAliveIn
PasswordAuthe
PermitRootLogin no
50-cloudimg-
ClientAliveIn
PermitRootLogin yes
60-cloudimg-
ClientAliveIn
2. Check what sshd thinks the values will be with 'sshd -T|grep -i clientaliveinte
clientaliveinterval 110
permitrootlogin no
(The tuning I cared about was ClientAliveInterval for my work but PermitRootLogin is easier to demonstrate)
3. Run '/usr/sbin/sshd -ddd' to check debug output for config file parsing behavior:
debug2: load_server_config: filename /etc/ssh/
debug2: load_server_config: done config len = 296
debug2: parse_server_
debug2: /etc/ssh/
debug2: /etc/ssh/
debug2: load_server_config: filename /etc/ssh/
debug2: load_server_config: done config len = 71
debug2: parse_server_
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug2: /etc/ssh/
debug2: load_server_config: filename /etc/ssh/
debug2: load_server_config: done config len = 46
debug2: parse_server_
debug3: /etc/ssh/
debug3: /etc/ssh/
debug2: /etc/ssh/
debug2: load_server_config: filename /etc/ssh/
debug2: load_server_config: done config len = 25
debug2: parse_server_
debug3: /etc/ssh/
4. Set a root password and unlock the account.
5. Attempt to ssh as root to the instance with a password.
Observation:
* Root password login is denied if PermitRootLogin is 'no' in 40-foo.conf and 'yes' in 50-foo.conf
* Root password login is allowed if PermitRootLogin is 'yes' in 40-foo.conf and 'no' in 50-foo.conf
It appears in 'sshd -ddd' output that files are parsed in lexicographic order (40-foo.conf before 50-foo.conf), but the behavior observed indicates that the value set in 40-foo.conf overrides 50-foo.conf, which is counter to expectations.
Changed in openssh (Ubuntu):
status: New → Confirmed
tags: added: id-5e8f290ae612a06a768e6d7b
This is intentional and documented on the part of upstream, and this behaviour is why I include sshd_config.d at the start of sshd_config rather than the end. Yes, it's arguably counter-intuitive; no, there isn't much I can do about it. sshd_config(5) says in the first paragraph of its description:
"For each keyword, the first obtained value will be used."
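A small model of the two rules the reply relies on, added here as an example that is not part of the bug report or of OpenSSH's code: Include expands its glob in lexicographic order, and for each keyword the first value obtained is kept, so a 40-foo.conf beats a 50-foo.conf, and an Include placed after a setting in sshd_config cannot change that setting at all. The file tree is constructed in memory (names 40-foo.conf/50-foo.conf come from the report's Observation section); Match blocks, '=' separators and quoting are ignored.

```python
import fnmatch

DROPIN_GLOB = "/etc/ssh/sshd_config.d/*.conf"


def effective_config(files: dict[str, str], main_path: str = "/etc/ssh/sshd_config") -> dict[str, str]:
    """Resolve keyword -> value as sshd_config(5) describes: Include expands its
    glob in sorted (lexicographic) order, and the first value seen for a keyword
    is the one used. `files` maps path to contents and stands in for the real
    filesystem. This is a simplified model, not OpenSSH's parser: Match blocks,
    '=' as a separator and quoting are not handled."""
    result: dict[str, str] = {}

    def walk(path: str) -> None:
        for raw in files[path].splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            keyword, _, value = line.partition(" ")
            keyword = keyword.lower()  # sshd keywords are case-insensitive
            if keyword == "include":
                # glob(3) returns matches sorted, so drop-ins load in lexicographic order
                for match in sorted(p for p in files if fnmatch.fnmatch(p, value.strip())):
                    walk(match)
            elif keyword not in result:  # a later value never overrides an earlier one
                result[keyword] = value.strip()

    walk(main_path)
    return result


def build_tree(value_40: str, value_50: str, include_at_start: bool) -> dict[str, str]:
    """Constructed /etc/ssh stand-in: two drop-ins plus a main sshd_config whose
    Include line sits either before or after its own PermitRootLogin setting."""
    include = f"Include {DROPIN_GLOB}\n"
    own = "PermitRootLogin prohibit-password\n"
    return {
        "/etc/ssh/sshd_config": include + own if include_at_start else own + include,
        "/etc/ssh/sshd_config.d/40-foo.conf": f"PermitRootLogin {value_40}\n",
        "/etc/ssh/sshd_config.d/50-foo.conf": f"PermitRootLogin {value_50}\n",
    }


if __name__ == "__main__":
    for v40, v50, at_start in [("no", "yes", True), ("yes", "no", True), ("no", "yes", False)]:
        got = effective_config(build_tree(v40, v50, at_start))["permitrootlogin"]
        where = "start" if at_start else "end"
        print(f"40-foo.conf={v40} 50-foo.conf={v50} Include at {where}: permitrootlogin {got}")
```

The third case shows the point of keeping Include at the top of sshd_config: once the main file has set a keyword itself, a drop-in included afterwards is silently ignored for that keyword.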