invirt replaces sshd_config, locks everyone out of system
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Invirt Project | Won't Fix | Undecided | Unassigned | |
Bug Description
New invirt install. Invirt replaces sshd_config with a symlink to a new sshd_config file. In my / ismith's case, this caused us to be locked out of the system. I think this would also prevent inclusion into Debian. IMHO should just doc what changes are needed (and why) to a README.Debian file.
These are the differences between the working file and the file invirt installed.
root@bogomips:
--- sshd_config.
+++ sshd_config.invirt 2010-01-27 22:23:52.000000000 -0500
@@ -26 +26 @@
-PermitRootLogin without-password
+PermitRootLogin yes
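Review bot: at line 26 PermitRootLogin goes from without-password to yes, which lets root authenticate with a password wherever password or challenge-response authentication is enabled. If the package only needs GSSAPI logins for root, keep without-password, or document in the package why the wider setting is required.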
@@ -32 +31,0 @@
-AuthorizedKeysFile /var/lib/
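Review bot: the AuthorizedKeysFile line at old line 32 is removed with no replacement, so sshd falls back to its default per-user key location and keys kept only under the configured path are no longer read. Carry the existing AuthorizedKeysFile value into the new file, or have the install stop and ask when the current config sets one.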
@@ -48 +47 @@
-ChallengeRespo
+ChallengeRespo
@@ -60,2 +59,4 @@
-#GSSAPIAuthent
-#GSSAPICleanup
+GSSAPIAuthenti
+GSSAPIKeyExchange yes
+GSSAPIStrictAc
+GSSAPICleanupC
The major change that prevented all logins on the system is the loss of the line:
-AuthorizedKeysFile /var/lib/
I'm guessing that what invirt cares about is just the "GSSAPI" lines, so perhaps some sed or something could be used (but user should be prompted via IMHO).
Changed in invirt: status: New → Won't Fix
Ouch, sorry about that. Unfortunately, there isn't really a good way to do better than this. Your easiest solution is probably not to use the invirt-ssh-config package on your Invirt hosts; alternatively you could post-process the sshd_config in your install script.
If you look at the source of invirt-ssh-config, you'll see that we do in fact use sed to change only the lines we care about -- but we do this at build time, from the pristine upstream configuration file. It'd be a little worrying to try to write a sed script to work on the existing sshd_config on the system. That file could be in an arbitrary state, so it might be difficult or impossible to confirm that the output of the script was always a reasonable config file.
You probably saw this, but for readers of the bug thread: invirt-ssh-config leaves the original sshd_config present on the system, as /etc/ssh/sshd_config.invirt-orig. That file is restored as /etc/ssh/sshd_config if invirt-ssh-config is uninstalled.
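
A pre-install check for the lockout described in this thread, as an added example that is not part of the original report or of invirt-ssh-config: it compares the existing sshd_config with a replacement and lists access-related directives that would be dropped or changed. The sample configs and the `/var/lib/EXAMPLE/...` path are constructed, and the set of directives treated as access-related is an assumption.

```python
# Added example (not invirt code): report access-related sshd_config
# directives that a replacement file would drop or change.
import re
import sys

# Global directives that decide who can log in and how (keywords are case-insensitive).
ACCESS_KEYS = {"authorizedkeysfile", "permitrootlogin", "passwordauthentication",
               "pubkeyauthentication", "challengeresponseauthentication",
               "allowusers", "allowgroups", "denyusers", "denygroups"}
# "Keyword value" or "Keyword=value"; only the separator '=' is consumed.
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")

def parse(text):
    """Return {keyword: [values]} for directives above the first Match block."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else LINE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()
        if keyword == "match":
            break
        directives.setdefault(keyword, []).append(m.group(2).strip())
    return directives

def lost_access_settings(current_text, replacement_text):
    """List (keyword, old_values, new_values_or_None) for each difference."""
    old, new = parse(current_text), parse(replacement_text)
    return [(k, old[k], new.get(k)) for k in sorted(ACCESS_KEYS & old.keys())
            if old[k] != new.get(k)]

# Constructed sample files; the key path is a placeholder, not the reporter's.
CURRENT_CFG = """\
# site-local configuration
PermitRootLogin without-password
AuthorizedKeysFile /var/lib/EXAMPLE/%u/authorized_keys
ChallengeResponseAuthentication no
"""
REPLACEMENT_CFG = """\
PermitRootLogin yes
ChallengeResponseAuthentication no
GSSAPIKeyExchange yes
"""

if __name__ == "__main__":
    findings = lost_access_settings(CURRENT_CFG, REPLACEMENT_CFG)
    for key, was, now in findings:
        print(f"{key}: {was} -> {now if now is not None else 'REMOVED'}")
    sys.exit(1 if findings else 0)
```

Running `sshd -t -f` on the candidate file checks that it parses, but it cannot tell which local settings were dropped, which is the gap this comparison covers.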