sshd_config changes not taking effect

hasdoe
Posts: 3
Joined: 2023/02/08 18:08:38

sshd_config changes not taking effect

Post by hasdoe » 2023/02/08 18:52:24

Hi,

sshd_config changes are not taking effect. I'm using CentOS 9 Stream. If I disable root, I can still log in as root.

[root@jt-server ssh]# sshd -T
port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam yes
logingracetime 120
x11displayoffset 10
x11maxdisplays 1000
maxauthtries 6
maxsessions 10
clientaliveinterval 601
clientalivecountmax 0
requiredrsasize 2048
streamlocalbindmask 0177
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
kerberosuniqueccache no
kerberosusekuserok yes
gssapienablek5users no
gssapiauthentication yes
gssapicleanupcredentials no
gssapikeyexchange no
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
gssapikexalgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
passwordauthentication yes
kbdinteractiveauthentication no
printmotd no
printlastlog yes
x11forwarding yes
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
compression yes
gatewayports no
usedns no
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding no
allowstreamlocalforwarding yes
streamlocalbindunlink no
fingerprinthash SHA256
exposeauthinfo no
pidfile /var/run/sshd.pid
modulifile /etc/ssh/moduli
xauthlocation /usr/bin/xauth
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
banner none
forcecommand none
chrootdirectory none
trustedusercakeys none
revokedkeys none
securitykeyprovider internal
authorizedprincipalsfile none
versionaddendum none
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedprincipalscommand none
authorizedprincipalscommanduser none
hostkeyagent none
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
casignaturealgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
hostbasedacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostkeyalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
pubkeyacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
loglevel INFO
syslogfacility AUTHPRIV
authorizedkeysfile .ssh/authorized_keys
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
allowusers hassam
authenticationmethods any
subsystem sftp /usr/libexec/openssh/sftp-server
maxstartups 10:30:100
persourcemaxstartups none
persourcenetblocksize 32:128
permittunnel no
ipqos af21 cs1
rekeylimit 0 0
permitopen any
permitlisten any
permituserenvironment no
pubkeyauthoptions none
[root@jenkins-server ssh]#

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: sshd_config changes not taking effect

Post by TrevorH » 2023/02/08 19:27:58

If I disable root, I can still login as root.
and yet your config file says


 permitrootlogin yes
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: sshd_config changes not taking effect

Post by jlehtone » 2023/02/08 22:56:41

hasdoe wrote:
2023/02/08 18:52:24
sshd_config changes not taking effect.
Do not edit the /etc/ssh/sshd_config.
Look at the conf-files in /etc/ssh/sshd_config.d/

Those files are read in lexicographical order before /etc/ssh/sshd_config,
and sshd uses the first occurrence of each value.
Therefore, to override PermitRootLogin, set it in, for example, /etc/ssh/sshd_config.d/00-my.conf

Did you select "Allow root log in with password" in the installer?
If yes, that did add a file in that directory that contains PermitRootLogin yes.
That file does not belong to any RPM package and overrides the default (PermitRootLogin prohibit-password).
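As an added illustration of the include order described above (example code, not from this thread or from OpenSSH itself): a small Python model of sshd's first-occurrence rule, run over a constructed file tree. The main file includes sshd_config.d/*.conf at the top as CentOS Stream 9 ships it; the drop-in file names other than 50-redhat.conf are assumptions.

```python
import fnmatch

# Constructed sample tree (not the poster's real files), modelled on CentOS Stream 9:
# the main file includes sshd_config.d/*.conf at the top, the admin has set
# PermitRootLogin no there, and an installer-style drop-in still says PermitRootLogin yes.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin no\n"
        "AllowUsers hassam\n"
    ),
    "/etc/ssh/sshd_config.d/50-redhat.conf": "SyslogFacility AUTHPRIV\nUsePAM yes\n",
    "/etc/ssh/sshd_config.d/01-permitrootlogin.conf": "PermitRootLogin yes\n",
}

def included_files(pattern, files):
    """Files matching an Include glob, in lexicographic order (the order sshd reads them)."""
    return sorted(path for path in files if fnmatch.fnmatch(path, pattern))

def effective_config(path, files, seen=None):
    """Map each keyword to (value, file that set it), following Include directives.

    Models sshd's rule for single-valued keywords: the first occurrence wins, and an
    Include is expanded at the point where it appears. Accumulating keywords (HostKey,
    repeated AllowUsers) and Match blocks are deliberately not modelled.
    """
    seen = {} if seen is None else seen
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive; sshd -T prints them lowercase
        value = parts[1] if len(parts) > 1 else ""
        if key == "include":
            for inc in included_files(value, files):
                effective_config(inc, files, seen)
            continue
        seen.setdefault(key, (value, path))  # a later occurrence never replaces an earlier one
    return seen

def with_override(files, name="00-my.conf", body="PermitRootLogin no\n"):
    """The fix suggested above: a drop-in that sorts first, so sshd sees its value first."""
    fixed = dict(files)
    fixed["/etc/ssh/sshd_config.d/" + name] = body
    return fixed

if __name__ == "__main__":
    for label, tree in (("as posted", SAMPLE_FILES), ("with 00-my.conf", with_override(SAMPLE_FILES))):
        value, src = effective_config("/etc/ssh/sshd_config", tree)["permitrootlogin"]
        print(f"{label}: permitrootlogin {value}  (from {src})")
```

Running it shows the posted tree resolving to permitrootlogin yes from the drop-in despite the no in the main file, and the same tree with 00-my.conf resolving to no.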

hasdoe
Posts: 3
Joined: 2023/02/08 18:08:38

Re: sshd_config changes not taking effect

Post by hasdoe » 2023/02/09 00:43:47

TrevorH wrote:
2023/02/08 19:27:58
If I disable root, I can still login as root.
and yet your config file says


 permitrootlogin yes
I changed it back to yes before pasting the file here.

hasdoe
Posts: 3
Joined: 2023/02/08 18:08:38

Re: sshd_config changes not taking effect

Post by hasdoe » 2023/02/09 00:45:01

jlehtone wrote:
2023/02/08 22:56:41
hasdoe wrote:
2023/02/08 18:52:24
sshd_config changes not taking effect.
Do not edit the /etc/ssh/sshd_config.
Look at the conf-files in /etc/ssh/sshd_config.d/

Those files are read in lexicographical order before /etc/ssh/sshd_config,
and sshd uses the first occurrence of each value.
Therefore, to override PermitRootLogin, set it in, for example, /etc/ssh/sshd_config.d/00-my.conf

Did you select "Allow root log in with password" in the installer?
If yes, that did add a file in that directory that contains PermitRootLogin yes.
That file does not belong to any RPM package and overrides the default (PermitRootLogin prohibit-password).
What about other changes I make to the /etc/ssh/sshd_config file that aren't being applied? Like allowing users.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: sshd_config changes not taking effect

Post by jlehtone » 2023/02/09 15:49:29

hasdoe wrote:
2023/02/09 00:45:01
What about other changes I make to the /etc/ssh/sshd_config file that aren't being applied? Like allowing users.
I already said not to make changes to /etc/ssh/sshd_config. Add them to separate file(s).
The reason is that /etc/ssh/sshd_config is supplied by an RPM package, and an update of the package may change that file.
If your changes are in that file, then merging the two sets of changes (yours and the package update) is not trivial.
Furthermore, it is much easier to see what customizations you have made when they are in a separate file.


The config that you did show has "allow users". That is not from defaults, so some of your changes have been applied.
You have to show the content of config files that is not applied.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: sshd_config changes not taking effect

Post by TrevorH » 2023/02/09 16:28:50

The reason is that the /etc/ssh/sshd_config is supplied by RPM package and update of the package may change that file.
It is marked as a config file in the rpm spec so should be safe but using separate files is a better way to do it in any case.

[root@rhel9 ~]# rpm -qc openssh-server
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/ssh/sshd_config.d/50-redhat.conf
/etc/sysconfig/sshd

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: sshd_config changes not taking effect

Post by jlehtone » 2023/02/10 08:33:36

True. RPM does handle config files neatly.

Besides, whether one has local customizations in the same or a separate file does not make a difference to the need to verify that the customizations remain appropriate after each update. (RHEL tries to avoid drastic changes within the life cycle of a major version.)

RHEL 9 is the first RHEL with /etc/ssh/sshd_config.d/. RHEL 8 already had /etc/ssh/ssh_config.d/.


Off-topic: We don't usually point out the "short" lifetime of CentOS Stream versions; they are bound to the full support phase of the RHEL -- about half of RHEL life cycle.
