Bug #26499
Standard Rudder technique “SSH server (OpenSSH)” breaks SSH server if Match blocks exist in sshd_config
Description
sshd_config can end with Match blocks such as:

    # Additional Match Blocks
    Match User john,susie,jane,tom
        AllowTcpForwarding no
        X11Forwarding no
        PermitTTY yes

Such blocks do not “end” unless another such block begins.
Rudder standard technique “SSH server (OpenSSH)” appends defined global parameters at the end of the sshd_config file.
This causes the sshd daemon to fail restarting, as it considers these global parameters to be part of the previous “Match” block, which makes the configuration invalid.
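The scoping problem described above, as an added example (not part of the original ticket, not Rudder's technique code and not the change made in the pull request): `directive_scopes` shows which Match block each keyword falls under, and `add_global_directives` places new global settings before the first Match line instead of appending them. Both function names, the sample file and the `UsePAM yes` value are constructed for illustration.

```python
import re

# Constructed sample: a config whose last section is a Match block.
SAMPLE = """\
Port 22
PermitRootLogin no

# Additional Match Blocks
Match User john,susie,jane,tom
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY yes
"""

MATCH_RE = re.compile(r"^\s*Match\s", re.IGNORECASE)


def directive_scopes(text):
    """Return (keyword, scope) pairs; scope is 'global' or the Match line in effect."""
    scope, out = "global", []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if MATCH_RE.match(line):
            # A Match block runs until the next Match line or end of file.
            scope = " ".join(stripped.split())
            continue
        out.append((re.split(r"[\s=]", stripped, maxsplit=1)[0], scope))
    return out


def add_global_directives(text, directives):
    """Insert directives before the first Match line so they stay global."""
    lines = text.splitlines()
    first = next((i for i, l in enumerate(lines) if MATCH_RE.match(l)), len(lines))
    # Keep a comment header that sits directly above the Match line attached to it.
    while first > 0 and lines[first - 1].lstrip().startswith("#"):
        first -= 1
    return "\n".join(lines[:first] + list(directives) + [""] + lines[first:]) + "\n"


if __name__ == "__main__":
    # UsePAM is a keyword sshd does not accept inside a Match block.
    print(directive_scopes(SAMPLE + "UsePAM yes\n")[-1])
    print(add_global_directives(SAMPLE, ["UsePAM yes"]))
```

Running `sshd -t -f <candidate file>` on the generated file before restarting the daemon catches any remaining configuration error while the running server is still up.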
Updated by Michel BOUISSOU 16 days ago
By the way, this is contrary to “man sshd_config(5)” that states that global parameters after match blocks should make the server consider that the block ended.
But it doesn't work and, practically speaking, in such cases the sshd daemon just fails starting.
Updated by Nicolas CHARLES 9 days ago
- Assignee set to Elaad FURREEDAN
This ticket is tricky to fix, as it would need a total rewrite of the technique to fix this problem.
This might be fixable with the Augeas module.
As a workaround, we may document that we don't support Match User at the end of the file?
Updated by Nicolas CHARLES 9 days ago
- Priority changed from To review to 1 (highest)
- Effort required set to Very Small
Updated by Elaad FURREEDAN 9 days ago
- Status changed from In progress to Pending technical review
- Assignee changed from Elaad FURREEDAN to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1870
Updated by Anonymous 8 days ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-techniques|3815d5aa13d6bc0848f4df8e8faec4a90899d829.