[OpenIndiana-discuss] Heads up OpenSSH config change
Marcel Telka
marcel at telka.sk
Wed Oct 16 10:05:37 UTC 2024
On Wed, Oct 16, 2024 at 11:35:20AM +0200, Stephan Althaus wrote:
> On 10/15/24 10:29, Till Wegmüller wrote:
> > The reason for this config change is that we had differing behaviour
> > on our OS for how ListenAddress works compared to what you find on the
> > internet. We do not know what introduced this behaviour in the past, but
> > it seems to have been fixed upstream. We thus make sure OpenSSH behaves
> > as people expect it to when changing the config.
>
> There is more to check with the config, just in case someone stumbles...
>
>
> [ Oct 16 11:29:35 Executing start method ("/lib/svc/method/sshd start"). ]
> /etc/ssh/sshd_config line 85: Deprecated option ServerKeyBits
> /etc/ssh/sshd_config line 90: Deprecated option KeyRegenerationInterval
> /etc/ssh/sshd_config: line 103: Bad configuration option: MaxAuthTriesLog
> /etc/ssh/sshd_config line 132: Deprecated option RhostsAuthentication
> /etc/ssh/sshd_config line 138: Deprecated option RhostsRSAAuthentication
> /etc/ssh/sshd_config line 145: Deprecated option RSAAuthentication
> /etc/ssh/sshd_config: terminating, 1 bad configuration options
>
> After commenting them out with a # in front, the ssh service is running.
This happens when you:
1) installed openssh a long time ago, and
2) edited /etc/ssh/sshd_config.
Both are common, and #2 is unfortunate. It basically means that people
usually run sshd with an outdated configuration. Most distributions
have already noticed this and solved it; for example, Rocky Linux 9 does this:
$ grep -i include /etc/ssh/sshd_config
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
$
This is also the case with our HPN-SSH:
$ grep -i include /etc/hpnssh/sshd_config
# Include configuration snippets with sshd_config customizations.
Include /etc/hpnssh/sshd_config.d/*.conf
$
HPN-SSH is (almost) a drop-in replacement for OpenSSH. It is
actually a patched OpenSSH with a few performance improvements. The
main visible difference is that it listens on port 2222 by default
instead of 22.
I run it as the primary production sshd on hundreds of machines and as a
backup sshd on a few others, so in case the primary (open)sshd fails I am
still able to log in remotely.
Please note that it is strongly discouraged to manually edit
/etc/hpnssh/ssh_config and /etc/hpnssh/sshd_config files. All changes
there will be lost on the next update (this is by design). The
configuration changes are done via config snippets in
/etc/hpnssh/ssh_config.d and /etc/hpnssh/sshd_config.d respectively.
Regards.
--
+-------------------------------------------+
| Marcel Telka e-mail: marcel at telka.sk |
| homepage: http://telka.sk/ |
+-------------------------------------------+
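The failure quoted above (sshd refusing to start because an old, hand-edited sshd_config still carries options the new release rejects) can be caught before the restart. The script below is an added example, not code from this thread or from the OpenIndiana or HPN-SSH projects: it scans an sshd_config, and every file pulled in by its Include directives, for the keywords that appear in the quoted error output, and can write a copy with those lines commented out, which is the fix Stephan applied. The keyword list is an assumption drawn only from the errors quoted in the thread; extend it for your release. The sample config and snippet directory are constructed in a temporary directory; the authoritative check on a real host remains `sshd -t`.

```shell
#!/bin/sh
# Added example, not code from the OpenIndiana post or project: a pre-flight
# scan for sshd_config keywords that current OpenSSH rejects, run before a
# restart so the service is not left down after an update. The keyword list
# is the set of options in the errors quoted in the thread (an assumption;
# extend it for your release). The sample config and snippet directory below
# are constructed here, in a temp dir.

# Keywords from the quoted "Deprecated option" / "Bad configuration option" errors.
DEPRECATED_KEYS="ServerKeyBits KeyRegenerationInterval MaxAuthTriesLog RhostsAuthentication RhostsRSAAuthentication RSAAuthentication"

# Print "<line>:<Keyword>" for every active line of $1 whose keyword is in
# DEPRECATED_KEYS. Comments and blank lines are skipped; keywords compare
# case-insensitively and the "Key=Value" form is accepted, as in sshd's parser.
scan_sshd_config() {
    awk -v keys="$DEPRECATED_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) bad[tolower(k[i])] = k[i] }
        $0 ~ /^[ \t]*#/ || NF == 0 { next }
        { key = tolower($1); sub(/=.*/, "", key)
          if (key in bad) print NR ":" bad[key] }
    ' "$1"
}

# Scan $1 plus every file pulled in by its Include directives (glob expanded,
# as sshd does), prefixing each hit with the file it came from.
scan_tree() {
    scan_sshd_config "$1" | sed "s|^|$1:|"
    awk 'tolower($1) == "include" { for (i = 2; i <= NF; i++) print $i }' "$1" |
    while read -r pat; do
        for f in $pat; do
            if [ -f "$f" ]; then scan_sshd_config "$f" | sed "s|^|$f:|"; fi
        done
    done
}

# Succeed only when the whole tree is clean; mirrors sshd's "terminating,
# N bad configuration options" without needing sshd installed.
check_sshd_config() {
    [ "$(scan_tree "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Copy $1 to $2 with every flagged line commented out: the fix applied in the
# thread. Included snippets are left alone; review the diff before installing.
comment_out_deprecated() {
    lines=$(scan_sshd_config "$1" | cut -d: -f1 | tr '\n' ' ')
    awk -v lines="$lines" '
        BEGIN { n = split(lines, l, " "); for (i = 1; i <= n; i++) hit[l[i]] = 1 }
        (NR in hit) { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# --- constructed sample: an sshd_config edited years ago, plus a snippet dir ---
WORK=$(mktemp -d)
mkdir -p "$WORK/sshd_config.d"
SAMPLE="$WORK/sshd_config"
FIXED="$WORK/sshd_config.new"
cat > "$SAMPLE" <<EOF
# Include first: sshd keeps the first value it sees for a keyword, so
# snippets placed here override the defaults that follow.
Include $WORK/sshd_config.d/*.conf
Port 22
#ServerKeyBits 1024
ServerKeyBits 1024
KeyRegenerationInterval 1h
MaxAuthTriesLog 3
RhostsAuthentication no
rhostsrsaauthentication no
RSAAuthentication yes
PermitRootLogin no
EOF
# A local customization kept in a snippet (survives package updates); it
# deliberately carries one bad option so the snippet scan is exercised too.
printf 'PermitRootLogin prohibit-password\nMaxAuthTriesLog 5\n' > "$WORK/sshd_config.d/50-local.conf"

echo "Flagged before fix:"
scan_tree "$SAMPLE"
comment_out_deprecated "$SAMPLE" "$FIXED"
echo "Flagged after fix (only the main file was rewritten; the snippet still needs attention):"
scan_tree "$FIXED"
```

Run it on a real host as `scan_tree /etc/ssh/sshd_config` (or the HPN-SSH path) before `svcadm restart ssh`; a non-empty result means the restart will fail the same way the quoted log shows. The Include line is placed first in the sample on purpose: sshd uses the first value it obtains for a keyword, so snippets only override the base file when they are read before it, which is also where Rocky Linux and HPN-SSH put the directive.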