Bug 29810

Summary: msec doesn't respect the structure of sshd_config
Product: Mageia Reporter: Dieter Schütze <dieter>
Component: RPM PackagesAssignee: Mageia tools maintainers <mageiatools>
Status: NEW --- QA Contact:
Severity: normal    
Priority: Normal CC: guillomovitch, yvesbrungard
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: msec-2.9-1.1.mga8.src.rpm CVE:
Status comment:

Description Dieter Schütze 2021-12-24 12:15:17 CET 
Description of problem:
msec wrote changes at the end of /etc/ssh/sshd_config and not in a file under /etc/ssh/sshd_config.d/

The instruction in the sshd_config is clear
-----------------------------------------------
# To modify the system-wide sshd configuration, create a  *.conf  file under
#  /etc/ssh/sshd_config.d/  which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
 -----------------------------------------------

Version-Release number of selected component (if applicable):
msec-2.9-1.1.mga8

How reproducible:


Steps to Reproduce:
1. With an untouched configuration of sshd. Change the entry of ALLOW_REMOTE_ROOT_LOGIN= in /etc/security/msec/level.standard to ALLOW_REMOTE_ROOT_LOGIN=without-password (or newer prohibit-password)
2. run msec
3. look in /etc/ssh/sshd_config at the end of the file there is the changed entry of msec an not in a file under /etc/ssh/sshd_config.d/
Comment 1 Lewis Smith 2021-12-26 21:16:11 CET 
Thank you for this report.
FWIW My own system, which does not use msec:
$ tree /etc/ssh/
/etc/ssh/
├── ssh_config
└── ssh_config.d
    └── 50-mageia.conf

Perhaps you could post your equivalent.

'msec' has no registered maintainer, and is done by various people, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Dieter Schütze 2021-12-26 22:16:46 CET 
(In reply to Lewis Smith from comment #1)
> Thank you for this report.
> FWIW My own system, which does not use msec:
> $ tree /etc/ssh/
> /etc/ssh/
> ├── ssh_config
> └── ssh_config.d
>     └── 50-mageia.conf
> 
> Perhaps you could post your equivalent.

first of all, I haven't written anything of ssh_config (the client config)
I wrote of the sshd_config (openssh-server).

And why don't msec use the 50-mageia.conf under /etc/ssh/sshd_config.d/ ?
Or make a xx-msec.conf
There are many ways.
I have my own 90-somename.conf and disabled the msec entries for sshd.
So that they no longer write in the original sshd_config until there is a solution.
Comment 3 papoteur 2022-04-19 07:39:08 CEST 
Hello Dieter,I can have a look
The rule to modify under /etc/ssh/sshd_config.d/ is not an absolute rule as it is written by Mageia packagers.
Thus I don't think it a problem. I wouldn't change that.
What is pertinent is the replacement of without-password by prohibit-password.
The option is configuration file is PermitRootLogin and can take these values: yes,no, prohibit-password, forced-commands-only
The last one isn't provided by msec and I wonder if this is of interest.
I add Guillomovitch to the report as he often maintain openssh.

CC: (none) => guillomovitch, yves.brungard_mageia

papoteur 2022-04-19 07:39:45 CEST

Assignee: pkg-bugs => mageiatools