| Summary: | Confusing openssh-server config files re PAM authentification | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Guillaume Bedot <guillaume.bedot> |
| Component: | RPM Packages | Assignee: | Guillaume Rousse <guillomovitch> |
| Status: | NEW --- | QA Contact: | |
| Severity: | enhancement | ||
| Priority: | Normal | CC: | bruno, davidwhodgins |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | openssh-9.1p1-2.mga9 | CVE: | |
| Status comment: | |||
|
Description
Guillaume Bedot
2023-05-05 21:37:48 CEST
Thank you for the comment. Can you please post the relevant parts of:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/50-mageia.conf
to clarify what you are saying. Assigning this anyway to Guillaume, CC'ing Bruno, for OpenSSH.

Assignee: bugsquad => guillomovitch
Lewis Smith
2023-05-06 20:33:21 CEST
Summary: Confusing config files => Confusing OpenSSH config files re PAM authentification

Strange, but on an untinkered system both files do not contain any entry regarding PAM. Are you sure that you didn't modify these files yourself?
```
[cauldron@localhost ssh_config.d]$ cat /etc/ssh/ssh_config.d/50-mageia.conf
# The options here are in the "Match final block" to be applied as the last
# options and could be potentially overwritten by the user configuration
Match final all
# Follow system-wide Crypto Policy, if defined:
Include /etc/crypto-policies/back-ends/openssh.config
ForwardX11 yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Uncomment this if you want to use .local domain
# Host *.local
[cauldron@localhost ssh_config.d]$
```
```
[cauldron@localhost ssh]$ cat /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
#
# This system is following system-wide crypto policy.
# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
# file under /etc/ssh/ssh_config.d/ which will be automatically
# included below. For more information, see manual page for
# update-crypto-policies(8) and ssh_config(5).
Include /etc/ssh/ssh_config.d/*.conf
[cauldron@localhost ssh]$
```
In /etc/ssh/sshd_config it is written that a config file will modify the system-wide sshd configuration:

```
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
```

And /etc/ssh/sshd_config.d/50-mageia.conf contains:

```
UsePAM yes
X11Forwarding yes
```

So 50-mageia.conf is a config file which has higher priority than the contents in sshd_config.

Source RPM: openssh-9.1p1-2.mga9 => openssh-server-9.1p1-2.mga9
sturmvogel
2023-05-06 21:30:18 CEST
Source RPM: openssh-server-9.1p1-2.mga9 => openssh-9.1p1-2.mga9

Confirmed. Immediately after installing openssh-server ...

```
# grep -r PAM /etc/ssh/*
/etc/ssh/sshd_config:# Set this to 'yes' to enable PAM authentication, account processing,
/etc/ssh/sshd_config:# and session processing. If this is enabled, PAM authentication will
/etc/ssh/sshd_config:# PasswordAuthentication. Depending on your PAM configuration,
/etc/ssh/sshd_config:# PAM authentication via KbdInteractiveAuthentication may bypass
/etc/ssh/sshd_config:# If you just want the PAM account and session checks to run without
/etc/ssh/sshd_config:# PAM authentication, then enable this but set PasswordAuthentication
/etc/ssh/sshd_config:#UsePAM no
/etc/ssh/sshd_config.d/50-mageia.conf:UsePAM yes
```

Note that in /etc/ssh/sshd_config UsePAM is a comment that is supposed to be showing the default value, so in that aspect, it's correct, but since it's overridden in the config.d file, it's confusing to someone reading it.

Summary: Confusing OpenSSH config files re PAM authentification => Confusing openssh-server config files re PAM authentification

I'd add a comment to the end of /etc/ssh/sshd_config ...

```
#
# See /etc/ssh/sshd_config.d/* for current overrides to the above defaults.
#
```

This packaging change was introduced in October 2020, based on a similar change in Fedora. I guess the intent was just to make distribution-specific changes in default configuration files more explicit, with yet another override scheme. I'm not convinced of the interest, but I'm even more reluctant to change it now. Given there is already a comment at the beginning of the config file, I doubt adding another at the end of the file would really help. What would help, though, would be to get rid of the current comment (how one should manage its configuration is his business, after all), and instead document counter-intuitive ssh configuration processing behaviour (first found wins), as explained in the sshd_config(5) man page: "For each keyword, the first obtained value will be used."

1. To be honest, I was either playing lazy, or being tired and missed this line (or thought that was only for user supplied settings):

```
Include /etc/ssh/sshd_config.d/*.conf
```

One thing could be to add a comment before this line, to make the user check what's inside the folder.

2. The multi-line comment about the UsePAM / KeyboardInteractive could be clearer. I think I just didn't read it at the time anyway because it was too long.

Sorry for the noise, it's just my use case, and me being in a hurry or drunk or whatever. It's not an emergency matter. Just changing the comments to be clearer could be far enough.

It's not so confusing using systemd-analyze, options are shown in the right order:

```
systemd-analyze cat-config ssh/sshd_config
```
Confusing openssh-server config files re PAM authentification I'd add a comment to the end of /etc/ssh/sshd_config ... # # See /etc/ssh/sshd_config.d/* for current overrides to the above defaults. # This packaging change was introduced on october 2020, based on a similar change in Fedora. I guess the intent was just to make distribution-specific changes in default configuration files more explicit, with yet another override scheme. I'm not convinced of the interest, but I'm even more reluctant to change it now. Given there is already a comment at the beginning of the config file, I doubt adding another at the end of the file would really help. What would help, tough, would be to get rid of the current comment (how one should manage its configuration is his business, after all), and instead document counter-intuitive ssh configuration processing behaviour (first found wins), as explained in sshd_config(5) man page: For each keyword, the first obtained value will be used. 1. To be honest, i was either playing lazy, or being tired and missed this line (or thought that was only for user supplied settings) Include /etc/ssh/sshd_config.d/*.conf One thing could be to a comment before this line, to make the user check what's inside the folder 2. The multi-line comment about the UsePAM / KeyboardInteractive could be clearer. i think i just didn't read it at the time anyway because it was too long. Sorry for the noise, it's just my use case, and me being in a hurry or drunk or whatever. It's not an emergency matter. Just changing the comments to be clearer could be far enough it's not so confusing using systemd-analyse, options arez shown in the right order systemd-analyze cat-config ssh/sshd_config |