Bug 29810 - msec doesn't respect the structure of sshd_config
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia tools maintainers
Reported: 2021-12-24 12:15 CET by Dieter Schütze
Modified: 2022-04-19 07:39 CEST
Source RPM: msec-2.9-1.1.mga8.src.rpm
Description Dieter Schütze 2021-12-24 12:15:17 CET
Description of problem:
msec wrote changes at the end of /etc/ssh/sshd_config and not in a file under /etc/ssh/sshd_config.d/

The instruction in the sshd_config is clear
-----------------------------------------------
# To modify the system-wide sshd configuration, create a  *.conf  file under
#  /etc/ssh/sshd_config.d/  which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
 -----------------------------------------------

Version-Release number of selected component (if applicable):
msec-2.9-1.1.mga8

How reproducible:


Steps to Reproduce:
1. With an untouched configuration of sshd. Change the entry of ALLOW_REMOTE_ROOT_LOGIN= in /etc/security/msec/level.standard to ALLOW_REMOTE_ROOT_LOGIN=without-password (or newer prohibit-password)
2. Run msec
3. Look in /etc/ssh/sshd_config: at the end of the file there is the changed entry of msec, and not in a file under /etc/ssh/sshd_config.d/
Comment 1 Lewis Smith 2021-12-26 21:16:11 CET
Thank you for this report.
FWIW My own system, which does not use msec:
$ tree /etc/ssh/
/etc/ssh/
├── ssh_config
└── ssh_config.d
    └── 50-mageia.conf

Perhaps you could post your equivalent.

'msec' has no registered maintainer, and is done by various people, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Dieter Schütze 2021-12-26 22:16:46 CET
(In reply to Lewis Smith from comment #1)
> Thank you for this report.
> FWIW My own system, which does not use msec:
> $ tree /etc/ssh/
> /etc/ssh/
> ├── ssh_config
> └── ssh_config.d
>     └── 50-mageia.conf
> 
> Perhaps you could post your equivalent.

First of all, I haven't written anything about ssh_config (the client config).
I wrote about the sshd_config (openssh-server).

And why doesn't msec use the 50-mageia.conf under /etc/ssh/sshd_config.d/?
Or make an xx-msec.conf.
There are many ways.
I have my own 90-somename.conf and disabled the msec entries for sshd.
So that they no longer write in the original sshd_config until there is a solution.
Comment 3 papoteur 2022-04-19 07:39:08 CEST
Hello Dieter, I can have a look.
The rule to modify under /etc/ssh/sshd_config.d/ is not an absolute rule, as it is written by Mageia packagers.
Thus I don't think it is a problem. I wouldn't change that.
What is pertinent is the replacement of without-password by prohibit-password.
The option in the configuration file is PermitRootLogin and it can take these values: yes, no, prohibit-password, forced-commands-only.
The last one isn't provided by msec and I wonder if this is of interest.
I add Guillomovitch to the report as he often maintains openssh.

CC: (none) => guillomovitch, yves.brungard_mageia

papoteur 2022-04-19 07:39:45 CEST

Assignee: pkg-bugs => mageiatools
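
An added example, not part of the bug thread or of msec: a sketch that resolves which PermitRootLogin line sshd would honour when one value sits in a drop-in and another is appended after the Include line, relying on the sshd_config(5) rule that the first value obtained for a keyword is used. The file contents, the in-memory file map and the function names are constructed assumptions; Match blocks are not evaluated (reading of a file stops at its first Match line).

```python
import fnmatch

# Constructed sample: the header of sshd_config quoted in the report, a drop-in
# like the reporter's 90-somename.conf, and a value appended at the end of the file.
SAMPLE = {
    "/etc/ssh/sshd_config": (
        "# To modify the system-wide sshd configuration, create a  *.conf  file under\n"
        "#  /etc/ssh/sshd_config.d/  which will be automatically included below\n"
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "Subsystem sftp internal-sftp\n"
        "PermitRootLogin prohibit-password\n"  # appended after the Include line
    ),
    "/etc/ssh/sshd_config.d/90-somename.conf": "PermitRootLogin no\n",
}

def read_order(path, files):
    """Yield (keyword, value, path, lineno) for global directives, in reading order."""
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            return  # simplification: conditional blocks are out of scope here
        if keyword == "include":
            # Included files are read at the position of the Include line,
            # glob matches in lexical order.
            for pattern in value.split():
                for inc in sorted(fnmatch.filter(files, pattern)):
                    yield from read_order(inc, files)
            continue
        yield keyword, value, path, lineno

def effective(keyword, files, main="/etc/ssh/sshd_config"):
    """Return (winner, shadowed): the first occurrence wins, later ones are ignored."""
    hits = [h for h in read_order(main, files) if h[0] == keyword.lower()]
    return (hits[0] if hits else None), hits[1:]

if __name__ == "__main__":
    winner, shadowed = effective("PermitRootLogin", SAMPLE)
    print("effective:", winner)
    for hit in shadowed:
        print("ignored:  ", hit)
```

On a live host, `sshd -T` prints the effective configuration and can confirm the result.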

