#2362 Issue closed: Match section at the end of sshd_config prevents SSH root login

Labels: enhancement, bug, fixed / solved / done

OliverO2 opened issue at 2020-04-14 13:53:

  • ReaR version: Relax-and-Recover 2.5 / Git
  • System architecture: x86
  • Description of the issue:

If etc/ssh/sshd_config contains a Match section which is effective at the end of the file, patching will generate wrong results: E.g., skel/default/etc/scripts/run-sshd will append PermitRootLogin yes expecting it to be effective as a global setting. A Match section at EOF will render this ineffective, preventing an SSH root login on the rescue system.

Example:

Before patching by run-sshd:

[...]
Match User anoncvs
    PasswordAuthentication no
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
    ForceCommand cvs server

After patching by run-sshd:

[...]
Match User anoncvs
    PasswordAuthentication no
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
    ForceCommand cvs server
PermitRootLogin yes
ClientAliveInterval 0

In the latter case, PermitRootLogin yes and ClientAliveInterval 0 will only be effective if the user is anoncvs (which will never be the case on the rescue system).
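One way to keep such settings global, shown as an added example that is not part of the original issue and is not ReaR's code: place them before the first Match line instead of appending them at EOF. The function name `patch_sshd_global` and the sample configuration are constructed for illustration.

```shell
# Constructed sample: a global section followed by a Match block at EOF.
sample_config() {
    cat <<'EOF'
Port 22
PermitRootLogin no
Match User anoncvs
    PasswordAuthentication no
    ForceCommand cvs server
EOF
}

# patch_sshd_global CONFIG "Keyword value"...
# Prints CONFIG ("-" for stdin) with each setting placed in the global
# section, i.e. before the first Match line, so that a Match block at the
# end of the file cannot capture it.
patch_sshd_global() {
    local config="$1"; shift
    local settings
    settings="$(printf '%s\n' "$@")"
    SETTINGS="$settings" awk '
        BEGIN {
            n = split(ENVIRON["SETTINGS"], new, "\n")
            for (i = 1; i <= n; i++) {
                split(new[i], kv, " ")
                drop[tolower(kv[1])] = 1   # sshd keywords are case-insensitive
            }
        }
        function emit(   i) {
            for (i = 1; i <= n; i++) print new[i]
            done = 1
        }
        # The first Match line ends the global section: insert before it.
        !done && tolower($1) == "match" { emit() }
        # Drop older global values of the same keywords (sshd uses the first
        # value it obtains); lines inside Match blocks are left untouched.
        !done && (tolower($1) in drop) { next }
        { print }
        END { if (!done) emit() }          # no Match section: appending is safe
    ' "$config"
}

# Stand-alone demonstration on the constructed sample.
sample_config | patch_sshd_global - "PermitRootLogin yes" "ClientAliveInterval 0"
```

`sshd -T -f <file>` prints the effective configuration and can be used to confirm that the patched values apply globally.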

jsmeix commented at 2020-04-15 08:39:

@OliverO2
thank you for your elaborate explanation
which helps so much to easily understand what it is about.

jsmeix commented at 2020-04-15 14:39:

With https://github.com/rear/rear/pull/2363 merged
this issue is fixed.

@OliverO2
thank you for your valuable fix and enhancement
that makes ReaR work more fail safe!


[Export of Github issue for rear/rear.]