
Dealing with /etc/ssh/sshd_config.d/*.conf files #117

Closed
aleprovencio opened this issue Aug 14, 2023 · 5 comments · May be fixed by #124
@aleprovencio

Hi!
I have some machines on which cloud-init places a /etc/ssh/sshd_config.d/50-cloud-init.conf file with PasswordAuthentication yes, overriding what I have set via this role (PasswordAuthentication no).

Taking into consideration that in this particular case I must not instruct cloud-init to do otherwise, is there a recommended way of preventing this situation, or should I make an additional ansible task to remove the Include /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config?

@Oberfeldwedler

Oberfeldwedler commented Aug 24, 2023

I found a workaround, but it's not pretty. My approach was to override security_ssh_config_path with a file in /etc/ssh/sshd_config.d/.
This is surprisingly hard to accomplish, because the vars included by the task "Include OS-specific variables." have precedence over anything except extra vars passed directly on the command line.

I executed ansible-playbook -K --extra-vars security_ssh_config_path=/etc/ssh/sshd_config.d/49_ssh_hardening.conf main.yml

I also had to add create: true to the task "Update SSH configuration to be more secure.", which probably should have been there in the first place, because it is present in all of the following tasks.

I also don't get why I had to prefix the config file with a lower number instead of a higher one. Maybe somebody can shed some light on that, because I thought it would be read lexicographically.

In general I think moving all custom configuration into sshd_config.d/*.conf is the better approach. I'm however uncertain how to deal with existing config files.

This is how I am running right now: https://github.com/Oberfeldwedler/ansible-role-security/tree/move_config_to_sshd_config.d
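The ordering question above comes down to two rules from sshd_config(5): Include globs are expanded and read in sorted (lexicographic) order, and for each keyword the first obtained value is the one sshd uses. Because the Include line sits at the top of the main file, a drop-in that sorts before 50-cloud-init.conf wins, while one that sorts after it is ignored for any keyword cloud-init already set. The following Python model is an added example, not code from this role or from OpenSSH; it applies those two rules to a constructed in-memory set of files so the effect of a drop-in's file name can be checked without a live sshd. Match blocks, relative Include paths and the Key=value form are deliberately left out.

```python
"""Model of OpenSSH sshd keyword precedence across Include files.

Added example (not code from the role). Rules modelled, from sshd_config(5):
  * Include globs expand to their matches in sorted order.
  * For each keyword, the first obtained value is used.
Assumptions: no Match blocks, absolute Include paths only, whitespace-separated
keyword/value pairs.
"""
import fnmatch

# Constructed sample files (path -> content); not copied from any real host.
# The Include comes first, so drop-ins are read before the main file's own lines.
BASE_FILES = {
    "/etc/ssh/sshd_config": (
        "# main file written by the role\n"
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication no\n"
        "PermitRootLogin no\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def _expand_include(pattern, files):
    """Return the paths matching the glob, sorted the way glob(3) sorts them."""
    return sorted(p for p in files if fnmatch.fnmatchcase(p, pattern))


def _directives(path, files, seen):
    """Yield (keyword, value, source_path) in the order sshd reads them."""
    if path in seen:  # guard against a file that includes itself
        return
    seen.add(path)
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if keyword == "include":
            for included in _expand_include(value, files):
                yield from _directives(included, files, seen)
        else:
            yield keyword, value, path


def effective_config(files, root="/etc/ssh/sshd_config"):
    """Map keyword -> (value, source), keeping only the first obtained value."""
    result = {}
    for keyword, value, source in _directives(root, files, set()):
        result.setdefault(keyword, (value, source))
    return result


def with_drop_in(name, content, files=BASE_FILES):
    """Return a copy of files with an extra /etc/ssh/sshd_config.d/<name>."""
    extended = dict(files)
    extended["/etc/ssh/sshd_config.d/" + name] = content
    return extended


def password_auth(files):
    """Effective PasswordAuthentication value and the file it came from."""
    return effective_config(files)["passwordauthentication"]


if __name__ == "__main__":
    hardening = "PasswordAuthentication no\n"
    print("no drop-in      :", password_auth(BASE_FILES))
    print("49_ssh_hardening:", password_auth(with_drop_in("49_ssh_hardening.conf", hardening)))
    print("60_ssh_hardening:", password_auth(with_drop_in("60_ssh_hardening.conf", hardening)))
```

Run stand-alone, the three lines show cloud-init winning with no drop-in, the 49_ file winning because "49" sorts before "50", and the 60_ file losing because it is read after cloud-init's value is already fixed. On a real host the equivalent check is `sshd -T`, which prints the effective configuration after all Include processing, so the value of passwordauthentication in that output is what matters, not what any single file says.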

@aleprovencio

> In general I think moving all custom configuration into sshd_config.d/*.conf is the better approach. I'm however uncertain how to deal with existing config files.

Yeah, we can both agree on this; also, being able to configure the priority level of this file would be a nice touch.

Thanks for your effort delving into it :)

@d-tork

d-tork commented Nov 22, 2023

When I figured out why SSH was asking me for my password a lot, and when I intentionally left off my SSH key and found it would still let me in, this struck me as a huge vulnerability. Having used this role to configure multiple servers and thinking I had hardened SSH, only to find out that someone with merely the password and connection details could log in, I immediately corrected it with this change: b3866d5

I am trying to start a PR but unfortunately my fork is way beyond Jeff's repo with personal changes, and I wasn't set up to rebase on top of his quickly.

https://askubuntu.com/questions/1488130/what-is-the-use-of-setting-up-openssh-on-ubuntu-live-server-22-04/1488143#1488143
This Stack Overflow post mentions the cause and the corresponding bug.


This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@github-actions github-actions bot added the stale label Mar 22, 2024

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

@github-actions github-actions bot closed this as not planned May 24, 2024