dev-sec / chef-ssh-hardening

This chef cookbook provides secure ssh-client and ssh-server configurations.
http://dev-sec.io/
Apache License 2.0

check the sshd config before sshd restart #215

Open artem-sidorenko opened 5 years ago

artem-sidorenko commented 5 years ago

We should check the sanity of sshd config before we restart sshd

fmietka commented 5 years ago

Hello,

I am attempting to utilize this in one of my cookbooks and am failing during an sshd restart. My issue is the same as: https://github.com/TalkingQuickly/rails-server-template/issues/11

That issue is from 2014 but maybe it has something to do with the version of Ubuntu I am using (18.04). Here is the error:

Recipe: ssh-hardening::server

Exact error in code:

FATAL: Mixlib::ShellOut::ShellCommandFailed: service[sshd] (ssh-hardening::server line 136) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of /bin/systemctl --system restart ssh ----

Cheers,

Filip M

artem-sidorenko commented 5 years ago

@fmietka after this failure, can you invoke `journalctl -u sshd` and check the output? Usually this is related to some syntax error within the ssh configuration options. Did you set any custom attributes?

fmietka commented 5 years ago

Hi @artem-sidorenko, since the cookbook fails on ssh-hardening, I actually can't ssh into the box at all and run that command unfortunately. Here are the attributes we are defining in our default.rb:

default['ssh-hardening']['ssh']['server']['mac']
default['ssh-hardening']['ssh']['server']['cipher']
default['ssh-hardening']['ssh']['server']['extras']

When I comment them out then the cookbook works. Not really sure why we had those in there in the first place. Do you recommend leaving those defaulted (aka "nil")? Where can I find some examples of what those can be set to. There must have been something wrong with one of them. Thanks for that catch!

Cheers,

Filip M

artem-sidorenko commented 5 years ago

@fmietka if you open the ssh session prior to the deployment, you still should be able to have/keep access. sshd restart applies only to the new sessions and the old sshd forked processes keep running till the end.

Regarding the defaults: they depend on the OpenSSH version and distro. You can have a look at https://github.com/dev-sec/chef-ssh-hardening/blob/master/libraries/devsec_ssh.rb , this library provides the corresponding defaults.

fmietka commented 5 years ago

@artem-sidorenko so I used the defaults for mac and cipher and it converged successfully. When I ran a "journalctl -u sshd" it did not find any entries. However when I ran a "journalctl -u ssh" it returned my user request to ssh into the box. Was the "journalctl -u sshd" supposed to have " ---No Entries---"?

Additionally we are setting this attribute which i believe is causing the confusion above: default['ssh_service'] = platform_family?('suse', 'rhel') ? 'sshd' : 'ssh'

artem-sidorenko commented 5 years ago

@fmietka my bad, the service name on ubuntu is ssh. So everything looks good. Your problem is related to the ciphers/macs, some syntax error or not supported configuration
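What the issue asks for, as an added example: a POSIX shell script (not code from chef-ssh-hardening or from either commenter) that checks a candidate sshd_config before the running service is restarted, so a bad `Ciphers` or `MACs` value fails the deploy with a readable message instead of a failed `systemctl restart`. It uses two OpenSSH facilities that exist on Ubuntu 18.04's OpenSSH 7.6: `sshd -t -f FILE` (test mode, which parses the file and validates every option) and `ssh -Q cipher` / `ssh -Q mac` (list the algorithms this build supports). The function and file names, the `/etc/ssh/sshd_config` target, systemd, and running as root (sshd's test mode needs to read the host keys) are assumptions of the example. The supported-algorithm list is passed in as a parameter so the comparison can be exercised offline with a constructed list.

```shell
#!/bin/sh
# Added example, not part of chef-ssh-hardening: validate a candidate
# sshd_config before installing it and restarting sshd.

# Print the comma-separated algorithms in $1 (sshd_config syntax) that do not
# appear in $2 (newline-separated, the format `ssh -Q <type>` prints).
# Pure string processing so it can be tested without an OpenSSH binary.
unsupported_algos() {
  requested=$1
  supported=$2
  missing=$(printf '%s\n' "$requested" | tr ',' '\n' | while IFS= read -r algo; do
    [ -n "$algo" ] || continue
    # Exact whole-line match, so "aes128-ctr" does not satisfy "aes128-cbc".
    printf '%s\n' "$supported" | grep -qx -- "$algo" || printf '%s,' "$algo"
  done)
  printf '%s' "${missing%,}"
}

# Print the value of keyword $1 (case-insensitive, e.g. Ciphers, MACs) from
# sshd_config file $2. sshd uses the first occurrence, so we stop at the first.
config_value() {
  awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Compare the Ciphers and MACs lines of config file $1 against what the local
# OpenSSH build supports. Returns 1 and names the offenders if any are unknown.
check_config_algorithms() {
  cfg=$1
  rc=0
  for pair in "Ciphers cipher" "MACs mac"; do
    keyword=${pair% *}
    qtype=${pair#* }
    requested=$(config_value "$keyword" "$cfg")
    [ -n "$requested" ] || continue
    bad=$(unsupported_algos "$requested" "$(ssh -Q "$qtype")")
    if [ -n "$bad" ]; then
      echo "$keyword: not supported by this OpenSSH build: $bad" >&2
      rc=1
    fi
  done
  return $rc
}

# Install candidate config $1 and restart the service only if both checks pass.
# $2 is the unit name: 'ssh' on Debian/Ubuntu, 'sshd' on RHEL/SUSE (assumed).
# On failure the live /etc/ssh/sshd_config is left untouched.
safe_sshd_restart() {
  candidate=$1
  service=${2:-ssh}
  check_config_algorithms "$candidate" || return 1
  if ! sshd -t -f "$candidate"; then
    echo "refusing to restart $service: sshd -t rejected $candidate" >&2
    return 1
  fi
  install -m 0600 "$candidate" /etc/ssh/sshd_config
  systemctl restart "$service"
}

# Usage (as root):  safe_sshd_restart /etc/ssh/sshd_config.new ssh
```

`sshd -t` alone would already reject an unknown cipher ("Bad SSH2 cipher spec"), so the `ssh -Q` comparison mainly exists to say which name is wrong. Neither check protects against a config that parses but locks you out (a bad `AllowUsers`, for instance), which is why the advice above to keep an existing session open still applies; `sshd -T -f FILE` prints the effective values if you want to eyeball those too.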

fmietka commented 5 years ago

@artem-sidorenko Thank you sir, I appreciate the help!