omega8cc / boa

Barracuda Octopus Aegir 5.5.0-PRO
https://omega8.cc/compare

sshd failed to start after reboot 5.4.0-lts > 5.5.0-lts #1832

Open petrowsky opened 6 days ago

petrowsky commented 6 days ago

I've got a few older boa servers that have been dragged along over time (not even hosting drupal - just some vhosts) - this one is PRETTY old. I did an update today and sshd would not start.

Had to use the web console via my provider (linode) to get in.

The issue may be linked to this function.

https://github.com/omega8cc/boa/blob/74f2e6c434990997590a16011856537c60b2d024/lib/functions/system.sh.inc#L8257

I'm guessing at some point you went back to the default location for sshd files. Looks like /usr/etc was cleared out.

My default /etc/ssh/sshd_config had the following still enabled and were never commented out.

```
...
# HostKey for protocol version 1
#HostKey /usr/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/etc/ssh_host_rsa_key << Never commented out
HostKey /usr/etc/ssh_host_dsa_key << Same
#HostKey /usr/etc/ssh_host_ecdsa_key
#HostKey /usr/etc/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
...
```

sshd couldn't find the keys so...

```
Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config line 113: Directk
 failed!
```

Which was not the right error... but... sshd wouldn't start. This is probably an edge case as the server is quite old as you can see.

```
root@server: lt /var/backups/
-rw-------   1 root root   229K Nov 14  2012 barracuda-install-121114-1723.log
... MANY other updates ...
-rw-------   1 root root   4.7M Nov  9 13:12 barracuda-upgrade-241109-124503.log
```

Proof positive that your stack is solid! May not warrant a fix for scanning /etc/ssh/sshd_config but I thought I'd let you know.

petrowsky commented 6 days ago

Ok, update. I made an assumption it was the HostKey. Based on the line indication it was recent changes in sshd.

Found this.

I had a Match block and boa added the ending lines? Either way, the Match block has to be at the end or you need to use a Match all after your Match block. [Something BOA should consider?]

Previous

```
Match User user_name
  ChrootDirectory /path/location/%u
  ForceCommand internal-sftp
  AllowTCPForwarding no
  X11Forwarding no
  PasswordAuthentication yes
IgnoreUserKnownHosts no
PasswordAuthentication yes
UseDNS no
UsePAM no
PrintMotd yes
ClientAliveInterval 300
ClientAliveCountMax 10000
```

Fixed

```
Match User user_name
  ChrootDirectory /path/location/%u
  ForceCommand internal-sftp
  AllowTCPForwarding no
  X11Forwarding no
  PasswordAuthentication yes
Match all

IgnoreUserKnownHosts no
PasswordAuthentication yes
UseDNS no
UsePAM no
PrintMotd yes
ClientAliveInterval 300
ClientAliveCountMax 10000
```

This is what happens when you deviate from BOA defaults and use your server for other things. ;)
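
The behaviour described in the comment above, as an added example (not code from this thread or from BOA): every keyword after a `Match` line stays inside that block until the next `Match`, so global directives appended to a file that ends in a conditional `Match` either silently become conditional or, for keywords sshd only accepts at global scope, stop sshd from starting. The helpers below detect an open block, close it with `Match all` before appending, and flag global-only keywords that sit inside a block. The file paths in the test are temporary files, and the global-only keyword list is a subset of sshd_config(5), not the full set.

```shell
#!/usr/bin/env bash
# Added example, not BOA's code. Helpers for appending global directives to
# an sshd_config that may end inside a conditional "Match" block.
#
# sshd applies every keyword that follows a "Match" line only while that
# Match condition holds, until the next "Match" line. "Match all" ends the
# conditional section. Keywords sshd accepts only at global scope (UsePAM,
# UseDNS, Port, ...) inside a Match block make sshd refuse to start.
set -u

# Print "open" if the last Match line in $1 is conditional (anything other
# than "Match all"), "closed" if it is "Match all" or there is no Match.
# Comment lines never start with the bare word "match", so they are skipped.
last_match_state() {
    awk 'tolower($1) == "match" { open = !(tolower($2) == "all" && NF == 2) }
         END { print (open ? "open" : "closed") }' "$1"
}

# Append global directives read from stdin to $1. When the file currently
# ends inside a conditional Match block, write "Match all" first so the new
# lines stay global. Also guarantees a newline before appending.
append_global_directives() {
    local file=$1
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    if [ "$(last_match_state "$file")" = open ]; then
        printf '\nMatch all\n' >> "$file"
    fi
    cat >> "$file"
}

# Static check for one class of error sshd -t reports: global-only keywords
# (this list is a subset taken from sshd_config(5)) inside a conditional
# Match block. Prints one line per offending directive.
GLOBAL_ONLY='usepam usedns port listenaddress hostkey ignoreuserknownhosts printmotd'
directives_misplaced_in_match() {
    awk -v list="$GLOBAL_ONLY" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { next }
        { k = tolower($1) }
        k == "match" { inmatch = !(tolower($2) == "all" && NF == 2); next }
        inmatch && (k in bad) {
            print FILENAME ": line " NR ": " $1 " is not allowed within a Match block"
        }
    ' "$1"
}

# Syntax-check a candidate config before touching the live one. Returns
# sshd -t's status; when no sshd binary is on PATH (running offline, or as a
# user without /usr/sbin in PATH) it only prints a warning.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found on PATH; skipping sshd -t" >&2
    fi
}
```

Work on a copy (`cp /etc/ssh/sshd_config /tmp/sshd_config.new`), append with `append_global_directives /tmp/sshd_config.new`, run `directives_misplaced_in_match` and `validate_sshd_config` on the copy, and only then move it into place and restart; a restart that fails on a remote host means falling back to console access, as the report shows. `sshd -t` also loads the host keys, so it catches the missing-key problem from the first comment at the same time.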

petrowsky commented 6 days ago

Looks like both issues mattered. I enabled the older HostKey to see if sshd -t still threw an error or fell back to defaults. Yep - not happy.

```
Unable to load host key: /usr/etc/ssh_host_rsa_key
Unable to load host key: /usr/etc/ssh_host_dsa_key
sshd: no hostkeys available -- exiting.
```

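
A check for the host-key failure shown above, as an added example (not code from this thread or from BOA): sshd exits with "no hostkeys available" when none of the configured `HostKey` files can be loaded, so stale `HostKey /usr/etc/...` lines have to be found before a restart, not after. The functions below list the configured paths, report the missing ones, and answer whether sshd would find any usable key at all. The default key paths are an assumption about stock OpenSSH (older builds also tried a DSA key), and the test uses temporary files rather than a real `/etc/ssh`.

```shell
#!/usr/bin/env bash
# Added example, not BOA's code. Check that the HostKey files an sshd_config
# names actually exist before restarting sshd. sshd exits with
# "no hostkeys available -- exiting" when none of the configured keys can be
# loaded, which is what stale "HostKey /usr/etc/..." lines produce after the
# keys have moved.
set -u

# Compiled-in defaults sshd uses when the config names no HostKey at all.
# Assumption: stock OpenSSH paths; older builds also looked for a DSA key.
DEFAULT_HOSTKEYS='/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key'

# Print every HostKey path configured in $1, one per line (comment lines
# ignored; paths are taken verbatim, so quoted paths with spaces are not
# handled here).
configured_hostkeys() {
    awk '/^[[:space:]]*#/ { next } tolower($1) == "hostkey" { print $2 }' "$1"
}

# Print the configured HostKey paths whose file is missing, one per line.
missing_hostkeys() {
    local path
    configured_hostkeys "$1" | while IFS= read -r path; do
        [ -f "$path" ] || printf '%s\n' "$path"
    done
}

# Return 0 if sshd would find at least one host key with config $1, 1 if it
# would exit. Mirrors sshd's rule: any loadable key is enough; with no
# HostKey lines at all the compiled-in defaults are tried instead.
hostkeys_available() {
    local file=$1 key n_conf n_missing
    n_conf=$(configured_hostkeys "$file" | wc -l | tr -d ' ')
    if [ "$n_conf" -eq 0 ]; then
        for key in $DEFAULT_HOSTKEYS; do
            [ -f "$key" ] && return 0
        done
        return 1
    fi
    n_missing=$(missing_hostkeys "$file" | wc -l | tr -d ' ')
    [ "$n_missing" -lt "$n_conf" ]
}
```

If `missing_hostkeys /etc/ssh/sshd_config` lists every configured key, either point the `HostKey` lines at the keys' real location or comment them out and let the defaults apply. `ssh-keygen -A` (as root) generates any default host key that does not yet exist under `/etc/ssh`, but it creates new identities: every client that has the old fingerprint in its `known_hosts` will then see a host-key-changed warning, so prefer moving the existing keys back over regenerating them. Finish with `sshd -t` before restarting.
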
omega8cc commented 3 days ago

Hello,

Unfortunately, BOA currently assumes no modifications are made to the SSHD configuration. While we do have exceptions in place for custom MySQL, lshell, CSF, and PHP configurations—ensuring those customizations persist through Barracuda upgrades—there is no such exception for SSHD configurations.

This might be worth considering as a future addition to allow SSHD customizations to survive updates as well.

Thank you for your understanding, and please let us know if you have any questions or suggestions.