In case AuthorizedKeysCommand is configured in
/etc/ssh/sshd_config
recent updates of systemd overwrite this command.
To verify if you are hit, the following command can be used:
sshd -T | grep -i AuthorizedKeysCommand
Workaround: add local configuration to
/etc/ssh/sshd_config.d/19-authorizedkeyscommand.conf
Upstream Bug is reported.
Offline
/etc/ssh/sshd_config is owned by openssh 9.8p1-1
- So changes here have nothing to do with a systemd update.
- 2nd: a system update normally doesn't overwrite your config.
I suspect something is wrong with your system or your update procedure.
It would be interesting if you link your bug report here.
Offline
I added two lines (AuthorizedKeysCommand and AuthorizedKeysUser) at the end of sshd_config (while the Include is the very first line)
This works fine until the update of systemd.
Offending file /etc/ssh/sshd_config.d/20-systemd-userdb.conf is owned by systemd 256.2-1.
Later definitions are not overwriting earlier definitions for sshd_config. As a result, my AuthorizedKeysCommand was not executed.
For me, the consequence was that the system was not accessible via ssh. I was surprised that an unrelated update can influence openssh.
I think it is an upstream bug: https://github.com/systemd/systemd/issues/33648.
My update sequence was straightforward (pacman -Syu and hits my newer installations with Include /etc/ssh/sshd_config.d/*.conf in it.)
To summarize:
- sshd_config Include /etc/ssh/sshd_config.d/*.conf was added only a few years ago (so older installations with same config are not hit)
- Only one AuthorizedKeysCommand directive is allowed
- sshd_config later definitions do not override earlier definitions
- systemd adds per default /etc/ssh/sshd_config.d/20-systemd-userdb.conf that requires unexpected manual intervention in openssh packages
I'm not sure how to solve this. I hope this can guide somebody else to a workaround.
Offline
I'm not sure how to solve this.
Workaround: add local configuration to
/etc/ssh/sshd_config.d/00-my-system-my-rules-lennart.conf
Basically https://gitlab.archlinux.org/archlinux/ … c3404ef894 is a shift in how to configure sshd, with the main file effectively becoming a documentation of the defaults.
The huge benefit of the drop-in config is that you won't have to deal w/ pacnew versions (and also 3rd packages can reconfigure sshd) - the downside is that the config might be changed w/o you noticing it.
I'll spare us all the rant about the userdb nonsense and systemd audacity at shoving it… well, I said I'll spare us that.
sshd_config Include /etc/ssh/sshd_config.d/*.conf was added only a few years ago (so older installations with same config are not hit)
man pacdiff # :P
Offline
For me, the consequence was that the system was not accessible via ssh. I was surprised that an unrelated update can influence openssh.
Not surprisingly,
https://man.archlinux.org/man/sshd_config.5
states
Unless noted otherwise, for each keyword, the first obtained value will be used.
Edit:
Next to "sudo sshd -t; echo $?", which shows if the config is fine, "sudo sshd -T" will show the entire used config.
Last edited by ua4000 (2024-07-13 17:51:00)
Offline
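The first-value-wins rule quoted above, as an added example that is not part of any post in this thread: a shell helper that lists every place a keyword is set in the order sshd reads it, so the first line printed is the value that takes effect. The function names, the `/usr/local/bin/my-keys` helper path and the drop-in content in `demo_tree` are constructed for illustration; Match blocks are ignored and nested Includes are not followed.

```shell
#!/bin/sh
# Added example (not from the thread). Lists where KEYWORD is set, in the order
# sshd reads it; the first line printed is the value sshd uses.
# Assumptions: Match blocks are ignored and nested Includes are not followed.

# scan KEYWORD FILE: print "FILE:LINE: VALUE" hits and "@include PATTERN" markers.
scan() {
    awk -v kw="$1" -v f="$2" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^(#|$)/ { next }                      # skip comments and blank lines
        {
            key = $0; sub(/[ \t=].*/, "", key); key = tolower(key)
            val = $0; sub(/^[^ \t=]+[ \t=]+/, "", val)
            if (key == "include") {
                n = split(val, pat, /[ \t]+/)
                for (i = 1; i <= n; i++) print "@include " pat[i]
            } else if (key == tolower(kw)) print f ":" NR ": " val
        }' "$2"
}

# sshd_trace KEYWORD [ROOT]: ROOT is prepended to every path ("" = live system).
sshd_trace() {
    scan "$1" "$2/etc/ssh/sshd_config" | while IFS= read -r line; do
        case $line in
            "@include "*)
                pat=${line#@include }
                case $pat in /*) ;; *) pat=/etc/ssh/$pat ;; esac  # relative to /etc/ssh
                for f in "$2"$pat; do          # shell glob sorts lexically, like sshd
                    if [ -f "$f" ]; then scan "$1" "$f" | sed '/^@include /d'; fi
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# demo_tree: build a constructed copy of the layout described in the thread.
demo_tree() {
    root=$(mktemp -d) && mkdir -p "$root/etc/ssh/sshd_config.d" || return 1
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '# local settings' \
        'AuthorizedKeysCommand /usr/local/bin/my-keys %u' \
        'AuthorizedKeysCommandUser nobody' > "$root/etc/ssh/sshd_config"
    printf '%s\n' 'AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u' \
        > "$root/etc/ssh/sshd_config.d/20-systemd-userdb.conf"
    echo "$root"
}
```

On a live system, `sshd_trace AuthorizedKeysCommand` (no second argument) reads `/etc/ssh/sshd_config` directly; compare its first line with the output of `sshd -T`.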
sshd -T | grep -i AuthorizedKeysCommand
Later definitions are not overwriting earlier definitions for sshd_config. As a result, my AuthorizedKeysCommand was not executed.
The "surprise" is that systemd figures it needs to mess with one's sshd config to push the NIH version of /etc/passwd
Offline
Since correct sshd config is vital, I have disabled drop-in configs for some time - I put all my desired options in sshd_config and have no include option there.
So no package can add or change something automatically.
Offline