check the sshd config before sshd restart #215

Open
artem-sidorenko opened this issue Mar 20, 2019 · 7 comments

Comments

@artem-sidorenko
Member

artem-sidorenko commented Mar 20, 2019

We should check the sanity of sshd config before we restart sshd

@fmietka

fmietka commented Mar 22, 2019

Hello,

I am attempting to utilize this in one of my cookbooks and am failing during an sshd restart. My issue is the same as: TalkingQuickly/rails-server-template#11

That issue is from 2014 but maybe it has something to do with the version of Ubuntu I am using (18.04). Here is the error:
```
Recipe: ssh-hardening::server
* service[sshd] action restart

       ================================================================================
       Error executing action `restart` on resource 'service[sshd]'
       ================================================================================

       Mixlib::ShellOut::ShellCommandFailed
       ------------------------------------
       Expected process to exit with [0], but received '1'
       ---- Begin output of /bin/systemctl --system restart ssh ----
       STDOUT:
       STDERR: Job for ssh.service failed because the control process exited with error code.
       See "systemctl status ssh.service" and "journalctl -xe" for details.
       ---- End output of /bin/systemctl --system restart ssh ----
       Ran /bin/systemctl --system restart ssh returned 1

       Resource Declaration:
       ---------------------
       # In /tmp/kitchen/cache/cookbooks/ssh-hardening/recipes/server.rb
```

Exact error in code:

```
FATAL: Mixlib::ShellOut::ShellCommandFailed: service[sshd] (ssh-hardening::server line 136) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of /bin/systemctl --system restart ssh ----
```
Cheers,

Filip M

@artem-sidorenko
Member Author

@fmietka after this failure, can you invoke `journalctl -u sshd` and check the output? Usually this is related to some syntax error within ssh configuration options. Did you set any custom attributes?

@fmietka

fmietka commented Mar 25, 2019

Hi @artem-sidorenko, since the cookbook fails on ssh-hardening, I actually can't ssh into the box at all and run that command unfortunately. Here are the attributes we are defining in our default.rb:

```ruby
default['ssh-hardening']['ssh']['server']['mac']
default['ssh-hardening']['ssh']['server']['cipher']
default['ssh-hardening']['ssh']['server']['extras']
```

When I comment them out then the cookbook works. Not really sure why we had those in there in the first place. Do you recommend leaving those defaulted (aka "nil")? Where can I find some examples of what those can be set to? There must have been something wrong with one of them. Thanks for that catch!

Cheers,

Filip M

@artem-sidorenko
Member Author

artem-sidorenko commented Mar 25, 2019

@fmietka if you open the ssh session prior to the deployment, you still should be able to have/keep access. sshd restart applies only to the new sessions and the old sshd forked processes keep running till the end.

Regarding the defaults: they depend on the openssh version and distro, you can have a look to https://github.com/dev-sec/chef-ssh-hardening/blob/master/libraries/devsec_ssh.rb , this library provides the according defaults

@fmietka

fmietka commented Mar 25, 2019

@artem-sidorenko so I used the defaults for mac and cipher and it converged successfully. When I ran a `journalctl -u sshd` it did not find any entries. However when I ran a `journalctl -u ssh` it returned my user request to ssh into the box. Was the `journalctl -u sshd` supposed to have `---No Entries---`?

Additionally we are setting this attribute which I believe is causing the confusion above:

```ruby
default['ssh_service'] = platform_family?('suse', 'rhel') ? 'sshd' : 'ssh'
```

@artem-sidorenko
Member Author

@fmietka my bad, the service name on ubuntu is ssh. So everything looks good. Your problem is related to the ciphers/macs, some syntax error or not supported configuration.

@fmietka

fmietka commented Mar 27, 2019

@artem-sidorenko Thank you sir, I appreciate the help!
