[BlueOnyx:16897] Re: sshd_config

Michael Stauber mstauber at blueonyx.it
Fri Jan 23 11:36:44 -05 2015


Hi Matthew,

> My sshd_config keeps getting overwritten. I think it's
> coming as a result of some BlueOnyx rpm though I'm
> not 100% certain.

Yes. BlueOnyx modifies the sshd_config. There are certain parameters in
it that we change to match the ones that you configured in the GUI for
SSHd. This will not replace sshd_config entirely. It just edits the
selected few parameters that the GUI manages.

> I've changed:
> 
> AllowTcpForwarding yes
> PermitRootLogin without-password

Which are both "reserved" parameters which we manage.
"AllowTcpForwarding" is off as it would allow bouncing SPAM to users
even if their account has no shell.

"PermitRootLogin" is reserved as well and we allow only "yes" or "no" as
options.

So here is what you can do:

To get your root logins working, enable "root" access in the SSH config
in the GUI. That will set that parameter to "yes". Then use SSH key or
certificate access instead and you don't have to worry about entering a
password on login as long as you come from a box that's known and
trusted, or has the matching key or certificate.

As for "AllowTcpForwarding": You can enable it on a per-user basis in
sshd_config. There is a comment in sshd_config that explains how to do
it. You just can't turn it on for everyone, as that would be
(security-wise) a bad idea.

-- 
With best regards

Michael Stauber
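
Added example (not part of the original message and not BlueOnyx code): a small Python check of the layout described above, with AllowTcpForwarding off globally and re-enabled for a single account. It assumes the per-user override is written as an OpenSSH `Match User` block; the sample config and the user names are constructed, and only `Match User` and `Match all` are evaluated.

```python
import fnmatch

# Constructed sample, not the real BlueOnyx file; the user names are hypothetical.
SAMPLE = """\
PermitRootLogin yes
AllowTcpForwarding no
Match User matthew
    AllowTcpForwarding yes
Match User *
    AllowTcpForwarding no
"""

def user_matches(patterns, user):
    """sshd pattern list: comma separated, * and ? wildcards, leading ! negates."""
    hit = False
    for pat in patterns.split(","):
        if pat.startswith("!") and fnmatch.fnmatchcase(user, pat[1:]):
            return False  # a negated pattern that matches vetoes the whole list
        hit = hit or fnmatch.fnmatchcase(user, pat)
    return hit

def effective(config, user, keyword):
    """First satisfied Match block wins, else first global value, else None."""
    global_val = match_val = None
    in_match = active = False
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit = arg.split()
            is_user = len(crit) == 2 and crit[0].lower() == "user"
            if not is_user and arg.strip().lower() != "all":
                raise ValueError("unsupported Match criteria: " + arg)
            in_match, active = True, (not is_user or user_matches(crit[1], user))
        elif key == keyword.lower():
            if in_match and active and match_val is None:
                match_val = arg      # override from the first satisfied Match block
            elif not in_match and global_val is None:
                global_val = arg     # first occurrence in the global section
    return match_val if match_val is not None else global_val

def forwarding_users(config, users):
    """Users whose AllowTcpForwarding is not 'no' (unset means sshd's default, yes)."""
    return [u for u in users
            if (effective(config, u, "AllowTcpForwarding") or "yes").lower() != "no"]

if __name__ == "__main__":
    print(forwarding_users(SAMPLE, ["matthew", "mailonly", "root"]))
```

On a live host, `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the settings sshd itself would apply to that connection and is the authoritative check.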


