Information
The /etc/ssh/sshd_config file defines SSH server behavior.
The SSH daemon reads its configuration from this file, which includes the authentication modes and cryptographic settings used during SSH communication.
Solution
Change the permissions of the /etc/ssh/sshd_config file to ensure all accounts can read the file but only the owner (root) can modify it:
chmod u=rw,go=r /etc/ssh/sshd_config
Impact:
Some organizations feel that all configuration information for the OpenSSH server must be confidential, and many other benchmarks recommend exclusive root access to /etc/ssh/sshd_config (octal 0600). That configuration works UNLESS sftp access is required by non-root users.
Non-root users cannot read the file when its mode is octal 0600. The sftp-server subsystem runs as the authenticated user and reads /etc/ssh/sshd_config itself (load_server_config), so the connection closes even though authentication succeeded:
Jun 25 14:42:45 x071 auth|security:info sshd[12255378]: Accepted password for michael from 192.168.129.65 port 32810 ssh2
Jun 25 14:42:45 x071 auth|security:info sftp-server[7077962]: session opened for local user michael from [192.168.129.65]
Jun 25 14:42:45 x071 auth|security:debug sftp-server[7077962]: debug2: load_server_config: filename /etc/ssh/sshd_config
Jun 25 14:42:45 x071 auth|security:info sshd[8847468]: Received disconnect from 192.168.129.65 port 32810:11: disconnected by user
Jun 25 14:42:45 x071 auth|security:info sshd[8847468]: Disconnected from user michael 192.168.129.65 port 32810
- With the default mode (octal 0644) the sftp-server can read the file; this is what is needed for the sftp-server to start:
Jun 25 14:45:10 x071 auth|security:info sshd[7077994]: Accepted password for michael from 192.168.129.65 port 32812 ssh2
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: session opened for local user michael from [192.168.129.65]
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: load_server_config: filename /etc/ssh/sshd_config
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: load_server_config: done config len = 288
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: parse_server_config: config /etc/ssh/sshd_config len 288
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:34 setting SyslogFacility AUTH
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:36 setting LogLevel INFO
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:114 setting Banner /etc/banner
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:117 setting Subsystem sftp /usr/sbin/sftp-server -l DEBUG3 -f AUTH
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: received client version 3
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: request 0: realpath
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: realpath "."
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug1: request 0: sent names count 1
- The recommendation is to stay with the default file mode (octal 0644) unless site policy requires octal 0600 AND it is acceptable that sftp will not function for non-root users.
- Choosing octal 0600 is considered a Level 2 recommendation.
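The audit and remediation steps from the Solution and Impact sections, as an added shell helper; this is not code from the original page, from OpenSSH or from the benchmark itself. It assumes only a POSIX ls(1) and awk(1) (present on AIX and Linux) and takes the file path as an argument, defaulting to /etc/ssh/sshd_config. Besides the group/other write bits that the chmod above removes, it checks the other-read bit that a non-root sftp session needs, so a 0600 file is reported as a finding rather than passed silently.

```sh
#!/bin/sh
# Added example: audit and remediate /etc/ssh/sshd_config ownership and mode.
# Not from the original page; assumes POSIX ls(1) and awk(1) only.

# Print the nine-character symbolic mode of FILE (e.g. rw-r--r--).
# Field 1 of `ls -ld` is the type character plus the mode; substr() drops the
# type and any trailing ACL/SELinux marker such as "+" or ".".
file_mode() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9) }'
}

# Print the owner of FILE (field 3 of `ls -ld`).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Return 0 when neither group nor other may write FILE (positions 5 and 8 of
# the mode string are "-"); this is the hardening that chmod u=rw,go=r enforces.
not_group_other_writable() {
    case "$(file_mode "$1")" in
        ????-??-?) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 when "other" may read FILE (position 7 is "r"). A non-root sftp
# session needs this bit because sftp-server runs as that user and reads
# sshd_config itself; with mode 0600 the session closes after authentication.
world_readable() {
    case "$(file_mode "$1")" in
        ??????r??) return 0 ;;
        *)         return 1 ;;
    esac
}

# Audit FILE (default /etc/ssh/sshd_config). Prints one line per finding and
# returns 0 only for the recommended state: owned by root, 0644-equivalent mode.
audit_sshd_config() {
    f=${1:-/etc/ssh/sshd_config}
    [ -e "$f" ] || { echo "$f: no such file"; return 2; }
    mode=$(file_mode "$f")
    owner=$(file_owner "$f")
    rc=0
    if [ "$owner" != root ]; then
        echo "$f: owner is $owner, expected root"; rc=1
    fi
    if ! not_group_other_writable "$f"; then
        echo "$f: mode $mode allows group/other write"; rc=1
    fi
    if ! world_readable "$f"; then
        echo "$f: mode $mode is not world-readable; sftp will fail for non-root users"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$f: OK (owner $owner, mode $mode)"
    return "$rc"
}

# Remediate FILE to the recommended owner and mode (root, u=rw,go=r = 0644).
remediate_sshd_config() {
    f=${1:-/etc/ssh/sshd_config}
    chown root "$f" && chmod u=rw,go=r "$f"
}
```

Source the file and run `audit_sshd_config` (as any user) to check the live system, or `remediate_sshd_config` as root to apply the Solution; pass a path to check a staged copy. A site that has chosen the Level 2 setting of 0600 should expect the world-readable finding and treat it as accepted, not as a defect.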