Use the ssh man page as a starting point for sshd_config Network
Having lost part of a Sunday getting a hardened SSH to work between my various machines, it was a pleasure to recover by writing a Python script to create an /etc/sshd_config file I could actually read. Here's the script, which I've named sshd_config.py, to transform /etc/sshd_config into a more literate form, based on the man page for sshd_config.

To harden SSH on OS X, one modifies /etc/sshd_config. The web abounds with advice on what options to set, some of which are now deprecated. For others, the man page and Apple's /etc/sshd_config disagree on which is the default value. In these cases, /etc/sshd_config appears to be correct, but one cannot be sure.

This script creates a commented copy of the man page for sshd_config, inserting into each option heading the default value taken from /etc/sshd_config, and adding an active setting line for each option that /etc/sshd_config sets. The output file can be used as a more literate /etc/sshd_config, which one can now edit with some hope of understanding what is going on.

Sample use: Move the Python script to a work directory, make it executable, and execute the command line
./sshd_config.py /etc/sshd_config sshd_config
Best practice: Copy Apple's original to a safe place before replacing /etc/sshd_config with a modified copy. Many other hints here cover what your local copy could or should say.
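As an added example (this is not the hint's own sshd_config.py, which is not reproduced on this page), here is a small Python implementation of the transformation described above, run on constructed samples of the man page and of /etc/sshd_config that are embedded in the code so it works offline. The man-page layout it expects (option name alone on a five-space-indented line, description indented further), the regular expressions and the sample text are all my own assumptions rather than the script's. It goes one step beyond the description above: active settings that the man page does not document are listed at the end, which is one way to catch the deprecated options mentioned earlier.

```python
import re

# Option name alone on a line indented five spaces, which is how the OpenSSH
# man page renders its option list once piped through col -b (assumption
# about layout; description lines are indented further and do not match).
HEADING_RE = re.compile(r'^ {5}([A-Z][A-Za-z0-9]+)\s*$')

# One sshd_config line: an optional '#' directly before the name (Apple's
# convention for "shipped default, commented out"), then whitespace and the
# value.  '# free text' never matches.  The 'Option=value' form is not handled.
CONFIG_RE = re.compile(r'^(#?)([A-Za-z][A-Za-z0-9]*)\s+(\S.*?)\s*$')


def parse_sshd_config(text):
    """Return (defaults, settings), both keyed by lower-cased option name
    (sshd matches names case-insensitively) with (name, value) values.
    sshd uses the FIRST value given for an option, so duplicates are ignored."""
    defaults, settings = {}, {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if not m:
            continue
        commented, option, value = m.groups()
        target = defaults if commented else settings
        target.setdefault(option.lower(), (option, value))
    return defaults, settings


def parse_man_page(text):
    """Split man-page text into [(option, [description lines])] in page order."""
    sections = []
    for line in text.splitlines():
        m = HEADING_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        elif sections and line.strip():
            sections[-1][1].append(line.strip())
    return sections


def literate_config(man_text, config_text):
    """Emit a commented sshd_config: each heading carries the default found in
    config_text, the man-page description follows as comments, and an active
    line is written where config_text sets the option.  Active options the
    man page does not document are listed last so they can be checked."""
    defaults, settings = parse_sshd_config(config_text)
    documented, out = set(), []
    for option, desc in parse_man_page(man_text):
        key = option.lower()
        documented.add(key)
        heading = '# %s' % option
        if key in defaults:
            heading += '  [default: %s]' % defaults[key][1]
        out.append(heading)
        out.extend('#   %s' % d for d in desc)
        if key in settings:
            out.append('%s %s' % (option, settings[key][1]))
        out.append('')
    stray = [settings[k] for k in sorted(settings) if k not in documented]
    if stray:
        out.append('# Set in sshd_config but not documented in this man page'
                   ' (deprecated or misspelled?):')
        out.extend('%s %s' % pair for pair in stray)
        out.append('')
    return '\n'.join(out)


# Constructed sample of `man sshd_config | col -b` output (abbreviated,
# not a copy of the real page).
MAN_PAGE_TEXT = """\
     PasswordAuthentication
             Specifies whether password authentication is allowed.  The
             default is "yes".

     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be "yes", "without-password", "forced-commands-only", or
             "no".  The default is "yes".

     Protocol
             Specifies the protocol versions sshd(8) supports.  The
             possible values are '1' and '2'.  The default is "2,1".
"""

# Constructed sample in the style of Apple's /etc/sshd_config; the second
# PermitRootLogin line is deliberately ignored, as sshd itself would do.
SSHD_CONFIG_TEXT = """\
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
Protocol 2
PasswordAuthentication no
PermitRootLogin no
PermitRootLogin yes
UsePrivilegeSeparation yes
"""

if __name__ == '__main__':
    print(literate_config(MAN_PAGE_TEXT, SSHD_CONFIG_TEXT))
```

Running the file prints the literate config for the samples. To feed it the real man page, capture the output of the man/col pipeline into a string and pass it as man_text; if you do that from Python, call the tools by absolute path (/usr/bin/man, /usr/bin/col) rather than relying on whatever PATH resolves, as the first comment below points out.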

Advice, in case of trouble with SSH: Execute the command sudo grep sshd /var/log/secure.log on each host machine, and believe what you read. One can ssh onto one's local machine as if one is elsewhere, so try all possible (from, to) pairs including self-connections, to see where the problem is: Are you having trouble whenever machine A is involved, or whenever machine B is involved? Whenever machine A is the host? Having four data points really helps isolate what's wrong.

[robg adds: This seemed to work as described when I tested it.]

Use the ssh man page as a starting point for sshd_config
Authored by: CarlRJ on Feb 20, '08 10:37:45AM

So, first off, either the call to popen should have "/usr/bin/" prepended to each of the command names (man, col, expand, sed), or whatever python magic necessary should be done to prepend /usr/bin to the path to ensure that the script actually runs the expected programs (I have a front-end to man in my ~/bin directory which got run instead of /usr/bin/man).

Second (after working around the above problem)... the output doesn't make a lot of sense to me. I end up with parts of the man page copied into the output file (second command line arg) as comments, but the interesting part (all the tweaks I've made to sshd_config) all go to stdout (apparently from the "print line" at the end of the "edit man page to insert option values" section). Surely you wanted to interpolate those into the output file...?

For what it's worth, this is running on a Tiger system.



Use the ssh man page as a starting point for sshd_config
Authored by: cva on Feb 20, '08 05:57:56PM

I had the same problem. Then I realized that for some reason all of the \'s were missing.

Here's the diff FWIW:

cva:~ $ diff sshd_config_py.txt sshd_config.py
50c50
< pat = r'^(# [A-Z]+[a-z][a-zA-Z]*)s{2,}(S.*)$'
---
> pat = r'^(# [A-Z]+[a-z][a-zA-Z]*)\s{2,}(\S.*)$'
73c73
< pat = r'^(#)?([A-Z][a-z][a-zA-Z]+)s+(.*)$'
---
> pat = r'^(#)?([A-Z][a-z][a-zA-Z]+)\s+(.*)$'
82c82
< new[index] = '# %s %sn' % (option, value)
---
> new[index] = '# %s %s\n' % (option, value)
84c84
< new[index] += 'n%s %snn' % (option, value)
---
> new[index] += '\n%s %s\n\n' % (option, value)



Use the ssh man page as a starting point for sshd_config
Authored by: cva on Feb 20, '08 06:01:45PM

oops, looks like I missed a couple. Here's the real diff ;)

cva:~ $ diff sshd_config_py.txt sshd_config.py
50c50
< pat = r'^(# [A-Z]+[a-z][a-zA-Z]*)s{2,}(S.*)$'
---
> pat = r'^(# [A-Z]+[a-z][a-zA-Z]*)\s{2,}(\S.*)$'
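Review bot: in the left-hand line, `s{2,}` and `(S.*)` match two or more literal letters s followed by a literal capital S, not whitespace and a non-blank character, so the pattern as posted can never match the man-page heading lines it is meant to find; the right-hand line restores `\s{2,}(\S.*)`. Since every backslash was evidently stripped when the script was published, each `\n` in the file needs the same check, which is what the following hunks do.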
57,58c57,58
< new.append("%sn" % option)
< new.append("# %sn" % text)
---
> new.append("%s\n" % option)
> new.append("# %s\n" % text)
73c73
< pat = r'^(#)?([A-Z][a-z][a-zA-Z]+)s+(.*)$'
---
> pat = r'^(#)?([A-Z][a-z][a-zA-Z]+)\s+(.*)$'
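Review bot: beyond the restored `\s+`, the `[A-Z][a-z]` at the start of the name group requires the second character of an option name to be a lowercase letter, so config lines for options such as X11Forwarding or GSSAPIAuthentication will not match and will be silently skipped; `([A-Z][A-Za-z0-9]+)` covers them, and since sshd accepts option names case-insensitively the match should not depend on capitalisation at all.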
82c82
< new[index] = '# %s %sn' % (option, value)
---
> new[index] = '# %s %s\n' % (option, value)
84c84
< new[index] += 'n%s %snn' % (option, value)
---
> new[index] += '\n%s %s\n\n' % (option, value)


