New cPanel update causes SSH issue
I have the following code in my /etc/ssh/sshd_config file to allow our internal network to use password authentication.
Match address 192.168.1.0/24
PasswordAuthentication yes
However, the new cPanel update added the following line to the bottom of the /etc/ssh/sshd_config file, which caused SSHD to go down because the "Match address" has to be at the bottom of the sshd config file. I've manually moved the "Match address" part to the bottom to fix the issue. I am wondering how to prevent this issue?
DenyGroups cpaneldemo cpanelsuspended
Same issue and thanks for the fix!
Hello, Thanks for bringing this up. The update to cPanel today introduced a change to the ssh configuration with the interest of increasing security. If there are MatchBlock entries in the ssh configuration, the new DenyGroups directive will interrupt the MatchBlock directive, causing configuration syntax errors. When this is fixed, you will see case number CPANEL-13176 marked as fixed in the cPanel changelog at changelog.cpanel.net. I apologize for any inconvenience that this has caused. In the meantime, as a workaround, removing the new directive, or editing /etc/ssh/sshd_config to allow the new directive to work will allow ssh to work normally again.
Hello, If you are unable to log into SSH but WHM is accessible, there is a script that will provide a minimal, default configuration of SSH to allow you to log in again. To use this script, you append the following to the url for WHM: /scripts2/doautofixer?autofix=safesshrestart
For example, if your server's address is 1.2.3.4, this url will provide a temporary ssh instance that will allow login: https://1.2.3.4:2087/scripts2/doautofixer?autofix=safesshrestart
Take note of the output from running that script, as it may restart ssh on a port other than 22 if somehow the previous ssh instance is still running.
This shut me out of SSH too... What a great morning I've had... Thanks cPanel!
This topic is not resolved! Yes - I also just had to deal with this on 4 servers. We also use the MatchBlock directive to limit SSH logins internally. The DenyGroups directive that was appended to the bottom of the sshd_config has prevented us from being able to access the server via ssh. What is this ? DenyGroups cpaneldemo cpanelsuspended Is it needed ? Is there any documentation on this new directive? We had to login via datacentre local machine (console) and used VI to edit sshd_config to fix the issue. However, it would be great if cPanel could enable the use of the MatchBlock not in the footer - in case of future additional new directives being added during updates - or maybe it's an openssh issue?
Hi there, The DenyGroups line is necessary to prevent potential abuse for suspended and demo accounts. We currently anticipate to publish an autofixer to remediate any broken ssh configurations by moving this line above any Match blocks in sshd_config. In the future, modifications to the sshd_config will always occur before any Match directives to prevent these sorts of issues. DenyGroups cpaneldemo cpanelsuspended can also be manually moved above any Match blocks if you are currently experiencing this issue.
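The manual fix described in the reply above, as an added example that is not cPanel's autofixer and not code from this thread: sshd treats every line after a Match line as part of that block until the next Match or the end of the file, so an appended DenyGroups line stops being a global setting. The function names and the sample file below are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not cPanel code).

# Count DenyGroups lines that sit after the first Match line.
misplaced_denygroups() {
    awk 'tolower($1) == "match" { seen = 1; next }
         seen && tolower($1) == "denygroups" { n++ }
         END { print n + 0 }' "$1"
}

# Print the config with those lines moved to just above the first Match.
hoist_denygroups() {
    awk '
        # Pass 1: collect DenyGroups lines found after the first Match.
        NR == FNR {
            if (tolower($1) == "match") seen = 1
            else if (seen && tolower($1) == "denygroups") moved[++n] = $0
            next
        }
        # Pass 2: emit the collected lines before the first Match line.
        tolower($1) == "match" && !done {
            for (i = 1; i <= n; i++) print moved[i]
            done = 1
            inmatch = 1
        }
        # Drop the originals from inside the Match section.
        inmatch && tolower($1) == "denygroups" { next }
        { print }
    ' "$1" "$1"
}

# Constructed sample reproducing the layout reported in this thread.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' \
    'Match address 192.168.1.0/24' \
    'PasswordAuthentication yes' \
    'DenyGroups cpaneldemo cpanelsuspended' > "$sample"

echo "misplaced DenyGroups lines: $(misplaced_denygroups "$sample")"
hoist_denygroups "$sample"
```

Write the output to a scratch file and check it with `sshd -t -f <file>` before replacing the live configuration, and keep an existing session open while sshd restarts.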
We also got "hit" by this problem. I was lucky enough to get a KVM running or I would have to drive 4 hours to get to the physical console. Thanks for the WHM trick, it may save us also :) For "DenyGroups cpaneldemo cpanelsuspended", I have commented out the line. Could you please let us know if a fix for it will be released automatically or should I manually fix it? A solution could be a "Match all" between the "Match Group" and "DenyGroups cpaneldemo cpanelsuspended"?
Just saw your previous answer... Thanks! I just moved the "DenyGroups..." before the "Match Group..." and restarted sshd.
Hello, Thank you for the feedback. These updates are part of the TSR-2017-003 security update. The information about these updates is scheduled to be released tomorrow. More about this update is available here: cPanel TSR-2017-0003 Announcement | cPanel Newsroom Typically with TSR updates, they are released with an announcement, then the disclosure is released after a time period to allow vulnerabilities to be fixed before they are explained. More information about this will be available when the disclosure is released tomorrow. Also, an autofixer script has been created to work around this, which has just been published. To fix this, one can either run the cPanel update or go to https://1.2.3.4:2087/scripts2/doautofixer?autofix=sshd_denygroups
Hi! Thanks for the information! I have moved the "Denygroup" to avoid the problem, everything should be fine (for future updates to cPanel and from a security point of view)?
Why not insert the Denygroup automatically above any detected Match directives (1st instance found for Match)?
As part of case CPANEL-13176 (to be released in v66+), the security team responsible for the original update is re-working the code that manages the ssh configuration to ensure a broad range of sshd_config customizations can be handled. In the meantime this was resolved via the auto-fix that was released as part of CPANEL-131780