On 10/09/2021 13:11, Greg Wooledge wrote:

Not matching what's in the file:
awk 'NR==25' /etc/ssh/sshd_config
awk 'NR==28' /etc/ssh/sshd_config
awk 'NR==29' /etc/ssh/sshd_config
# Lifetime and size of ephemeral version 1 server key

OK, so "it" is in fact "The warnings in syslog contain line numbers which
do not align with the line numbers of the file that I see"?

Seems harmless enough -- just comment out the offending options wherever
they are, ignoring the line numbers in the warnings.

All these lines have been commented out but, as David Wright pointed
out, commenting out isn't enough to stop them being the defaults.
Ssh doesn't seem to be reading the local /etc/ssh/sshd_config as the
line numbers mismatch.

The service hasn't been restarted around that time and the file hasn't been
modified for even longer:
systemctl status ssh.service | grep running
Active: active (running) since Wed 2021-08-18 17:36:45 UTC; 3 weeks 1 days ago

All right, now we're getting somewhere.
Is it possible that these lines are being remotely syslogged to you from
another host?

It's unfortunate that you omitted most of the systemctl output. It would
have been nice to see whether PID 145 is actually sshd on this host. You
could also check by hand, of course: ps -fp 145 and ps -ef | grep sshd

PID 145 doesn't match anything that I could identify.

This container:
openssh-server 7.9p1-10+deb10u2
systemctl status ssh.service
* ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-08-18 17:36:45 UTC; 3 weeks 1 days ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 137 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 165 (sshd)
Tasks: 1 (limit: 4915)
Memory: 11.1M
CGroup: /system.slice/ssh.service
`-165 /usr/sbin/sshd -D

LXC parent:
openssh-server 7.9p1-10+deb10u2
systemctl status sshd.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-08-18 18:31:24 BST; 3 weeks 1 days ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 1659 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 1910 (sshd)
Tasks: 1 (limit: 4915)
Memory: 34.3M
CGroup: /system.slice/ssh.service
└─1910 /usr/sbin/sshd -D

You might also want to double-check "journalctl -u ssh" against the
contents of the syslog file. As far as I know, the systemd journal
cannot accept input from a foreign host, so it should always show
info that comes from services running on localhost.

None of the deprecated options can be found in journalctl:
journalctl -u ssh | grep UsePrivilegeSeparation
journalctl -u ssh | grep KeyRegenerationInterval
etc.

There is actually a gap when the warnings are logged:
Aug 28 10:10:22 deb10 sshd[16443]: Did not receive identification string from...
Aug 28 10:14:05 deb10 sshd[16444]: Connection from...

The mysterious warnings arrive in 2 waves at:
Aug 28 10:12:30
Aug 28 10:12:31

Would it be possible for another host to log to syslog without a prior
explicit manual configuration allowing that?
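
The manual check made in this thread (looking up, in the local sshd_config, the line number that a warning names) can be scripted; the following is an added example, not part of the original messages. It assumes warnings of the form `<file> line <N>: Deprecated option <Name>`; the function names, the sample config, the log lines, the host `otherhost`, the PIDs and the address are all constructed for illustration.

```shell
#!/bin/sh
# Assumed warning format (constructed, not quoted from the thread):
#   <Mon> <day> <time> <host> sshd[PID]: <file> line <N>: Deprecated option <Name>

# check_warnings SYSLOG CONFIG
# Prints one line per warning: MATCH|MISMATCH <host> <pid> <line> <option>
check_warnings() {
    awk -v cfg="$2" '
        BEGIN {
            # Load the config file, indexed by line number.
            n = 0
            while ((getline l < cfg) > 0) conf[++n] = l
            close(cfg)
        }
        / sshd\[[0-9]+\]: .* line [0-9]+: Deprecated option / {
            host = $4
            pid = $5; gsub(/[^0-9]/, "", pid)
            ln = 0
            for (i = 6; i < NF; i++)
                if ($i == "line") { ln = $(i + 1); sub(/:$/, "", ln); break }
            opt = $NF
            # Keyword on that config line; a leading "#" makes it a comment.
            c = conf[ln + 0]
            sub(/^[ \t]+/, "", c)
            split(c, w, /[ \t=]+/)
            verdict = (tolower(w[1]) == tolower(opt)) ? "MATCH" : "MISMATCH"
            printf "%s %s %s %s %s\n", verdict, host, pid, ln, opt
        }
    ' "$1"
}

# Constructed sample data: option names come from the thread, everything
# else (line positions, host "otherhost", PIDs, address) is made up.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' '#KeyRegenerationInterval 3600' \
        'UsePrivilegeSeparation yes' > "$d/sshd_config"
    cat > "$d/syslog" <<'EOF'
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 3: Deprecated option UsePrivilegeSeparation
Aug 28 10:12:31 otherhost sshd[145]: /etc/ssh/sshd_config line 2: Deprecated option KeyRegenerationInterval
Aug 28 10:14:05 deb10 sshd[16444]: Connection from 192.0.2.10 port 50000
EOF
    check_warnings "$d/syslog" "$d/sshd_config"
    rm -rf "$d"
}

demo
```

A MISMATCH row means the named line of this file holds a different keyword or a comment, so the warning was produced from some other file; the host and PID columns are what to compare with the local hostname and `ps -ef | grep sshd`.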