On 10/09/2021 13:11, Greg Wooledge wrote:

Not matching what's in the file:

awk 'NR==25' /etc/ssh/sshd_config

awk 'NR==28' /etc/ssh/sshd_config

awk 'NR==29' /etc/ssh/sshd_config
# Lifetime and size of ephemeral version 1 server key
OK, so "it" is in fact "The warnings in syslog contain line numbers which
do not align with the line numbers of the file that I see"?

Seems harmless enough -- just comment out the offending options wherever
they are, ignoring the line numbers in the warnings.
All these lines have been commented out but, as David Wright pointed out, commenting out isn't enough to stop them being the defaults. Ssh doesn't seem to be reading the local /etc/ssh/sshd_config as the line numbers mismatch.
The service hasn't been restarted around that time and the file hasn't been
modified for even longer:

systemctl status ssh.service | grep running
    Active: active (running) since Wed 2021-08-18 17:36:45 UTC; 3 weeks 1 days ago
All right, now we're getting somewhere.

Is it possible that these lines are being remotely syslogged to you from
another host?

It's unfortunate that you omitted most of the systemctl output.  It would
have been nice to see whether PID 145 is actually sshd on this host.  You
could also check by hand, of course:  ps -fp 145   and   ps -ef | grep sshd

PID 145 doesn't match anything that I could identify.

This container:
openssh-server 7.9p1-10+deb10u2

systemctl status ssh.service
* ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-08-18 17:36:45 UTC; 3 weeks 1 days ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 137 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 165 (sshd)
    Tasks: 1 (limit: 4915)
   Memory: 11.1M
   CGroup: /system.slice/ssh.service
           `-165 /usr/sbin/sshd -D

LXC parent:
openssh-server 7.9p1-10+deb10u2

systemctl status sshd.service

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-08-18 18:31:24 BST; 3 weeks 1 days ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 1659 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 1910 (sshd)
    Tasks: 1 (limit: 4915)
   Memory: 34.3M
   CGroup: /system.slice/ssh.service
           └─1910 /usr/sbin/sshd -D

You might also want to double-check "journalctl -u ssh" against the
contents of the syslog file.  As far as I know, the systemd journal
cannot accept input from a foreign host, so it should always show
info that comes from services running on localhost.
None of the deprecated options can be found in journalctl:

journalctl -u ssh | grep UsePrivilegeSeparation
journalctl -u ssh | grep KeyRegenerationInterval
etc.

There is actually a gap when the warnings are logged:

Aug 28 10:10:22 deb10 sshd[16443]: Did not receive identification string from...
Aug 28 10:14:05 deb10 sshd[16444]: Connection from...

The mysterious warnings arrive in 2 waves at:

Aug 28 10:12:30
Aug 28 10:12:31

Would it be possible for another host to log to syslog without a prior explicit manual configuration allowing that?

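The two checks raised in this thread (comparing `journalctl -u ssh` with the syslog file, and asking whether the syslog daemon accepts messages from other hosts) can be scripted. The following is an added example, not part of the original message; it assumes rsyslog is the syslog daemon, and the function names `remote_inputs` and `foreign_sshd_pids` and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

# Print active (uncommented) rsyslog directives that enable network reception:
# module()/input() syntax plus the legacy $ModLoad / $...ServerRun forms.
remote_inputs() {
    grep -hEi '^[[:space:]]*((module\(load|input\(type)="im(udp|tcp|ptcp|relp)"|\$ModLoad[[:space:]]+im(udp|tcp|ptcp|relp)|\$(UDPServerRun|InputTCPServerRun))' "$@" || true
}

# Print sshd PIDs seen in a syslog file ($1) that never appear in a saved
# `journalctl -u ssh` export ($2), i.e. lines the local unit did not log.
foreign_sshd_pids() {
    awk 'match($0, /sshd\[[0-9]+\]/) {
             pid = substr($0, RSTART + 5, RLENGTH - 6)
             if (FILENAME == ARGV[1]) local[pid] = 1
             else if (!(pid in local) && !seen[pid]++) print pid
         }' "$2" "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/rsyslog.conf" <<'EOF'
#module(load="imudp")
#input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
EOF
    cat > "$d/syslog" <<'EOF'
Aug 28 10:10:22 host-a sshd[16443]: Did not receive identification string from 192.0.2.10 port 40000
Aug 28 10:12:30 host-a sshd[145]: /etc/ssh/sshd_config line 25: Deprecated option UsePrivilegeSeparation
Aug 28 10:14:05 host-a sshd[16444]: Connection from 192.0.2.11 port 40001
EOF
    grep -v 'sshd\[145\]' "$d/syslog" > "$d/journal"   # journal lacks the warning
    echo "remote inputs:"; remote_inputs "$d/rsyslog.conf"
    echo "PIDs not in journal:"; foreign_sshd_pids "$d/syslog" "$d/journal"
    rm -rf "$d"
}
demo
```

On a real host the inputs would be `/etc/rsyslog.conf /etc/rsyslog.d/*.conf`, `/var/log/syslog` and a saved copy of `journalctl -u ssh`. PIDs are reused over time, so a matching PID is only suggestive unless the timestamps also agree.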