Forum Discussion

charlestips_149
Sep 18, 2009

SSHD Process Stopped and Won't Start

While going over devices that our Network Automation software cannot access, I saw an F5 in our preprod environment that is inaccessible.

I pinged the device to make sure it was up and it was.

So I logged into the F5, checked the services and sshd is stopped. I tried starting and restarting via the GUI but it won't start.

Any ideas what could have caused it and how I can fix it?

17 Replies

  • Usually it would show up in the /var/log logfiles such as the LTM or messages logs, if I remember correctly.

    CB
  • I got logged in as root and still get the permissions issue, do I need to chmod something?

    Use the bigpipe shell utility to make changes to the system configuration.
    For more information, see bigpipe sshd help.

    The strategy used for options in the default sshd_config shipped with
    OpenSSH is to specify options with their default value where
    possible.

    Port 22
    Protocol 2,1
    Protocol 2
    AddressFamily any

    It's best to leave this setting as it is and use "bigpipe sshd allow".
    An even better idea is to make sure that your self-IPs do not allow traffic
    on port 22. This is the default, so installations are secure by default.
    ListenAddress 0.0.0.0
    ListenAddress ::

    HostKey for protocol version 1
    HostKey /config/ssh/ssh_host_key
    HostKeys for protocol version 2
    HostKey /config/ssh/ssh_host_rsa_key
    HostKey /config/ssh/ssh_host_dsa_key

    Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 1h
    ServerKeyBits 768

    Logging
    obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
    LogLevel DEBUG

    Authentication:

    LoginGraceTime 2m
    PermitRootLogin yes
    StrictModes yes
    MaxAuthTries 6

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

    For this to work you will also need host keys in /config/ssh/ssh_known_hosts
    RhostsRSAAuthentication no
    similar for protocol version 2
    HostbasedAuthentication no
    Change to yes if you don't trust ~/.ssh/known_hosts for
    RhostsRSAAuthentication and HostbasedAuthentication
    IgnoreUserKnownHosts no
    Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes

    To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes
    F5 Note
    Password authentication should be left on "no". The above desription
    is not quite correct. "PasswordAuthentication yes" means that sshd
    reads /etc/passwd and /etc/shadow. Instead, BigIP uses
    "KeyboardInteractive" mode, which uses PAM authentication.
    PasswordAuthentication no
    PermitEmptyPasswords no

    Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes

    Kerberos options
    KerberosAuthentication no
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    KerberosGetAFSToken no

    GSSAPI options
    GSSAPIAuthentication no
    GSSAPICleanupCredentials yes

    This is enabled, PAM authentication is allowed through the
    ChallengeResponseAuthentication and PasswordAuthentication.
    UsePAM no
    UsePAM yes

    AllowTcpForwarding yes
    GatewayPorts no
    X11Forwarding no
    X11DisplayOffset 10
    X11UseLocalhost yes
    PrintMotd yes
    PrintLastLog yes
    TCPKeepAlive yes
    UseLogin no
    UsePrivilegeSeparation yes
    PermitUserEnvironment no
    Compression delayed
    ClientAliveInterval 0
    ClientAliveCountMax 3
    ClientAliveInterval 60
    ClientAliveCountMax 10
    UseDNS yes
    PidFile /var/run/sshd.pid
    MaxStartups 10
    PermitTunnel no

    override default of no subsystems
    Subsystem sftp /usr/libexec/openssh/sftp-server
  • Here is the file permission for config for ssh

    -rw------- 1 root root


  • I verified permissions; however, it looks to be something deeper. If I do a dmesg on the box I see this for each time I have tried to start up the process.

    SubDomain: REJECTING r access to /config/ssh/sshd_config (sshd(7227) profile /usr/sbin/sshd active /usr/sbin/sshd)
  • As a follow-up, I found the SubDomain process which was causing this permissions error. Once I stopped the process, it allowed sshd to start up.
  • Did you configure subdomain to allow SSHD access to the sshd_config file? You can do so following a related solution (SOL9531). That would be preferable to disabling subdomain entirely. Also, you might want to open a case with F5 Support to see if they can help you figure out how this could have happened. It's not very expected in normal use of LTM.

    Aaron
  • I actually just came into the environment recently, so for the quick fix to get the F5 back into our monitoring I disabled subdomain. I am going back to make sure it is properly set up and will add SSHD in there.

    Thanks guys!
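
The dmesg entry quoted in this thread is what pointed to SubDomain rather than file permissions. As an added example (not code from the thread or from F5), the shell functions below tally such denials by profile, access mode and path from kernel log text; the function names and every sample line except the first are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the first line is the dmesg entry quoted in the thread;
# the remaining lines are made up for this example.
SAMPLE_DMESG='SubDomain: REJECTING r access to /config/ssh/sshd_config (sshd(7227) profile /usr/sbin/sshd active /usr/sbin/sshd)
eth0: link up
SubDomain: REJECTING r access to /config/ssh/sshd_config (sshd(7301) profile /usr/sbin/sshd active /usr/sbin/sshd)
SubDomain: REJECTING w access to /tmp/example.tmp (exampled(812) profile /usr/sbin/exampled active /usr/sbin/exampled)'

# Read kernel log text on stdin and print "<count> <profile> <mode> <path>"
# for every distinct SubDomain denial. Paths containing spaces are not handled.
subdomain_denials() {
  awk '
    /SubDomain: REJECTING/ {
      mode = ""; path = ""; profile = ""
      for (i = 1; i < NF; i++) {
        if ($i == "REJECTING" && mode == "")  mode = $(i + 1)
        if ($i == "to" && path == "")         path = $(i + 1)
        if ($i == "profile" && profile == "") profile = $(i + 1)
      }
      # Count only lines where all three fields were found.
      if (mode != "" && path != "" && profile != "")
        count[profile " " mode " " path]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k2
}

# Exit 0 if the given profile was denied access to the given path.
# usage: profile_denied PROFILE PATH < log
profile_denied() {
  subdomain_denials |
    awk -v p="$1" -v f="$2" '$2 == p && $4 == f { hit = 1 } END { exit !hit }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_DMESG" | subdomain_denials
```

On the device, `dmesg | subdomain_denials` lists the paths each profile was refused, which is the information needed to adjust the profile instead of stopping SubDomain.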