BUG: SSH daemon configuration output broken, if "Match" directives in sshd_config

Hello All,

The SSH daemon configuration (sshd_config) check, does not work if there are „Match“ directives in the sshd_config, like in this example…

cat /etc/ssh/sshd_config
[…]
PasswordAuthentication no
[…]
Match Group 123_sftp_only
PasswordAuthentication yes

In this cases the agent to outputs data like this…
[…]
PasswordAuthentication: noyes
[…]
Therefore the check is always “Critical”, no matter if “Allow password authentication” is configured Yes or No.

A potential solution would be to base the agent on the output of “/sbin/sshd -T -C user=root” (user to be configurable), instead of relying on the content of sshd_config.
The sshd output is more consistent in content and ignores upper/lowercase.

1 Like