-1

I am running open-ssh 7.8p1 on Redhat 7.0. I downloaded the package and executed the commands in order to install the package:

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-privsep-path=/var/lib/sshd --with-pam --with-xauth=/usr/bin/xauth

make

sudo make install

sshd/config: 

#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 20m
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

sshd status

ssh debug mode result:

debug2: load_server_config: done config len = 669
debug2: parse_server_config: config /etc/ssh/sshd_config len 669
debug3: /etc/ssh/sshd_config:22 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:24 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: /etc/ssh/sshd_config:25 setting HostKey /etc/ssh/ssh_host_ed25519_key
debug3: /etc/ssh/sshd_config:32 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:47 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:65 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:69 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:96 setting UsePAM yes
debug3: /etc/ssh/sshd_config:101 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:112 setting ClientAliveInterval 20m
debug3: /etc/ssh/sshd_config:126 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:127 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:128 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:129 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:132 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug1: sshd version OpenSSH_7.8, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: private host key #0: ssh-rsa SHA256:Gd4H0gToGhergccDgoCrmH03UPAfWcUd1NKusBGlls4
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:NxfjZIJ7oRPjfsBJKeSw/N3kf4iZMedZFnjePbLbyoc
debug1: private host key #2: ssh-ed25519 SHA256:CWwG5eZVSaU3hSizraB1blaeYfws4KI6NOWn1I8KC9Y
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.

I am trying to figure the problem and I tried to run sshd in debug mode and it didn't show any error. After 1 min the sshd service fails then it auto restarts.

I am able to login to the server, but when it fails and before starting again, I get Connection refused.

So If anyone please can suggest a solution for this issue?

user3210456
  • 1
  • 3
  • 2
    Why don't you just stick to the distro version and keep your system updated regularly? – Thomas Jul 20 '19 at 13:44
  • 1
    You shouldn't post pictures of text, instead you should show the (text) output of sshd in debug mode. – RalfFriedl Jul 20 '19 at 14:41
  • 1
    @Thomas The two big reasons I see for people doing things like this are: They don't know that the distro packages have security updates and are misled by the version number not changing (in which case they should just update the system); or they don't actually have a RHEL subscription (in which case they should subscribe or use CentOS instead). Even if neither of these apply, compiling it yourself is not usually a good business practice and there needs to be a really good overriding reason for it. – Michael Hampton Jul 20 '19 at 16:35
  • @Thomas The issue is that a security vulnerability scan is done over my server and a report is generated where they recommend to upgrade the ssh version to 7.8p1 which is not supported by RHEL rpm repository. So I downloaded the package and compile it myself. I referred to the security administration that all patches in higher versions are added to our package 7.4 as it's always up to date but they insisted to upgrade it in order to get rid of the security breach in version 7.4. – user3210456 Jul 20 '19 at 18:24
  • @MichaelHampton Please check the comment above. – user3210456 Jul 20 '19 at 18:24
  • @RalfFriedl I added the sshd output – user3210456 Jul 20 '19 at 18:27
  • 1
    That is the startup, everything seems fine. Is there no messages before the server terminates? – RalfFriedl Jul 20 '19 at 19:37
  • No, you don't upgrade by source code when a security scan identifies a vulnerability. You install the Red Hat provided update which resolves the vulnerability and then document it. – Michael Hampton Jul 21 '19 at 03:37
  • @RalfFriedl no messages. – user3210456 Jul 21 '19 at 11:47

1 Answers1

-1

I've found what was missing and making the service unable to start through systemd. The ssh service was compiled successfully but can't be set to start in the systemd. So I downloaded the package from http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-systemd-units-20180105.tar.bz2 , extracted the content and executed sudo make install-sshd.

After this I was able to start the service through sudo systemctl start sshd.service the status was active (running).

user3210456
  • 1
  • 3