Solved sshd_config errors and ListenAddress

Trying to use the ListenAddress parameter in my /etc/ssh/sshd_config, but there are some error messages and once I set it, I am locked out. I'm connecting to the box via ssh. I have no physical access.

Before setting ListenAddress, here's the output of

/usr/sbin/sshd -d -f /etc/ssh/sshd_config with the default /etc/ssh/sshd_config-

Code:
...
Bind to port 22 on :: failed: Address already in use.
debug1: Bind to port 22 on 0.0.0.0.
...
Bind to port 22 on 0.0.0.0 failed: Address already in use. 
Cannot bind any address.

(I omitted irrelevant verbose output from the cmd with ...).

When I set, e.g., ListenAddress 10.0.150.150-

/usr/sbin/sshd -d -f /etc/ssh/sshd_config

Code:
...
debug1: Bind to port 22 on 10.0.150.150
...
Bind to port 22 on 10.0.150.150 failed: Can't assign requested address.
Cannot bind any address.

...after setting the ListenAddress param, restarting sshd locks me out. I have no problems connecting before setting this param, despite the error message.

There was one time I set the ListenAddress param and ran /usr/sbin/sshd -d -f /etc/ssh/sshd_config and it actually did appear to work, returning-

Code:
...
debug1: Bind to port 22 on 10.0.150.150
...
Server listening on 10.0.150.150 port 22.

...but the /usr/sbin/sshd -d -f /etc/ssh/sshd_config actually hung after returning those lines, and re-running the cmd gave the previous error msg.

Here's output of netstat -ln -p tcp-

Code:
Active Internet connections
Proto Recv-Q Send-Q Local Address       Foreign Address          (state)
tcp4  0      36     10.0.50.50          [blocked out by me]      ESTABLISHED

sockstat -c and sockstat -l show nothing unexpected.
 
Paste the output of ifconfig, please.

The output of netstat -l -p tcp (which you apparently edited) shows that the IP on the local machine is 10.0.50.50, while your configuration commands show 10.0.150.150.

Assuming that is correct, then the problem is that you are attempting to bind sshd to an IP address that doesn't exist on the machine -- which explains the error.

See also the {-t|-T} options to sshd to avoid locking yourself out.
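As an added example (not from the thread, and not OpenSSH's own tooling), a small sh helper that catches both mistakes before the restart: it compares every ListenAddress in a config file against the host's own addresses (assumes BSD-style ifconfig output; the address list can also be passed in explicitly) and then runs sshd -t on the file.

```shell
#!/bin/sh
# Added example, not from the thread: before restarting sshd, verify that every
# ListenAddress in the config is really configured on a local interface, then run
# "sshd -t" to syntax-check the file. Either failure is what locks you out.

# Print the IPv4/IPv6 addresses configured on this host, one per line.
# Assumes BSD-style ifconfig output ("inet 10.0.50.50 ..." / "inet6 fe80::1%em0 ...").
local_addresses() {
    ifconfig 2>/dev/null | awk '$1 == "inet" || $1 == "inet6" { sub(/%.*/, "", $2); print $2 }'
}

# Usage: check_listen_addresses CONFIG_FILE [LOCAL_ADDRESSES]
# LOCAL_ADDRESSES is a whitespace-separated list; defaults to local_addresses output.
# Returns 0 when every ListenAddress is local (wildcards 0.0.0.0 and :: always pass).
check_listen_addresses() {
    cfg=$1
    addrs=${2:-$(local_addresses)}
    rc=0
    # Second field of each uncommented ListenAddress line: host, host:port or [host]:port.
    for value in $(awk 'tolower($1) == "listenaddress" { print $2 }' "$cfg"); do
        case $value in
            \[*\]*) host=${value#\[}; host=${host%%\]*} ;;  # [IPv6]:port
            *:*:*)  host=$value ;;                          # bare IPv6, no port
            *:*)    host=${value%:*} ;;                     # IPv4:port
            *)      host=$value ;;
        esac
        case $host in 0.0.0.0|::) continue ;; esac
        found=0
        for a in $addrs; do
            [ "$a" = "$host" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "ListenAddress $host is not configured on any local interface" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sshd_precheck CONFIG_FILE  -- run both checks before "service sshd restart".
sshd_precheck() {
    check_listen_addresses "$1" && /usr/sbin/sshd -t -f "$1"
}
```

Run sshd_precheck /etc/ssh/sshd_config from the existing session; only restart the daemon when it exits 0.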
 
LOL thank you. Until I saw your response, I totally thought the ListenAddress parameter was what you'd use to limit the IP of connecting machines, not the machine running sshd.

:D:rolleyes::beer:
 
If you want to allow just one IP to access the ssh server, better use the firewall for that. Anyway, there are other viable options you could use to control the access without being limited to one IP if you like.

Following, my sshd_config as an example (the comments are not mine):

Code:
# Server basics
ListenAddress 127.0.0.1
ListenAddress 192.168.0.254
Port 22

# Only enable version 2
Protocol 2

# Don't enable DSA and ECDSA server authentication
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# If you have a recent OpenSSH client, disable weak ciphers and Message Authentication Code
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

# Disable root login. Users have to su to root
PermitRootLogin no

# Turn on Public key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Disable .rhost and normal password authentication
HostbasedAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no

# Only allow users in the wheel group to login
AllowGroups wheel

# In those groups only allow the following users
# The @<domainname> is optional but replaces the
# older AllowHosts directive
AllowUsers privacychain

# Logging
SyslogFacility AUTH
LogLevel INFO

# Keep alive
ClientAliveInterval=300

# Enable internal SFTP Server
Subsystem sftp internal-sftp
 
Until I saw your response, I totally thought the ListenAddress parameter was what you'd use to limit the IP of connecting machines, not the machine running sshd.
Indeed, it defines on what address(es) the sshd(8) daemon should listen. Limiting can be done using Match address for example but as lebarondemerde said, it's easier to do this on the firewall.
 
Indeed, it defines on what address(es) the sshd(8) daemon should listen. Limiting can be done using Match address for example but as lebarondemerde said, it's easier to do this on the firewall.

I'm going to use
Code:
AllowUsers big_girl@10.0.150.150

..to accomplish what I'd intended originally/incorrectly with ListenAddress.

I've got the firewall configured for this, but I like multiple layers of security.
 