Adding FTP account changes SSH Config

It would appear that when you add an extra FTP account to a website, this puts rubbish into the SSH Config file at /etc/ssh/sshd_config and the OpenBSD SSH server fails to start (as reported by Cockpit).

Maybe peculiar to my system which is HestiaCP on Debian 12 but thought I ought to flag it up.

Fortunately, clearing the rubbish from the file solves the problem for the time being.

What exact rubbish is added?

1 Like

As the situation was important, I imagined that the Hestia Development Team would attempt to replicate this problem and provide a fix. Not so! We are now in May of 2024, some six months after I first reported the problem, and it is still happening. It is a real nuisance, but fortunately one can get around it by manually editing the SSH config. In my case, I do this from within Webmin or within Hestia itself.

I am asked what “rubbish” is added.

… Hestia SFTP Chroot

… An example of the error is …
… AllowTcpForwarding| yes, webcliq_okeh

… Editing or reverting to this, solves the problem
AllowTcpForwarding yes

KeepAlive yes
Protocol 1,2
Port 99999
IgnoreRhosts yes
ChallengeResponseAuthentication no
IgnoreUserKnownHosts no
StrictModes no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
GatewayPorts yes
AllowTcpForwarding yes

… This also is changed but does not stop the SSH service from restarting
Match User sftp_dummy99,admin

ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

For security reasons, some items have been amended.

My environment is Debian 12.

I am responsible for three Hestia servers running on Debian 12. It happens on all of them.

Please attend.

Sorry for apparent “Shouting”. It would appear that Blockquote and Hash does that!

The issue here is that you should provide what you get or, as in this case, it is not reproducible in a fresh Hestia install, so it’s impossible to know whether there is something to fix.

To be able to reproduce the issue, we will need the entire sshd_config because I can’t reproduce it in my system (Hestia 1.8.11 and Debian 12.5).

To avoid quoting/shouting problems, you can paste the contents of sshd_config, select all the lines and click on the </> button, and it will be formatted.

Anyway, when adding an FTP account, a new SFTP jail is added and Hestia is looking for this line:

# Hestia SFTP Chroot

It expects a Match User directive on the next line and, in your output, it seems the Hestia SFTP Chroot comment is not in the right place.

You can test it using this command and if it works as expected, you should see a list of the users like sftp_dummy99,admin.

grep -A1 "^# Hestia SFTP Chroot" /etc/ssh/sshd_config | sed -n 2p | sed 's/Match User //'

So, it seems you or some other tool moved the line to the wrong place.

1 Like
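The check discussed above, as an added example that is not part of the thread and not Hestia's own code: it confirms that the marker comment is followed directly by a Match User line, and flags the kind of damaged directive quoted in the thread. The function names and both sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: sanity-check an sshd_config for the layout described in the thread.

MARKER='# Hestia SFTP Chroot'

# Print the user list from the line after the marker.
# Returns 1 if the marker is absent, 2 if the next line is not "Match User ...".
sftp_jail_users() {
    local cfg=$1 next
    grep -q "^${MARKER}" "$cfg" || return 1
    next=$(grep -A1 "^${MARKER}" "$cfg" | sed -n 2p)
    case $next in
        "Match User "*) printf '%s\n' "${next#Match User }" ;;
        *) return 2 ;;
    esac
}

# Heuristic for the symptom quoted in the thread: a yes/no directive whose
# value is followed by a comma and more text. Prints "lineno:line" per hit.
damaged_directives() {
    grep -nE '^[[:space:]]*[A-Za-z0-9]+[|[:space:]]+(yes|no),' "$1" || true
}

# Constructed sample files (not taken from a real server).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good" <<'EOF'
PasswordAuthentication yes
AllowTcpForwarding yes

# Hestia SFTP Chroot
Match User sftp_dummy99,admin
    ChrootDirectory %h
    ForceCommand internal-sftp
EOF
cat > "$demo_dir/bad" <<'EOF'
# Hestia SFTP Chroot
PasswordAuthentication yes
AllowTcpForwarding yes, exampleuser_ftp
Match User sftp_dummy99,admin
    ChrootDirectory %h
EOF

for f in good bad; do
    rc=0; users=$(sftp_jail_users "$demo_dir/$f") || rc=$?
    echo "$f: rc=$rc users=${users:-none}"
    damaged_directives "$demo_dir/$f"
done
```

Running `sshd -t -f /etc/ssh/sshd_config` as root afterwards has OpenSSH itself validate the file before the service is restarted.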