Monthly patch Layer7_API_PlatformUpdate breaks ssg sshd service

Article ID: 366746

Products

CA API Gateway

Issue/Introduction

After applying the Layer7_API_PlatformUpdate patch, the sshd service can break because of an invalid configuration, and the gateway server may not be able to start properly.

Review /etc/ssh/sshd_config and note:

```
Match user ssgconfig
        ForceCommand /etc/ssh/ssh_force_command_ssgconfig.sh
Match user ssgadmin
        ForceCommand /etc/ssh/ssh_force_command_ssgadmin.sh
UseDNS no
```

The `UseDNS` directive should be under a "Match" option.

Environment

ssg 10.x, ssg 11.x 

Cause

If no `UseDNS` directive is already set in the config, the patch simply appends `UseDNS no` to the bottom of the file.

With the default Match blocks in the file, the last Match block is not ended properly, so the appended `UseDNS no` is parsed as part of it.

A test run of sshd results in:

```
/etc/ssh/sshd_config line 154: Directive 'UseDns' is not allowed within a Match block
```

If you reboot the server after the patch, sshd fails to start back up.

Resolution

Add a `Match all` directive at the end of the configuration file.

Sample of a proper configuration in /etc/ssh/sshd_config:

```
Match user ssgconfig
        ForceCommand /etc/ssh/ssh_force_command_ssgconfig.sh
Match user ssgadmin
        ForceCommand /etc/ssh/ssh_force_command_ssgadmin.sh
Match all
UseDNS no
```
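
A pre-restart check for the condition described in this article, as an added example (not part of the article or of the patch): the hypothetical function `misplaced_directive` reports where `UseDNS` lands inside a Match block, using the article's two layouts as sample input. It assumes Include files are not followed.

```shell
# Report lines where a global-only sshd_config keyword (default: UseDNS)
# sits inside a Match block. A Match block runs until the next Match line
# or the end of the file; per the article's fix, "Match all" ends it.
# Assumption: Include files are not followed. Keywords are case-insensitive.
misplaced_directive() {
    awk -F '[ \t=]+' -v kw="${2:-UseDNS}" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }      # drop indentation and trailing blanks
        /^#/ || /^$/ { next }                # skip comments and empty lines
        {
            key = tolower($1)
            if (key == "match") {
                in_match = !(NF == 2 && tolower($2) == "all")
                match_line = NR
            } else if (key == tolower(kw) && in_match) {
                printf "%d: %s (inside Match block opened at line %d)\n", NR, $0, match_line
            }
        }
    ' "$1"
}

# Sample input: the two layouts shown in the article, written to temp files.
broken=$(mktemp); fixed=$(mktemp)
trap 'rm -f "$broken" "$fixed"' EXIT
cat > "$broken" <<'EOF'
Match user ssgconfig
        ForceCommand /etc/ssh/ssh_force_command_ssgconfig.sh
Match user ssgadmin
        ForceCommand /etc/ssh/ssh_force_command_ssgadmin.sh
UseDNS no
EOF
cat > "$fixed" <<'EOF'
Match user ssgconfig
        ForceCommand /etc/ssh/ssh_force_command_ssgconfig.sh
Match user ssgadmin
        ForceCommand /etc/ssh/ssh_force_command_ssgadmin.sh
Match all
UseDNS no
EOF

echo "after patch:"; misplaced_directive "$broken"
echo "after fix:";   misplaced_directive "$fixed"
```

On the gateway itself, `sshd -t` remains the authoritative syntax check; run it after patching and before restarting sshd or rebooting.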