SOLVED New cPanel update cause SSH issue

garconcn

Well-Known Member
Oct 29, 2009
158
13
68
I have the following code in my ssh /etc/ssh/sshd_config file to allow our internal network to use password authentication.

Code:
Match address 192.168.1.0/24
    PasswordAuthentication yes
However, the new cPanel update added the following line to the bottom of the /etc/ssh/sshd_config file, which caused SSHD to go down because the "Match address" part has to be at the bottom of the sshd config file. I've manually moved the "Match address" part to the bottom to fix the issue. I am wondering how to prevent this issue?

Code:
DenyGroups      cpaneldemo cpanelsuspended
 

cPanelJasonT

Level 2 Technical Analyst
Staff member
Oct 21, 2014
54
6
83
cPanel Access Level
Root Administrator
Hello,
Thanks for bringing this up. The update to cPanel today introduced a change to the ssh configuration with the interest of increasing security. If there are MatchBlock entries in the ssh configuration, the new DenyGroups directive will interrupt the MatchBlock directive, causing configuration syntax errors.
When this is fixed, you will see case number CPANEL-13176 marked as fixed in the cPanel changelog at changelog.cpanel.net. I apologize for any inconvenience that this has caused.

In the meantime, as a workaround, removing the new directive, or editing /etc/ssh/sshd_config to allow the new directive to work will allow ssh to work normally again.
 

cPanelJasonT

Level 2 Technical Analyst
Staff member
Oct 21, 2014
54
6
83
cPanel Access Level
Root Administrator
Hello,
If you are unable to log into SSH but WHM is accessible, there is a script that will provide a minimal, default configuration of SSH to allow you to log in again. To use this script, you append the following to the url for WHM:

Code:
/scripts2/doautofixer?autofix=safesshrestart
For example, if your server's address is 1.2.3.4, this url will provide a temporary ssh instance that will allow login:

Code:
https://1.2.3.4:2087/scripts2/doautofixer?autofix=safesshrestart
Take note of the output from running that script, as it may restart ssh on a port other than 22 if somehow the previous ssh instance is still running.
 

WorkinOnIt

Well-Known Member
Aug 3, 2016
212
30
28
UK
cPanel Access Level
Root Administrator
This topic is not resolved!

Yes - I also just had to deal with this on 4 servers. We also use the MatchBlock directive to limit SSH logins internally.

The DenyGroups directive that was appended to the bottom of the sshd_config has prevented us from being able to access the server via ssh.

What is this? DenyGroups cpaneldemo cpanelsuspended

Is it needed? Is there any documentation on this new directive?

We had to login via datacentre local machine (console) and used VI to edit sshd_config to fix the issue.

However, it would be great if cPanel could enable the use of the MatchBlock not in the footer - in case of future additional new directives being added during updates - or maybe it's an openssh issue?
 

cPanelJackson

Release Manager
Staff member
Aug 12, 2010
42
11
133
cPanel Access Level
Root Administrator
Hi there,

The DenyGroups line is necessary to prevent potential abuse for suspended and demo accounts. We currently anticipate publishing an autofixer to remediate any broken ssh configurations by moving this line above any Match blocks in sshd_config. In the future, modifications to the sshd_config will always occur before any Match directives to prevent these sorts of issues.

DenyGroups cpaneldemo cpanelsuspended can also be manually moved above any Match blocks if you are currently experiencing this issue.
 
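The fix described in the first post and in the reply above (a global directive appended after the Match block must be moved back above the first Match line, because sshd treats everything from that line to end of file as Match-block content) as an added helper; this is not cPanel's autofixer and not code from this thread. The sample sshd_config inside it is constructed, the keyword list given to it is an assumption, and the sshd binary is assumed to live at /usr/sbin/sshd.

```shell
#!/bin/sh
# Added example: hoist global directives that landed after the first "Match"
# line back above it, then validate with "sshd -t" before putting the file in
# place. A directive appended below a Match block is parsed inside that block
# and, where the server's OpenSSH does not permit it there, breaks the config.

# hoist_above_match FILE KEYWORD...
# Prints FILE with each line whose first word is one of KEYWORD (case-insensitive)
# and which sits after the first Match line moved to just before that line.
hoist_above_match() {
    file=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[tolower(k[i])] = 1 }
        {
            line[NR] = $0
            lw = tolower($1)                      # comment lines start with "#", never match
            if (!inmatch && lw == "match") { inmatch = 1; first = NR }
            else if (inmatch && (lw in want)) hoisted[NR] = 1
        }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == first)                   # emit hoisted lines just above first Match
                    for (j = first; j <= NR; j++) if (hoisted[j]) print line[j]
                if (!hoisted[i]) print line[i]
            }
        }' "$file"
}

# validate_sshd_config FILE: parse-check only, no server is started, so a broken
# file is caught before a restart locks you out. Path to sshd is an assumption.
validate_sshd_config() {
    /usr/sbin/sshd -t -f "$1"
}

# demo_fixed_config: constructed copy of the broken state described in the thread
# (DenyGroups appended below the Match block), run through the fix.
demo_fixed_config() {
    tmp=$(mktemp)
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' '' \
        'Match address 192.168.1.0/24' '    PasswordAuthentication yes' \
        'DenyGroups      cpaneldemo cpanelsuspended' > "$tmp"
    hoist_above_match "$tmp" DenyGroups AllowGroups DenyUsers AllowUsers
    rm -f "$tmp"
}

# Typical use on a live server (as root): write to a new file, validate, then swap in.
#   hoist_above_match /etc/ssh/sshd_config DenyGroups > /etc/ssh/sshd_config.new
#   validate_sshd_config /etc/ssh/sshd_config.new && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
```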
Jan 2, 2015
8
0
1
cPanel Access Level
Root Administrator
We also got "hit" by this problem. I was lucky enough to get a KVM running or I would have to drive 4 hours to get to the physical console.

Thanks for the WHM trick, it may save us also :)

For "DenyGroups cpaneldemo cpanelsuspended", I have commented out the line.

Could you please let us know if a fix for it will be released automatically or should I manually fix it?

A solution could be a "Match all" between the "Match Group" and "DenyGroups cpaneldemo cpanelsuspended"?
 
Jan 2, 2015
8
0
1
cPanel Access Level
Root Administrator
Just saw your previous answer... Thanks!

I just move the "DenyGroups..." before the "Match Group..." and restarted sshd.
 

cPanelJasonT

Level 2 Technical Analyst
Staff member
Oct 21, 2014
54
6
83
cPanel Access Level
Root Administrator
Hello,
Thank you for the feedback. These updates are part of the TSR-2017-003 security update. The information about these updates is scheduled to be released tomorrow. More about this update is available here:

cPanel TSR-2017-0003 Announcement | cPanel Newsroom

Typically with TSR updates, they are released with an announcement, then the disclosure is released after a time period to allow vulnerabilities to be fixed before they are explained.

More information about this will be available when the disclosure is released tomorrow.

Also, an autofixer script has been created to work around this, which has just been published.

To fix this, one can either run the cPanel update or go to
Code:
https://1.2.3.4:2087/scripts2/doautofixer?autofix=sshd_denygroups
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
208
cPanel Access Level
DataCenter Provider
why not insert the Denygroup automatically above any detected Match directives (1st instance found for Match)?
As part of case CPANEL-13176 (to be released in v66+), the security team responsible for the original update is re-working the code that manages the ssh configuration to ensure a broad range of sshd_config customizations can be handled.

In the meantime this was resolved via the auto-fix that was released as part of CPANEL-13178