os_sshd_permit_root_login_configure code fails to run the validation script #217

Closed
opened 2026-01-19 18:29:41 +00:00 by michael · 8 comments
Owner

Originally created by @cipineda on GitHub.

Originally assigned to: @brodjieski on GitHub.

Summary

Running the os_sshd_permit_root_login_configure validation script fails to execute with error:
sshd: no hotkeys available -- exiting

Steps to reproduce

Open terminal and run:
`/usr/sbin/sshd -T`

Therefore, running the validation script for os_sshd_permit_root_login_configure fails:
`/usr/sbin/sshd -T | /usr/bin/awk '/permitrootlogin/{print $2}'`

error:
sshd: no hotkeys available -- exiting

If I run the code for this same item but using the code for Monterey on my Ventura systems, it works as expected:

`/usr/bin/grep -c "^PermitRootLogin no" /etc/ssh/sshd_config`
returns a value of "1"

Operating System version

Tested this on Ventura 13.0 22A380 and Ventura Beta 13.1 22C5033e

Intel or Apple Silicon

Silicon

What is the current bug behavior?

error:
sshd: no hotkeys available -- exiting

What is the expected correct behavior?

On computers that have the PermitRootLogin set to no, the script should detect it.

Relevant logs and/or screenshots

Output of checks

Possible fixes

Use the same code you have in the Monterey branch.


@cipineda commented on GitHub:

Yes, autocorrect changed it; it is hostkeys. Right, ssh has not been enabled on my system, yet the script should account for this event.
It does not seem like a good idea to enable ssh just to disable and validate.
It seems like the way you handled it with Monterey worked a lot better.


@robertgendler commented on GitHub:

Did you mean `hostkeys` not hostkeys?

It appears Apple's autocorrect wants to constantly change it to hotkeys.

This will appear if ssh has never been enabled.


@robertgendler commented on GitHub:

The previous way we were handling it was grepping for a line in sshd_config which is messy because you can have multiple ways to set the same value if I remember right.

  • setting value
  • setting=value
  • setting = value

And then you have the sshd_config.d/ folder, which is really where things should be going. So just grepping isn't really a great option.
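The point made in the comment above (three spellings of one setting, plus drop-ins under `sshd_config.d/`) as an added example; it is not part of the original thread and not the project's check. The function names, the sample file names and the simplified Include and Match handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: effective global value of an sshd_config keyword, read from
# the files themselves, so it needs neither host keys nor a started sshd.
# Assumptions: relative Include paths resolve against the including file's
# directory, a Match block ends at end of file or at "Match all", and quoted
# values and trailing comments are not handled.

# Print normalised "keyword value" lines in the order sshd reads them.
sshd_lines() {
    awk '{
        sub(/^[ \t]+/, "")
        if ($0 == "" || /^#/) next               # blank line or comment
        n = match($0, /[ \t=]/)                  # first separator ends the keyword
        if (!n) next
        k = tolower(substr($0, 1, n - 1))        # keywords are case-insensitive
        v = substr($0, n)
        sub(/^[ \t]*=?[ \t]*/, "", v)            # "k v", "k=v" and "k = v"
        sub(/[ \t]+$/, "", v)
        if (k == "match") { cond = (tolower(v) != "all"); next }
        if (!cond) print k, v                    # skip conditional settings
    }' "$1" | (
        cd "$(dirname "$1")" || exit 1           # subshell, so the cd stays local
        while read -r key val; do
            if [ "$key" = include ]; then
                for f in $val; do                # unquoted on purpose: expand globs
                    if [ -f "$f" ]; then sshd_lines "$f"; fi
                done
            else
                printf '%s %s\n' "$key" "$val"
            fi
        done
    )
}

# sshd keeps the first value it reads; exit status 1 means the keyword is unset.
sshd_effective_value() {
    sshd_lines "$2" | awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        $1 == want { sub(/^[^ ]+ /, ""); print; found = 1; exit }
        END { exit !found }'
}

# Constructed sample: the drop-in uses "k = v"; the main file sets a
# conflicting value after the Include, which loses because first value wins.
sample=$(mktemp -d) && mkdir "$sample/sshd_config.d"
printf 'permitrootlogin = no\n' > "$sample/sshd_config.d/100-hardening.conf"
printf 'Include sshd_config.d/*\n#PermitRootLogin no\nPermitRootLogin yes\n' \
    > "$sample/sshd_config"
sshd_effective_value PermitRootLogin "$sample/sshd_config"
```

Against a real system the call would be `sshd_effective_value PermitRootLogin /etc/ssh/sshd_config`; when the keyword is set nowhere, the function returns status 1 and does not report sshd's built-in default.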


@K1jaff commented on GitHub:

I think this might be because you need to start the `sudo /bin/launchctl enable system/com.openssh.sshd` service once for the keys to be created, you can then `sudo /bin/launchctl disable system/com.openssh.sshd` and `sudo /usr/sbin/sshd -T` will return the `hostkeys`


@cipineda commented on GitHub:

Right, but the code is assuming that the service has been started at least once, and in our case, by default, ssh is not enabled until a remote support session is required.


@robertgendler commented on GitHub:

This is now resolved in 'ventura', 'monterey', and 'big_sur'. Issue #245 also was covering this.


@cipineda commented on GitHub:

I tried enabling sshd, then disabling it, and the issue persists:

```
cesar@AMR-20ZMQ6X8 ssh % sudo /bin/launchctl enable system/com.openssh.sshd
Password:
cesar@AMR-20ZMQ6X8 ssh % sudo /bin/launchctl disable system/com.openssh.sshd
Password:
cesar@AMR-20ZMQ6X8 ssh % sudo /usr/sbin/sshd -T | /usr/bin/awk '/permitrootlogin/{print $2}'
Password:
sshd: no hostkeys available -- exiting.
```


@robertgendler commented on GitHub:

This is now resolved in 'ventura', 'monterey', and 'big_sur'. Issue #245 also was covering this.


Reference: usnistgov/macos_security#217