When managing SSH server configurations, a common scenario arises where you need to modify the PermitRootLogin parameter in sshd_config. The question of whether duplicate directives are allowed and how they behave is crucial for system administrators.
The OpenSSH server processes configuration files with first-match semantics. When encountering multiple instances of the same directive:
- The first occurrence is honored
- Subsequent duplicates are ignored
- No warning or error is generated
Simply appending a new PermitRootLogin directive won't work (note that without-password is the pre-7.0 spelling of prohibit-password; OpenSSH still accepts it as an alias):
# This approach WON'T work as intended
echo 'PermitRootLogin without-password' >> /etc/ssh/sshd_config
The proper approach is to change the existing line in place, either by hand or with a configuration management tool:
# Option 1: Use sed for in-place modification. This rewrites every line that begins with
# PermitRootLogin, commented or not, so check afterwards that exactly one active line remains
# and that it sits in the global section, not inside a Match block where it would be scoped.
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin without-password/' /etc/ssh/sshd_config
# Option 2: Use ansible for configuration management. lineinfile replaces the LAST line that
# matches regexp, so remove duplicates first; otherwise an earlier active line keeps winning.
- name: Ensure correct root login setting
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#*PermitRootLogin'
    line: 'PermitRootLogin without-password'
    validate: 'sshd -t -f %s'
Always validate configuration changes:
# Check for duplicate settings (every occurrence, commented or not, with line numbers)
grep -ni 'PermitRootLogin' /etc/ssh/sshd_config
# Test configuration syntax (this does not warn about duplicate directives)
sshd -t
# Apply changes (unit name varies by OS: sshd on RHEL-like systems, ssh on Debian/Ubuntu,
# which also accepts sshd as an alias; a reload is enough for sshd_config changes).
# Keep your current session open until a fresh login succeeds.
systemctl restart sshd
When modifying SSH configurations:
- Maintain existing comments for documentation
- Preserve original file ownership and permissions (root-owned and not group- or world-writable; distributions typically ship it as 644 root:root, and 600 root:root is also fine)
- Consider using configuration management tools for auditability
- Always test in non-production environments first
For more complex scenarios, consider:
# Using Include directives (OpenSSH 8.2+). Debian and Ubuntu place this line at the top of
# sshd_config, so a drop-in file is read first and, under first-match, wins over a later
# setting in the main file.
Include /etc/ssh/sshd_config.d/*.conf
# Or using Match blocks (PermitRootLogin is one of the keywords allowed inside Match).
# Match blocks must come after all global settings.
Match User root
    PermitRootLogin without-password
Remember that SSH configuration is sensitive and changes should be made with appropriate precautions to avoid lockout situations.
When working with SSH server configuration, a common question arises: what happens when you specify the same directive multiple times in sshd_config? sshd_config(5) states that, unless noted otherwise, the first obtained value for each keyword is used, and the behavior is easy to confirm by testing with sshd -T or by reading the OpenSSH source code.
OpenSSH's configuration parser uses a first-match-wins approach. This means:
# Original setting
PermitRootLogin yes
# Later addition
PermitRootLogin without-password
In this case, the first occurrence of PermitRootLogin will be used, and subsequent duplicates will be ignored. This is OpenSSH's documented behavior; don't assume other SSH server implementations follow the same rule.
The naive approach of simply appending a new value:
echo 'PermitRootLogin without-password' >> /etc/ssh/sshd_config
won't achieve the desired effect because:
- The original setting remains active
- The new setting is effectively ignored
- No warning or error is generated
For deployment scripts, you should either:
Option 1: Use sed to modify the existing line
# Matches only an active line at column 1. If the file has only the commented default
# (#PermitRootLogin prohibit-password), nothing changes and nothing is appended, so verify
# with grep afterwards or use the '^#*PermitRootLogin' pattern instead.
sed -i 's/^PermitRootLogin.*/PermitRootLogin without-password/' /etc/ssh/sshd_config
Option 2: Use a configuration management tool
# Ansible example. lineinfile replaces the last line matching regexp, so if duplicates exist
# the first (winning) line survives untouched; dedupe first and let validate reject a broken file.
- lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin without-password'
    state: present
    validate: 'sshd -t -f %s'
Always verify your changes:
# Check which setting is active (with Match blocks, add -C user=root,host=HOST,addr=ADDR
# for the connection you care about; otherwise only the global value is shown)
sshd -T | grep permitrootlogin
# Test configuration before restarting
sshd -t
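The following POSIX shell script is an added example and not code from the original page: it reproduces the first-match rule on a constructed sample sshd_config, shows that an appended duplicate is ignored, and replaces the directive in place so that exactly one active line remains (the same job the sed and lineinfile snippets above do, but with the duplicate and Match-block pitfalls handled). The function names (build_sample, first_match, count_active, set_directive, effective_value_live) are my own. It assumes whitespace-separated "Keyword value" lines and does not follow Include, so sshd -T on the real host remains the final authority; effective_value_live wraps that check and is only useful where sshd is installed.

```shell
#!/bin/sh
# Added example, not from the original page: first-match semantics on a constructed sample
# sshd_config, plus a replace-in-place helper that leaves one unambiguous directive behind.
# Assumptions: "Keyword value" lines separated by whitespace (the "Keyword=value" form and
# Include drop-ins are not handled); sshd -T on the real host remains the final authority.
set -eu

# build_sample FILE: write a constructed sshd_config with duplicates and a Match block.
build_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
#PermitRootLogin prohibit-password
PermitRootLogin yes
Port 22
# appended by a naive deployment script; sshd ignores it because the first match wins
PermitRootLogin without-password
Match User deploy
    PermitRootLogin no
EOF
}

# first_match FILE KEYWORD: the value sshd takes for the global section (first active
# occurrence, case-insensitive; scanning stops at the first Match block).
first_match() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }' "$1"
}

# count_active FILE KEYWORD: number of active (uncommented) global occurrences.
count_active() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { n++ }
        END                          { print n + 0 }' "$1"
}

# set_directive FILE KEYWORD VALUE: rewrite the first global occurrence in place (an active
# line or the commented default), drop later active duplicates that sshd would ignore anyway,
# leave comments and Match blocks alone, and insert before the first Match block (or at the
# end of the file) if the keyword was absent.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            tok = $1
            commented = sub(/^#+/, "", tok)
            if (!commented && tolower(tok) == "match") {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (!in_match && tolower(tok) == tolower(key)) {
                if (!done) { print key " " value; done = 1; next }
                if (!commented) next
            }
            print
        }
        END { if (!done) print key " " value }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through the existing inode so owner and mode survive
    rm -f "$tmp"
}

# effective_value_live USER: what the installed sshd would use for USER, including Match
# blocks and Include drop-ins. Only meaningful on a host with sshd; not run by the demo.
effective_value_live() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed" >&2; return 1; }
    sshd -t && sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" |
        awk '$1 == "permitrootlogin" { print $2 }'
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp)
build_sample "$sample"
printf 'before: effective=%s active_lines=%s\n' \
    "$(first_match "$sample" PermitRootLogin)" "$(count_active "$sample" PermitRootLogin)"
set_directive "$sample" PermitRootLogin prohibit-password
printf 'after:  effective=%s active_lines=%s\n' \
    "$(first_match "$sample" PermitRootLogin)" "$(count_active "$sample" PermitRootLogin)"
rm -f "$sample"
```

Writing the result back with cat rather than mv or sed -i keeps the file's inode, owner and mode, which matters when the file is hard-linked or labelled. Because Debian and Ubuntu include /etc/ssh/sshd_config.d/*.conf before the main file's own settings, a drop-in there can still override whatever set_directive writes; that is exactly the case effective_value_live exists to catch.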
While most directives follow first-match behavior, some exceptions exist:
- Match blocks create scoped configurations: a keyword inside a Match block applies only to connections that satisfy the match criteria and is evaluated separately from the global value
- AcceptEnv and AllowUsers are cumulative: each additional line adds to the list
- Some settings can be specified multiple times with different effects, for example Port, ListenAddress and HostKey, where every occurrence takes effect
When in doubt, consult the OpenSSH source code (servconf.c) or test with sshd -T to see the effective configuration; with Match blocks, pass -C with user=, host= and addr= values for the connection you care about, since plain sshd -T shows only the global values.
Improper modification of sshd_config can lead to:
- Unintended permission changes
- Lockout scenarios
- Security vulnerabilities if settings don't take effect as expected
Always test configuration changes in a non-production environment first.