aadsshlogin extension causes sshd_corrupt

Time:01-27

While adding the AADSSHLogin extension to a VM, the following entry is added to /etc/ssh/sshd_config:

Match User *@*,????????-????-????-????-????????????    # Added by aadsshlogin installer
AuthenticationMethods publickey
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/sbin/aad_certhandler %u %k
AuthorizedKeysCommandUser root

It causes the following error in the "sshd -T" command:

$ sudo sshd -T|grep passw
'Match User' in configuration but 'user' not in connection test specification.

When the above lines are disabled, the command works without error, for example:

$ sudo sshd -T|grep passw
kerberosorlocalpasswd yes
passwordauthentication no
permitemptypasswords no

Is there any workaround that could be done to this change (introduced in sshd_config by Microsoft's AADSSHLogin package) to fix the problem?

CodePudding user response:

$ sudo sshd -T|grep passw
'Match User' in configuration but 'user' not in connection test specification.

The above error is marked as a bug and can be fixed in the newer versions mentioned in the GitHub Issues page, but one of the workarounds to fix this issue is:

  • To make it work on all OS's I apparently have to use this:
sshd -T -C user=root -C host=localhost -C addr=localhost
  • Removing the match directive makes it work. If I keep the match, adding -C is required. According to the man page, -C is supposed to be optional and it was indeed the case on older releases.

References:

  1. [Bug 2858] New: sshd -T requires -C when "Match" is used in sshd_config
  2. Can't get sshd_config Match User to work
  3. How To Tune your SSH Daemon Configuration on a Linux VPS
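
An added example, not part of the original answer: a small shell helper that applies the `-C` workaround only when the config contains an active Match line, and reads one effective setting as seen by a given user. The function names and the `SSHD_BIN` override are assumptions made for this sketch; the `-C` values are the ones quoted in the answer.

```shell
#!/bin/sh
# Added example, not from the original post. SSHD_BIN and the function
# names are assumptions; the -C values are the ones quoted in the answer.

# Succeeds when the config has an active (uncommented) Match line, which
# is what makes a bare "sshd -T" fail on the affected OpenSSH releases.
has_match_block() {
    grep -Eiq '^[[:space:]]*match[[:space:]]' "$1"
}

# Print the sshd arguments for extended test mode against config file $1,
# adding a connection spec for user $2 (default root) only when needed.
sshd_test_args() {
    if has_match_block "$1"; then
        echo "-T -f $1 -C user=${2:-root} -C host=localhost -C addr=localhost"
    else
        echo "-T -f $1"
    fi
}

# Print the effective value of keyword $2 in config $1 as seen by user $3.
# Errors from sshd are left on stderr so a failed test is not silent.
effective_setting() {
    # Unquoted on purpose: the argument string must split into words.
    # shellcheck disable=SC2046
    "${SSHD_BIN:-sshd}" $(sshd_test_args "$1" "$3") |
        awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }'
}
```

Run it as root, for example `effective_setting /etc/ssh/sshd_config passwordauthentication`; passing a third argument in `user@domain` form shows the values that apply inside the `Match User *@*` block instead of the global ones. Config paths containing spaces are not handled.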