I pushed a check script; this is option (b) from my previous comment.
Unfortunately sshd -t doesn't list all files that might have problems. Looks like it checks the main config file at /etc/ssh/sshd_config, then processes the include directive, and then just highlights one of the included files.
For example, here sshd_config is not even listed, because I added the bad option at the end:
root@j-sshd-dev:~# echo "KerberosUniqueCCache no" >> /etc/ssh/sshd_config
root@j-sshd-dev:~# echo "KerberosUniqueCCache no" >> /etc/ssh/sshd_config.d/gssapi.conf
root@j-sshd-dev:~# echo "KerberosUniqueCCache no" >> /etc/ssh/sshd_config.d/gssapi-2.conf
root@j-sshd-dev:~# sshd -t
/etc/ssh/sshd_config.d/gssapi-2.conf: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi-2.conf: terminating, 1 bad configuration options
If I add it to the top, before sshd_config includes sshd_config.d/*.conf, then it's listed too:
root@j-sshd-dev:~# vi /etc/ssh/sshd_config
root@j-sshd-dev:~# sshd -t
/etc/ssh/sshd_config: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi-2.conf: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi-2.conf: terminating, 1 bad configuration options
But gssapi.conf is not listed.
If I remove gssapi-2.conf, then gssapi.conf is listed:
root@j-sshd-dev:~# rm /etc/ssh/sshd_config.d/gssapi-2.conf
root@j-sshd-dev:~# sshd -t
/etc/ssh/sshd_config: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi.conf: line 1: Bad configuration option: KerberosUniqueCCache
/etc/ssh/sshd_config.d/gssapi.conf: terminating, 1 bad configuration options
Anyway, in this state, it's able to clean the config up:
# systemctl restart ssh
logs:
May 26 19:57:08 j-sshd-dev systemd[1]: Starting OpenBSD Secure Shell server...
May 26 19:57:08 j-sshd-dev sshd-config-check[50945]: WARNING: Disabling KerberosUniqueCCache option in /etc/ssh/sshd_config
May 26 19:57:08 j-sshd-dev sshd-config-check[50945]: WARNING: Disabling KerberosUniqueCCache option in /etc/ssh/sshd_config.d/gssapi.conf
May 26 19:57:08 j-sshd-dev sshd-config-check[50945]: Testing again
May 26 19:57:09 j-sshd-dev sshd[50960]: Server listening on 0.0.0.0 port 22.
May 26 19:57:09 j-sshd-dev sshd[50960]: Server listening on :: port 22.
May 26 19:57:09 j-sshd-dev systemd[1]: Started OpenBSD Secure Shell server.
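Added example (not part of the original comment, and not the sshd-config-check script it mentions): since `sshd -t` names only some of the affected files, this sketch scans the main config and every drop-in directly and comments out the unsupported option wherever it appears. The function name `disable_option` and its arguments are hypothetical, and it assumes the only include is the `sshd_config.d/*.conf` glob shown above.

```shell
#!/bin/sh
# Added example, not the packaged sshd-config-check script.
# Comments out every occurrence of one unsupported option in the main
# config and in each drop-in, instead of relying on the files sshd -t names.

# disable_option OPTION CONFIG_DIR   (hypothetical helper)
# Prints the number of files changed on stdout; warnings go to stderr.
disable_option() {
    opt=$1
    dir=$2
    changed=0
    for f in "$dir/sshd_config" "$dir"/sshd_config.d/*.conf; do
        [ -f "$f" ] || continue      # missing file or unmatched glob
        # sshd keywords are case-insensitive and may be followed by
        # whitespace or '='; lines already commented out do not match.
        if grep -Eiq "^[[:space:]]*${opt}([[:space:]=]|\$)" "$f"; then
            echo "WARNING: Disabling ${opt} option in $f" >&2
            tmp=$(mktemp) || return 1
            awk -v opt="$opt" '
                BEGIN { pat = "^[ \t]*" tolower(opt) "([ \t=]|$)" }
                tolower($0) ~ pat { print "#" $0; next }
                { print }
            ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
            cat "$tmp" > "$f"        # rewrite in place: keeps owner and mode
            rm -f "$tmp"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}
```

On a real host this would be called as `disable_option KerberosUniqueCCache /etc/ssh` and followed by another `sshd -t` run, since other errors may remain.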