Can I overwrite a setting within sshd_config with a duplicate setting?

I am implementing a basic deploy script and for sshd_config the only change that I need to make is PermitRootLogin yes to PermitRootLogin without-password. I have read through the docs and they make no mention of this but that is not to say it is impossible.

Can I specify a second PermitRootLogin? I.e. echo 'PermitRootLogin without-password' >> /etc/ssh/sshd_config

If so, is this safe?

Updates based on comments:

1) I am aware that I could parse the file and change the variable. My question still remains though.


No.

You could simply test this by adding the line and checking whether you can log in. Then you could comment out the first occurrence, restart the service and test again.

Reason: OpenSSH's servconf.c has the function

  • process_server_config_line() on lines 1200-2171 (for 7.9p1)
  • refactored to call process_server_config_line_depth() on lines 1260-2371 (for 8.3p1).

All global directives are processed only at startup and global directives are only processed once. The setting will stay as it was on the first occurrence.

On the other hand using the same directive twice may lead to misunderstanding.

Please reconsider parsing the file. You could also replace the whole file, if applicable.


No, most settings will only use the first value they come across; the X11Forwarding setting is an easy one to test this with. That being said, you might be able to take advantage of the per-user override settings to allow the same thing. These are normally tagged onto the bottom and so would work better with your goal of appending.

That being said, as the others mentioned sed would be a much cleaner solution.

sed -i 's/PermitRootLogin yes/PermitRootLogin without-password/g' /etc/ssh/sshd_config

Amending previous answers. As of now, the manual for the sshd_config file starts with "For each keyword, the first obtained value will be used". Thus, as others have already written, duplicates are ignored.

It is possible to use a Match block to override global settings based on a condition. PermitRootLogin is among the keywords allowed in a Match block.

(I came to this question as the default configuration of sshd in the OS I am using was changed to use an Include directive + glob pattern, moving vendor defaults into a separate file. Thus it is important to know how sshd handles the duplicate keywords, so that I could override the defaults.)
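
The first-value rule described in the answers, as an added shell example that is not part of the question or any answer. It models how a global keyword is resolved and compares appending a duplicate with replacing the first occurrence. The function names (`effective_global`, `set_global`, `demo`) are hypothetical, the sample config is constructed, and Include directives are assumed not to be followed.

```shell
# Added example: model sshd's "first obtained value wins" rule for global keywords.
# Assumptions: Include directives are not followed; the sample config is constructed.

# effective_global FILE KEYWORD -> value taken from the global section
effective_global() {
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    { sub(/^[ \t]+/, "") }                    # leading whitespace is ignored
    /^#/ || /^$/ { next }                     # skip comments and blank lines
    match($0, /^[^ \t=]+/) {
      key = tolower(substr($0, 1, RLENGTH))   # keywords are case-insensitive
      val = substr($0, RLENGTH + 1)
      sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (key == "match") exit                # global section ends at first Match
      if (key == want) { print val; exit }    # first value wins, later ones ignored
    }' "$1"
}

# set_global FILE KEYWORD VALUE -> rewritten config on stdout
set_global() {
  if [ -z "$(effective_global "$1" "$2")" ]; then
    printf '%s %s\n' "$2" "$3"                # not set yet: put it first so it wins
    cat "$1"
  else
    awk -v want="$2" -v val="$3" '
      { line = $0; sub(/^[ \t]+/, "", line); key = "" }
      line !~ /^#/ && match(line, /^[^ \t=]+/) { key = tolower(substr(line, 1, RLENGTH)) }
      key == "match" { global_done = 1 }
      !global_done && !replaced && key == tolower(want) { print want " " val; replaced = 1; next }
      { print }' "$1"
  fi
}

# Append a duplicate (as in the question), then replace the first occurrence instead.
demo() {
  cfg=$(mktemp) fixed=$(mktemp)
  printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' \
    'Match User deploy' '    X11Forwarding no' > "$cfg"
  before=$(effective_global "$cfg" PermitRootLogin)
  echo 'PermitRootLogin without-password' >> "$cfg"   # lands inside the Match block
  appended=$(effective_global "$cfg" permitrootlogin)
  set_global "$cfg" PermitRootLogin without-password > "$fixed"
  after=$(effective_global "$fixed" PermitRootLogin)
  rm -f "$cfg" "$fixed"
  echo "$before -> $appended -> $after"
}
demo
```

On a real host, `sshd -t` validates the file and `sshd -T` prints the effective configuration, so both can be run against the rewritten file before restarting the service.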