Hi.
AFAIU, rkhunter does roughly the following to check for the value of PermitRootLogin.
Goes through SSH_CONFIG_DIR or /etc /etc/ssh /usr/local/etc /usr/local/etc/ssh looking for sshd_config, taking the first one found.
Case-insensitively greps for "PermitRootLogin", only looking at the first result, doing some further regexp playing to get the value out of that line.
1) There's no guarantee the file is called sshd_config and that seems not to be configurable.
2) The fallback of going through those dirs and testing only the first found match is a bit fragile IMHO. The file could exist in multiple locations, but the one actually used could be from a later dir, which rkhunter wouldn't check anymore.
3) The parsing is IMHO a bit fragile. Nothing prevents upstream from changing the syntax and semantics, especially the "first assignment wins" rule could easily be changed.
Newer sshd versions have the -T option, which can be used to give a standardised output of the effective configuration. That should be used, I'd say. (However, see later)
4) sshd_config syntax allows values to be enclosed in double quotes; AFAIK the parser doesn't handle this.
Most important and security-relevant is IMHO:
5) It's not Match block aware.
The Match blocks lead to different effective values (at runtime) for PermitRootLogin, depending on the match criteria.
An sshd_config like:
    PermitRootLogin no
    Match User *
        PermitRootLogin yes
would already trick rkhunter into believing it's "no", while effectively it is "yes".
Unfortunately this is where the nice -T fails... :-( ... while there is -C too, it cannot be used to "select" a certain Match block (which we could parse for), but only to give the criteria (and it's difficult to set them up so that all Match blocks would get matched once).
So in the end I'd say we should grep for something like:
1) grep -i '^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*' "$SSHD_CONFIG"
(not dropping any lines)
2) remove the directive:
sed 's/^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*//'
3) removing double quotes must be done in an extra step, as we MUST only remove " if there's one at the beginning AND the end:
sed 's/^"\(.*\)"$/\1/'
4) sort -u the output
If now multiple lines are left, it means we have different values either in Match blocks or outside of Match blocks.
For both cases I'd say the rkhunter test should give a warning.
If only one line is left, I'd continue to compare it to the expected value set in rkhunter.conf.
Cheers,
Chris
6) Oh, and it seems current regexps assume one could write directive=value, but I don't think this is possible in the config syntax, or is it?
7) More recent versions of sshd support an "Include" directive that allows moving customizations into separate file(s) in a separate directory (likely "sshd_config.d"), which can be useful to preserve those customizations if system updates want to update the main sshd_config file. I don't think rkhunter understands such includes at all - it only considers the main sshd_config file.
8) (maybe OK) I think current versions of sshd have a default "PermitRootLogin prohibit-password", which would probably be similar to "no" unless someone has unexpectedly added an authorized_keys file to root. Maybe (not sure - could be debatable) rkhunter should consider this newer default to be good enough?
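As an added example (not rkhunter's code, and not written by anyone in this thread), the following POSIX shell script implements the grep/sed/sort -u pipeline proposed above (leading whitespace, case-insensitive keyword, quotes only stripped when present at both ends, warning when Match blocks yield several values) and also expands the Include directive from point 7, so a PermitRootLogin set in a sshd_config.d file is seen too. It assumes Include patterns are resolved relative to the config file's own directory (real sshd resolves relative patterns under /etc/ssh); the sample config tree it builds is constructed data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: collect every PermitRootLogin value an
# sshd_config can set (main file, Include'd files, all Match blocks), strip
# surrounding double quotes, and warn when the values disagree.

# expand_includes FILE
# Prints FILE with each "Include" line replaced by the contents of the files its
# patterns match. Assumption for this example: relative patterns resolve against
# the directory of FILE (sshd itself uses /etc/ssh). The body is a subshell so
# recursive calls keep their own variables and glob settings.
expand_includes() (
    cfg=$1
    dir=$(dirname "$cfg")
    while IFS= read -r line || [ -n "$line" ]; do
        if printf '%s\n' "$line" | grep -qi '^[[:space:]]*Include[[:space:]]'; then
            # everything after the keyword is a whitespace-separated list of globs
            pats=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:space:]]*//')
            set -f                      # keep the patterns literal while splitting them
            for pat in $pats; do
                case "$pat" in /*) ;; *) pat="$dir/$pat" ;; esac
                set +f                  # now let the shell expand the pattern
                for f in $pat; do
                    if [ -f "$f" ]; then expand_includes "$f"; fi
                done
                set -f
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$cfg"
)

# permit_root_login_values FILE
# Prints the distinct PermitRootLogin values, one per line, over the expanded
# config. A line is only taken when the keyword is the first word (commented
# lines are skipped); quotes are unwrapped only when present at both ends.
permit_root_login_values() {
    expand_includes "$1" \
    | grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' \
    | sed -e 's/^[[:space:]]*[Pp][Ee][Rr][Mm][Ii][Tt][Rr][Oo][Oo][Tt][Ll][Oo][Gg][Ii][Nn][[:space:]]*//' \
          -e 's/[[:space:]]*$//' \
          -e 's/^"\(.*\)"$/\1/' \
    | LC_ALL=C sort -u
}

# check_permit_root_login FILE EXPECTED
# Returns 0 when exactly one value is set and equals EXPECTED; 1 when several
# different values exist (Match blocks or included files); 2 when the single
# value differs from EXPECTED; 3 when it is not set at all (sshd then applies
# its compiled-in default, which this script does not try to know).
check_permit_root_login() {
    vals=$(permit_root_login_values "$1")
    if [ -z "$vals" ]; then n=0; else n=$(printf '%s\n' "$vals" | wc -l | tr -d ' '); fi
    if [ "$n" -eq 0 ]; then
        echo "Warning: PermitRootLogin not set in $1; sshd default applies"
        return 3
    elif [ "$n" -gt 1 ]; then
        echo "Warning: PermitRootLogin has several values (Match blocks or includes):"
        printf '  %s\n' $vals
        return 1
    elif [ "$vals" != "$2" ]; then
        echo "Warning: PermitRootLogin is '$vals', expected '$2'"
        return 2
    fi
    return 0
}

# make_sample_config
# Builds a constructed sshd_config tree (sample data, not from any real host)
# in a temporary directory and prints that directory.
make_sample_config() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf '%s\n' '# main file (constructed sample)' \
        'Include sshd_config.d/*.conf' \
        'PermitRootLogin "no"' \
        'Match User backup' \
        '    PermitRootLogin yes' > "$d/sshd_config"
    printf '\tpermitrootlogin prohibit-password\n' > "$d/sshd_config.d/10-local.conf"
    # a consistent variant: one global value, the Match block touches nothing relevant
    printf '%s\n' 'PermitRootLogin no' 'Match User backup' '    PasswordAuthentication no' \
        > "$d/sshd_config.consistent"
    echo "$d"
}

# Usage: pass an sshd_config path and the expected value (default "no"), or run
# without arguments to exercise the constructed sample tree.
if [ $# -gt 0 ]; then
    check_permit_root_login "$1" "${2:-no}"
else
    d=$(make_sample_config)
    for cfg in "$d/sshd_config" "$d/sshd_config.consistent"; do
        if check_permit_root_login "$cfg" no; then
            echo "$cfg: OK"
        else
            echo "$cfg: warning (status $?)"
        fi
    done
    rm -rf "$d"
fi
```

On the sample tree the main file yields three values (no, prohibit-password, yes), so the check warns even though the first assignment seen in the main file is "no"; the consistent variant yields the single value "no" and passes.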
rkhunter on the develop branch uses sshd -T to list the configuration settings, including whatever is set in files within sshd_config.d.