Merge pull request 'sshpermitrootno: Use effective configuration.' (#135) from fix-129 into master

Reviewed-on: #135
Jérémy Lecour 2022-06-03 11:15:45 +02:00
commit 0c461689d1


@ -1217,14 +1217,20 @@ check_usrsharescripts() {
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
} }
check_sshpermitrootno() { check_sshpermitrootno() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then sshd_args="-C addr=,user=,host=,laddr=,lport=0"
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then if is_debian_jessie || is_debian_stretch; then
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ # Noop, we'll use the default $sshd_args
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no" :
fi elif is_debian_buster; then
sshd_args="${sshd_args},rdomain="
else else
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no" # -T doesn't require the additional -C.
sshd_args=
fi
# XXX: We want parameter expension here
if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
fi fi
} }
check_evomaintenanceusers() { check_evomaintenanceusers() {
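Review bot: The new test `sshd -T $sshd_args | grep -q 'permitrootlogin no'` in check_sshpermitrootno reads only the global setting, so a `Match` block in /etc/ssh/sshd_config that sets `PermitRootLogin yes` for some user or address would still pass. sshd applies Match rules only against the connection parameters it is given, and here the `-C` spec carries empty values on Jessie, Stretch and Buster and is dropped entirely in the else branch. A comment stating that limit, or an extra check for `PermitRootLogin` inside `Match` sections, would make the coverage explicit. Separately, if `sshd -T` itself fails the pipeline produces no output and the check reports "PermitRoot should be set to no", which hides the real cause; capturing the output first and failing with a distinct message when the command errors would separate the two cases. The `# XXX` line could become `# shellcheck disable=SC2086 # word splitting of $sshd_args is intended`.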