evolix/evocheck
evolix
/
evocheck
21
2
Fork 2
Code Issues 48 Pull Requests 5 Releases 37 Wiki Activity

check_sshpermitrootno is broken #129

New Issue
Closed
opened 2020-12-07 11:27:45 +01:00 by bwaegeneire · 1 comment
bwaegeneire commented 2020-12-07 11:27:45 +01:00
Owner
Copy Link

The default value of PermitRootLogin is prohibit-password and check_sshpermitrootno search in the config file for line setting PermitRootLogin to something other than no. So when this options isn't expclicitly set in the config file, PermitRootLogin isn't set to no but the chekc doens't fail although it should have.

This issue was revealed in ticket 55058.

Note that fixing and deploying it may lead to a lot of failed checks if they have previosly been fixed as first done in that ticket.

The default value of `PermitRootLogin` is `prohibit-password` and check_sshpermitrootno search in the config file for line setting `PermitRootLogin` to something other than `no`. So when this options isn't expclicitly set in the config file, `PermitRootLogin` isn't set to `no` but the chekc doens't fail although it should have. This issue was revealed in ticket 55058. Note that fixing and deploying it may lead to a lot of failed checks if they have previosly been fixed as first done in that ticket.
bwaegeneire commented 2021-06-16 11:09:49 +02:00
Author
Owner
Copy Link

Even worse, we don't check the effective configuration. In the followig example evocheck approve the configuration, looking naively at the configuration file one could think PermitRootLogin is disabled since it's applied last, however looking at the effective configuration dumped by SSH we that's not the case!

# /usr/share/scripts/evocheck.sh --verbose --cron
# echo $?
0
# grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin prohibit-password
PermitRootLogin no
# sshd -T -C addr=0.0.0.0,user=root | grep permitroot
permitrootlogin without-password
Even worse, we don't check the effective configuration. In the followig example evocheck approve the configuration, looking naively at the configuration file one could think `PermitRootLogin` is disabled since it's applied last, however looking at the effective configuration dumped by SSH we that's not the case! ``` sh # /usr/share/scripts/evocheck.sh --verbose --cron # echo $? 0 # grep PermitRootLogin /etc/ssh/sshd_config PermitRootLogin prohibit-password PermitRootLogin no # sshd -T -C addr=0.0.0.0,user=root | grep permitroot permitrootlogin without-password ```
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
148
evoversions
autoif-bullseye
check_all_files_in_backup_dir
IS_NETWORKING_SERVICE
sources.list-support-option
IS_SYSTEMDUSERUNIT
minifirewall_systemd
check_compressed_mongodump
bullseye
IS_LXC_CONTAINER_RESOLV_CONF
is_mysql_upgrade
buster-support
no-check-valid-until
release-19.06
fix-mysqlnrpe
apachesymlink-verbose
debian
VERBOSE-ALERT5MINIFW
11-Check-for-sysadmins-home-size
linux/24.01
linux/23.11.1
linux/23.11
linux/23.10
linux/23.07
openbsd/23.06
linyx/23.04.01
linux/23.04
linux/23.03.01
linux/23.03
linux/23.02
openbsd/23.02
linux/23.0.2
openbsd/22.12
linux/22.12
openbsd/22.11
linux/22.11
openbsd22.10
linux/22.09
linux/22.08.1
linux/22.08
22.08
22.06.2
22.06.1
22.06
22.03
22.03.1
21.10.4
21.10.1
21.09
20.12
20.04.4
20.04.3
20.04.2
20.04.1
20.02.1
19.11.1
v19.11
19.10
19.09
v19.06
v19.04
debian/0.13.1-1
v0.13.1
debian/0.13-1
v0.13
debian/0.12-1
v0.12
debian/0.11-1
v0.11
Labels
Clear labels   
bug

Something is not working

  
bullseye

   
discussion

This need to be discussed

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
suggestion

Suggest to add/change something

  
wontfix

This won't be fixed

No Label
bug
bullseye
discussion
duplicate
enhancement
help wanted
invalid
question
suggestion
wontfix
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: evolix/evocheck#129
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?