Joey Armstrong
2017-03-25 18:56:35 UTC
Hi,
I was running rkhunter earlier and had a persistent warning reported about legacy ssh protocol in use:
Performing system configuration file checks
Checking if SSH protocol v1 is allowed [ Warning ]
The system does not allow v1 so I started poking at the test and found that ssh config values were retrieved from a single config file (sshd_conf). [fyi] The linux distribution that rk was invoked on uses a default open-ss* package installation that has vars split between two independent files -- sshd_conf and ssh_conf:
% egrep 'Proto|Root' /etc/ssh/*
/etc/ssh/ssh_config: Protocol 2
/etc/ssh/sshd_config: PermitRootLogin no
Exclusively searching for "Protocol" in sshd_conf confused the test and will always report a warning when multiple config files are in use.
The patch below was able to correct the problem on my system and might be fodder for a future release.
Thanks -- Joey
--- rkhunter 2014-03-12 16:54:55.000000000 -0400
+++ rkhunter.mod 2017-03-25 13:51:45.551706944 -0400
@@ -16264,7 +16264,8 @@
# First find out where the SSH configuration file is located.
#
- SSH_CONFIG_FILE=""
+ SSH_CONFIG_FILE="" # ALLOW_SSH_PROT_V1
+ SSHD_CONFIG_FILE="" # PermitRootLogin
if [ -n "${SSH_CONFIG_DIR}" ]; then
RKHTMPVAR="${SSH_CONFIG_DIR}"
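Review bot: the header comment above this block still says "where the SSH configuration file is located" (singular) while the hunk now tracks two files; extend that comment to state that sshd_config is the server file (source of PermitRootLogin) and ssh_config the client file, so a later reader sees why SSH_CONFIG_FILE and SSHD_CONFIG_FILE can end up naming different files. The trailing markers `# ALLOW_SSH_PROT_V1` and `# PermitRootLogin` only name the option each variable feeds and do not explain that distinction.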
@@ -16274,15 +16275,20 @@
for DIR in ${RKHTMPVAR}; do
if [ -f "${DIR}/sshd_config" ]; then
- SSH_CONFIG_FILE="${DIR}/sshd_config"
+ SSHD_CONFIG_FILE="${DIR}/sshd_config"
+ SSH_CONFIG_FILE="${SSHD_CONFIG_FILE}"
+ grep -i '^[ ]*Protocol[ =]' "${DIR}/ssh_config" 2>/dev/null >/dev/null
+ if [ $? -eq 0 ]; then
+ SSH_CONFIG_FILE="${DIR}/ssh_config"
+ fi
break
fi
done
- if [ -n "${SSH_CONFIG_FILE}" ]; then
+ if [ -n "${SSHD_CONFIG_FILE}" ]; then
display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE_SSH
- display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND 'an' 'SSH' "${SSH_CONFIG_FILE}"
+ display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND 'an' 'SSH' "${SSHD_CONFIG_FILE}"
display --to LOG --type INFO CONFIG_SSH_ROOT "${ALLOW_SSH_ROOT_USER}"
display --to LOG --type INFO CONFIG_SSH_PROTV1 $ALLOW_SSH_PROT_V1
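Review bot: the fallback `grep -i '^[ ]*Protocol[ =]' "${DIR}/ssh_config"` followed by `SSH_CONFIG_FILE="${DIR}/ssh_config"` redirects the protocol-v1 check to the client configuration. ssh_config controls what the outgoing ssh client offers, not what sshd accepts, so a host whose sshd_config omits Protocol (or lists 1) but whose ssh_config says `Protocol 2` will now pass a check that exists to detect a permissive server; this removes the reported warning without verifying the daemon. Suggest keeping the protocol check on SSHD_CONFIG_FILE and, when that file has no Protocol line, reporting "not set" or applying the sshd default for the installed OpenSSH version, rather than consulting ssh_config. Two smaller points: `grep ... 2>/dev/null >/dev/null` followed by `if [ $? -eq 0 ]` can be written `if grep ... >/dev/null 2>&1; then`, and since SYSTEM_CONFIGS_FILE_FOUND now logs only `${SSHD_CONFIG_FILE}`, the log no longer records which file the Protocol value came from when the fallback fires.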
@@ -16294,7 +16300,7 @@
# First we check for allowed root access.
#
- RKHTMPVAR=`grep -i '^[ ]*PermitRootLogin[ =]' "${SSH_CONFIG_FILE}" | tail ${TAIL_OPT}1`
+ RKHTMPVAR=`grep -i '^[ ]*PermitRootLogin[ =]' "${SSHD_CONFIG_FILE}" | tail ${TAIL_OPT}1`
if [ -n "${RKHTMPVAR}" ]; then
#
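Review bot: reading PermitRootLogin from `${SSHD_CONFIG_FILE}` is the right change, since that is a server-side directive. The grep for the Protocol directive is outside this patch and, per the `# ALLOW_SSH_PROT_V1` marker in the first hunk, still reads `${SSH_CONFIG_FILE}`; after the previous hunk that variable may name ssh_config, so that check should be revisited in the same pass so both directives are taken from sshd_config. Note also that the guard in the previous hunk tests only `${SSHD_CONFIG_FILE}`, which is what makes `${SSHD_CONFIG_FILE}` safe to use unconditionally here.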
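As an added example (not rkhunter's code and not part of the patch above), a small POSIX sh audit that reads the protocol setting only from the server file and reports an absent directive instead of falling back to ssh_config; the function names, status words and the constructed sample files are my own.

```shell
#!/bin/sh
# Added example, not rkhunter code: audit the SSH *server* configuration for
# legacy protocol 1. Only sshd_config is consulted; a "Protocol 2" line in the
# client file ssh_config says nothing about what sshd accepts.

# Print the value of the first uncommented Protocol directive in a file
# (sshd honours the first occurrence of a keyword). Accepts "Protocol 2" and
# "Protocol=2". Prints nothing when the directive is absent.
sshd_protocol_value() {
    grep -i '^[[:space:]]*Protocol[[:space:]=]' "$1" 2>/dev/null |
        head -n 1 |
        sed -e 's/^[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]=]*//' \
            -e 's/[[:space:]]*$//'
}

# Classify an sshd_config file. Prints one of:
#   v1-allowed   the Protocol list contains 1 (e.g. "2,1" or "1")
#   v1-disabled  a Protocol directive is present and does not list 1
#   unset        no Protocol directive: sshd uses its compiled-in default
#                ("2,1" before OpenSSH 5.4, "2" from 5.4 on), so the installed
#                version decides; report it rather than guess
#   missing      the file is not readable
sshd_protocol_v1_status() {
    [ -r "$1" ] || { echo missing; return; }
    value=$(sshd_protocol_value "$1")
    [ -n "$value" ] || { echo unset; return; }
    case ",$(printf '%s' "$value" | tr -d '[:space:]')," in
        *,1,*) echo v1-allowed ;;
        *)     echo v1-disabled ;;
    esac
}

# Audit a configuration directory: only sshd_config is checked, and a
# directory holding just the client file is flagged, not trusted.
audit_ssh_dir() {
    if [ -f "$1/sshd_config" ]; then
        sshd_protocol_v1_status "$1/sshd_config"
    elif [ -f "$1/ssh_config" ]; then
        echo no-sshd-config-client-file-only
    else
        echo missing
    fi
}
```

With a directory matching the egrep output above (Protocol only in ssh_config, PermitRootLogin only in sshd_config), `audit_ssh_dir /etc/ssh` reports `unset`, which is the condition the original warning was pointing at.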