-
Notifications
You must be signed in to change notification settings - Fork 2
SSH
Egbert edited this page Apr 11, 2022
·
4 revisions
The following sections are some of the outputs of SSH-related script files.
An example of the CISecurity-like check against OpenSSH 9.0p1 using 490-net-ssh/499-net-ssh-config-check.sh
script.
$ cd work
$ gh repo clone egberts/easy-admin
$ cd easy-admin/490-net-ssh
$ sudo ./499-net-ssh-config-check.sh -b /
[sudo] password for johndoe:
Checking security of OpenSSH configs
Checking against BUILDROOT=/ directory ...
WARNING: BUILDROOT is targeting current '/' root file system
SSHD (Server) Config File(s) Layout: split-file
Reading in //etc/ssh/sshd_config ...
Content of /etc/ssh/sshd_config Syntax OK.
SSH (Client) Config File(s) Layout: split-file
Reading in //etc/ssh/ssh_config ...
Content of /etc/ssh/ssh_config Syntax OK.
Version: OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k 25 Mar 2021
'sshd' $HOME: /run/sshd
Binary Path:
Server : /usr/sbin/sshd
Client : /usr/bin/ssh
Shell : /usr/sbin/nologin
nologin is BSD, but various Linux distros have broken nologin away
from the BSD shadow package.
There are five nologin variants out there... we probably need the ones
that properly logs to LOG_CONSOLE|LOG_AUTH|LOG_CRIT (which is BSD shadow)
to comply with basic auditing/CISecurity and record all SSH activities
It is tough to check the auditing aspect of an unknown nologin w/o source code
and the only other way is by actual demonstration and observation in audit logs.
Auth Methods : password,publickey password publickey
WARN: Authentication Method 'password,publickey' found weak
INFO: Switch the keyvalues around to 'publickey,password'
WARN: Authentication Method 'password' came before 'publickey'
INFO: Switch the keyvalues around to 'publickey password'
Group File Permissions Policy
SSHD daemon : sshd
Inbound SSH : ssh
Outbound SSH : ssh
WARN: No security granularity between inbound and outbound SSH connection.
Inbound Policy
Deny Users : root
Allow Users :
Deny Groups : root
Allow Groups : ssh
Server config files: //etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
Server hostkey files: /etc/ssh/ssh_host_ed25519_key
WARN: remove unused hostkey files
INFO: refer to HostKey in sshd_config, et. al.
INFO: Some files are: /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key
Client config files: //etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf
SELinux sshd_var_run_t group:
PID file: /run/sshd/sshd.pid
Ubuntu 20+, CISecurity, or Maximum Security settings? (u/c/M): M
Maximum security settings...
755 root:root (EXPECTED_SSH_SHELL_FILESPEC) /usr/sbin/nologin: ok.
750 root:ssh (SSH_BIN_FILESPEC) /usr/bin/ssh: ok.
...skipping unused /usr/libexec/nm-ssh-service (NM_SSH_SERVICE).
755 root:root (SSHD_HOME_DIRSPEC) /run/sshd: ERROR
...Expecting '775' file permission
...Expecting 'sshd' group name
755 root:root (SSHD_BIN_FILESPEC) /usr/sbin/sshd: ERROR
...Expecting '750' file permission
...Expecting 'sshd' group name
640 root:sshd (this_config_file) //etc/ssh/sshd_config: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/100-daemon-logging.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/111-daemon-network.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/112-daemon-pidfile.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/113-daemon-maxstartups.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/114-daemon-ip-addr-families.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/115-daemon-tcpkeepalive.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/119-daemon-rdomain.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/201-daemon-login-grace.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/220-daemon-subversion.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/223-daemon-banner-debian.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/260-login-auth-keyagent.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/300-protocol-kex-algos.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/302-protocol-ciphers.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/304-protocol-macs.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/310-protocol-compression.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/324-protocol-rekey.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/336-protocol-hostkey.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/337-protocol-host-algos.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/338-protocol-host-certs.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/339-protocol-sec-key-provider.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/400-protocol-dns.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/410-protocol-auth-methods.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/412-protocol-auth-max-tries.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/422-protocol-password-empty-permit.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/424-protocol-auth-type-password.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/426-protocol-key-fingerprint.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/430-auth-pubkey.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/432-auth-pubkey-types.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/434-auth-pubkey-cas-algos.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/435-auth-pubkey-revoked.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/436-auth-pubkey-auth-file.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/438-auth-pubkey-ca-keys.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/440-auth-challenge.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/440-login-strict-modes.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/442-auth-hostbased.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/443-auth-hostbased-opts.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/450-auth-krb5-gss-api.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/500-session.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/501-session-client-alive.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/510-login-pam.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/512-permit-root-login.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/514-permit-user-environment.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/520-login-chroot-dir.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/530-login-users-deny.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/540-login-users-allow.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/550-login-groups-deny.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/570-login-groups-allow.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/580-login-auth-cmds-princ.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/590-login-auth-cmds-key.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/600-forwarding-disabled.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/700-tunnel-permit.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/750-allow-tcp-forwarding.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/811-pty-x11-support.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/853-pty-allowed.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/854-pty-lastlogin.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/855-pty-banner.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/855-pty-printmotd.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/856-pty-forced-command.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/857-pty-shell-env.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/858-pty-max-sessions.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/859-pty-ip-qos.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/900-pipe.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/902-expose-auth-info.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/910-ctrl-gateway-ports.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/912-stream-local-bind-unlink.conf: ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/999-match-template.conf: ok.
640 root:ssh (this_config_file) //etc/ssh/ssh_config: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/010-conf-old-ignore.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/011-include.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/200-canonicalize-hostname.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/20-hostname.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/210-canonicalize-max-dots.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/220-canonical-domains.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/221-canonicalize-fallback-local.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/222-canonicalize-permitted-cnames.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/224-address-family.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/225-ip-port.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/230-proxy-command.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/232-clear-all-forwardings.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/250-control-persist.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/250-proxy.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/260-protocol-hostkeys-update.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/270-connection-attempts.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/280-logging.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/280-remote-command.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/300-user-identity-agent.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/310-path-control.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/320-connect-timeout.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/330-tcp-keepalive.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/340-bind-address.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/350-bind-interface.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/360-server-alive-interval.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/361-server-alive-count-max.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/370-pkcs11-provier.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/380-batch-mode.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/390-identity-files.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/400-identity-agent.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/410-stream-local-bind-mask.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/410-stream-local-bind-unlink.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/440-knownhosts-global-file.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/442-knownhosts-check-host-ip.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/443-knownhosts-hashed.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/450-knownhosts-user.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/500-kex-ciphers.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/510-kex-algorithms.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/530-compression.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/550-macs.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/560-hostkeys-algos.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/600-session-rekey-limit.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/650-knownhosts-hostkey-check-strict.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/660-knownhosts-hostkey-revoked.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/670-hostkey-verify-dns.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/680-hostkey-alias.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/690-auth-no-host-for-localhost.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/700-auth-preferred.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/710-auth-password.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/740-auth-interactive-kbd.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/741-auth-interactive-kbd-pam.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/750-certificate-file.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/760-auth-pubkey.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/761-auth-pubkey-key-types.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/762-auth-pubkey-add-to-agent.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/763-auth-pubkey-identities-only.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/770-auth-hostbased.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/771-auth-hostbased-key-type.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/772-auth-hostbased-keysign.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/773-auth-hostbased-ca-sig-algos.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/780-auth-challenge.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/790-auth-kerberos-krb5.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/791-auth-kerberos-delegate.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/801-session-tty-request.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/805-session-login-max.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/806-session-fingerprint-hash.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/807-session-hostkey-visual.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/810-session-control-master.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/812-session-tunnel-device.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/814-session-local-forward.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/820-forward-gateway-ports.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/821-forward-remote.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/822-forward-dynamic.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/823-forward-exit-on-failure.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/824-tunnel.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/840-session-local-cmd-permit.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/841-session-local-cmd.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/842-session-forward-agent.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/910-ipqos-delay-thrghpt.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/950-x11.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/980-escape-char.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/980-shell-env.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/991-match-host-onion.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/992-match-host-egbert.net.vps.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/993-match-host-local.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/994-match-host-github.com.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/995-match-host-sandbay.conf: ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/996-match-host-arca.conf: ok.
755 root:root (VAR_RUN_SSHD_DIRSPEC) /run/sshd: ERROR
...Expecting 'sshd' group name
...skipping unused /run/sshd/sshd.pid (pidfile_filespec).
WARN: PID file not found; make sure it is in the correct 'sshd' subdir.
Permission errors: 5
Total files : 163
File missing : 2
Skipped files : 3
SSH Server script generates all the script settings needed for most flexible SSH connections by ssh
tool.
All settings are located under build/
subdirectory. (This can be changed using -b /
for direct install).
$ sudo ./490-net-ssh-server.sh
[sudo] password for johndoe:
Setting up OpenSSH daemon configuration file(s)
This host has no direct root login (only sudo)
Creating build/etc/ssh/sshd_config ...
/home/johndoe/work/github/easy-admin/490-net-ssh /home/johndoe/work/github/easy-admin/490-net-ssh
/home/johndoe/work/github/easy-admin/490-net-ssh
Checking sshd_config syntax ...
build/etc/ssh/sshd_config passes syntax-checker.
User root cannot access this SSH server here.
NOTICE: You probably want to re-run this script but as non-root.
SSH key group ID found: ssh_keys in /etc/group
Done.
SSH Client script generates all the script settings needed for most flexible SSH connections by ssh
tool.
All settings are located under build/
subdirectory. (This can be changed using -b /
for direct install).
$ bash 491-net-ssh-client.sh
Creating SSH client configuration files...
Check the OpenSSH client for appropriate file permission settings
Creating subdirectories to build ...
Creating file permission script in build/file-settings-openssh-client.sh ...
Creating build/ssh_config.build-test-only ...
Creating build/etc/ssh/ssh_config ...
Checking build/etc/ssh/ssh_config for any syntax error ...
Passes syntax checks.
User johndoe has access to this hosts SSH server
User johndoe has access to this hosts SSH server
Only these users can use 'ssh' tools: 'johndoe
sshd
sshd,johndoe'
If you have non-root apps that also uses '/usr/bin/ssh', then add that user
to the 'ssh' supplemental group; run:
usermod -a -G ssh <username>
Done.