Egbert edited this page Apr 11, 2022 · 4 revisions

499-net-ssh-config-check.sh

An example of the CISecurity-like check against OpenSSH 9.0p1 using the 490-net-ssh/499-net-ssh-config-check.sh script.

$ cd work
$ gh repo clone egberts/easy-admin
$ cd easy-admin/490-net-ssh
$ sudo ./499-net-ssh-config-check.sh -b /
[sudo] password for johndoe: 
Checking security of OpenSSH configs

Checking against BUILDROOT=/ directory ...
WARNING: BUILDROOT is targeting current '/' root file system

SSHD (Server) Config File(s) Layout: split-file
Reading in //etc/ssh/sshd_config ...
Content of /etc/ssh/sshd_config Syntax OK.

SSH (Client) Config File(s) Layout: split-file
Reading in //etc/ssh/ssh_config ...
Content of /etc/ssh/ssh_config Syntax OK.

Version: OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k  25 Mar 2021
'sshd' $HOME:  /run/sshd
Binary Path:
  Server     : /usr/sbin/sshd
  Client     : /usr/bin/ssh
  Shell      : /usr/sbin/nologin
nologin is BSD, but various Linux distros have broken nologin away
from the BSD shadow package.
There are five nologin variants out there... we probably need the ones
that properly logs to LOG_CONSOLE|LOG_AUTH|LOG_CRIT (which is BSD shadow)
to comply with basic auditing/CISecurity and record all SSH activities
It is tough to check the auditing aspect of an unknown nologin w/o source code
and the only other way is by actual demonstration and observation in audit logs.

Auth Methods   : password,publickey password publickey
WARN: Authentication Method 'password,publickey' found weak
INFO: Switch the keyvalues around to 'publickey,password'
WARN: Authentication Method 'password' came before 'publickey'
INFO: Switch the keyvalues around to 'publickey password'

Group File Permissions Policy
  SSHD daemon  : sshd
  Inbound SSH  : ssh
  Outbound SSH : ssh
WARN: No security granularity between inbound and outbound SSH connection.

Inbound Policy
  Deny Users   : root
  Allow Users  : 
  Deny Groups  : root
  Allow Groups : ssh

Server config files:  //etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
Server hostkey files: /etc/ssh/ssh_host_ed25519_key
WARN: remove unused hostkey files
INFO: refer to HostKey in sshd_config, et. al.
INFO: Some files are: /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key
Client config files:  //etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf

SELinux sshd_var_run_t group:
PID file:     /run/sshd/sshd.pid


Ubuntu 20+, CISecurity, or Maximum Security settings? (u/c/M): M
Maximum security settings...
755 root:root (EXPECTED_SSH_SHELL_FILESPEC) /usr/sbin/nologin:  ok.
750 root:ssh (SSH_BIN_FILESPEC) /usr/bin/ssh:  ok.
...skipping unused /usr/libexec/nm-ssh-service (NM_SSH_SERVICE).
755 root:root (SSHD_HOME_DIRSPEC) /run/sshd:  ERROR
...Expecting '775' file permission
...Expecting 'sshd' group name
755 root:root (SSHD_BIN_FILESPEC) /usr/sbin/sshd:  ERROR
...Expecting '750' file permission
...Expecting 'sshd' group name
640 root:sshd (this_config_file) //etc/ssh/sshd_config:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/100-daemon-logging.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/111-daemon-network.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/112-daemon-pidfile.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/113-daemon-maxstartups.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/114-daemon-ip-addr-families.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/115-daemon-tcpkeepalive.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/119-daemon-rdomain.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/201-daemon-login-grace.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/220-daemon-subversion.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/223-daemon-banner-debian.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/260-login-auth-keyagent.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/300-protocol-kex-algos.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/302-protocol-ciphers.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/304-protocol-macs.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/310-protocol-compression.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/324-protocol-rekey.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/336-protocol-hostkey.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/337-protocol-host-algos.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/338-protocol-host-certs.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/339-protocol-sec-key-provider.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/400-protocol-dns.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/410-protocol-auth-methods.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/412-protocol-auth-max-tries.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/422-protocol-password-empty-permit.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/424-protocol-auth-type-password.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/426-protocol-key-fingerprint.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/430-auth-pubkey.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/432-auth-pubkey-types.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/434-auth-pubkey-cas-algos.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/435-auth-pubkey-revoked.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/436-auth-pubkey-auth-file.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/438-auth-pubkey-ca-keys.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/440-auth-challenge.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/440-login-strict-modes.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/442-auth-hostbased.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/443-auth-hostbased-opts.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/450-auth-krb5-gss-api.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/500-session.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/501-session-client-alive.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/510-login-pam.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/512-permit-root-login.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/514-permit-user-environment.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/520-login-chroot-dir.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/530-login-users-deny.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/540-login-users-allow.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/550-login-groups-deny.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/570-login-groups-allow.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/580-login-auth-cmds-princ.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/590-login-auth-cmds-key.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/600-forwarding-disabled.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/700-tunnel-permit.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/750-allow-tcp-forwarding.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/811-pty-x11-support.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/853-pty-allowed.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/854-pty-lastlogin.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/855-pty-banner.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/855-pty-printmotd.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/856-pty-forced-command.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/857-pty-shell-env.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/858-pty-max-sessions.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/859-pty-ip-qos.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/900-pipe.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/902-expose-auth-info.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/910-ctrl-gateway-ports.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/912-stream-local-bind-unlink.conf:  ok.
640 root:sshd (this_config_file) /etc/ssh/sshd_config.d/999-match-template.conf:  ok.
640 root:ssh (this_config_file) //etc/ssh/ssh_config:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/010-conf-old-ignore.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/011-include.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/200-canonicalize-hostname.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/20-hostname.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/210-canonicalize-max-dots.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/220-canonical-domains.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/221-canonicalize-fallback-local.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/222-canonicalize-permitted-cnames.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/224-address-family.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/225-ip-port.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/230-proxy-command.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/232-clear-all-forwardings.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/250-control-persist.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/250-proxy.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/260-protocol-hostkeys-update.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/270-connection-attempts.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/280-logging.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/280-remote-command.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/300-user-identity-agent.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/310-path-control.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/320-connect-timeout.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/330-tcp-keepalive.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/340-bind-address.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/350-bind-interface.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/360-server-alive-interval.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/361-server-alive-count-max.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/370-pkcs11-provier.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/380-batch-mode.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/390-identity-files.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/400-identity-agent.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/410-stream-local-bind-mask.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/410-stream-local-bind-unlink.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/440-knownhosts-global-file.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/442-knownhosts-check-host-ip.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/443-knownhosts-hashed.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/450-knownhosts-user.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/500-kex-ciphers.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/510-kex-algorithms.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/530-compression.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/550-macs.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/560-hostkeys-algos.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/600-session-rekey-limit.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/650-knownhosts-hostkey-check-strict.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/660-knownhosts-hostkey-revoked.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/670-hostkey-verify-dns.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/680-hostkey-alias.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/690-auth-no-host-for-localhost.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/700-auth-preferred.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/710-auth-password.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/740-auth-interactive-kbd.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/741-auth-interactive-kbd-pam.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/750-certificate-file.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/760-auth-pubkey.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/761-auth-pubkey-key-types.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/762-auth-pubkey-add-to-agent.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/763-auth-pubkey-identities-only.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/770-auth-hostbased.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/771-auth-hostbased-key-type.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/772-auth-hostbased-keysign.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/773-auth-hostbased-ca-sig-algos.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/780-auth-challenge.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/790-auth-kerberos-krb5.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/791-auth-kerberos-delegate.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/801-session-tty-request.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/805-session-login-max.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/806-session-fingerprint-hash.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/807-session-hostkey-visual.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/810-session-control-master.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/812-session-tunnel-device.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/814-session-local-forward.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/820-forward-gateway-ports.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/821-forward-remote.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/822-forward-dynamic.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/823-forward-exit-on-failure.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/824-tunnel.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/840-session-local-cmd-permit.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/841-session-local-cmd.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/842-session-forward-agent.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/910-ipqos-delay-thrghpt.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/950-x11.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/980-escape-char.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/980-shell-env.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/991-match-host-onion.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/992-match-host-egbert.net.vps.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/993-match-host-local.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/994-match-host-github.com.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/995-match-host-sandbay.conf:  ok.
640 root:ssh (this_config_file) /etc/ssh/ssh_config.d/996-match-host-arca.conf:  ok.
755 root:root (VAR_RUN_SSHD_DIRSPEC) /run/sshd:  ERROR
...Expecting 'sshd' group name
...skipping unused /run/sshd/sshd.pid (pidfile_filespec).
WARN: PID file not found; make sure it is in the correct 'sshd' subdir.
Permission errors:   5
Total files      : 163
File missing     :       2
Skipped files    :       3
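Two of the checks in the output above carry the security point of the page: the file-permission policy (the `640 root:sshd (...) path:  ok.` lines, the `ERROR` / `...Expecting` lines and the trailing counters) and the AuthenticationMethods ordering warnings (`password,publickey` is flagged because password is tried before publickey). The following is an added example and not code from the easy-admin project or its 499-net-ssh-config-check.sh script: a small POSIX shell re-implementation of both checks so the logic can be read in a few lines. The policy labels, scratch directory and files in the demo are constructed; it assumes GNU coreutils `stat -c` (Linux).

```shell
#!/bin/sh
# Added example (not the easy-admin project's code): minimal re-implementation of
# the file-permission policy check and the AuthenticationMethods ordering check
# shown in the 499-net-ssh-config-check.sh output.
# Assumption: GNU coreutils `stat -c`; BSD stat uses a different syntax.

# Check one file against an expected "mode owner group" policy and print a line in
# the script's style. Returns 0 (ok), 1 (permission/ownership error), 2 (missing).
check_file_perm() {
    exp_mode=$1 exp_owner=$2 exp_group=$3 label=$4 path=$5
    if [ ! -e "$path" ]; then
        printf '...missing %s (%s).\n' "$path" "$label"
        return 2
    fi
    actual=$(stat -c '%a %U:%G' "$path") || return 2
    act_mode=${actual%% *}
    act_owner=${actual#* }; act_owner=${act_owner%%:*}
    act_group=${actual##*:}
    if [ "$act_mode" = "$exp_mode" ] && [ "$act_owner" = "$exp_owner" ] \
       && [ "$act_group" = "$exp_group" ]; then
        printf '%s %s:%s (%s) %s:  ok.\n' "$act_mode" "$act_owner" "$act_group" "$label" "$path"
        return 0
    fi
    printf '%s %s:%s (%s) %s:  ERROR\n' "$act_mode" "$act_owner" "$act_group" "$label" "$path"
    [ "$act_mode" = "$exp_mode" ]   || printf "...Expecting '%s' file permission\n" "$exp_mode"
    [ "$act_owner" = "$exp_owner" ] || printf "...Expecting '%s' owner name\n" "$exp_owner"
    [ "$act_group" = "$exp_group" ] || printf "...Expecting '%s' group name\n" "$exp_group"
    return 1
}

# Apply a policy table read from stdin (one "mode owner group label path" entry per
# line) and print counters shaped like the script's trailer.
run_policy() {
    errors=0 total=0 missing=0
    while read -r mode owner group label path; do
        [ -z "$mode" ] && continue
        total=$((total + 1))
        rc=0; check_file_perm "$mode" "$owner" "$group" "$label" "$path" || rc=$?
        [ "$rc" -eq 1 ] && errors=$((errors + 1))
        [ "$rc" -eq 2 ] && missing=$((missing + 1))
    done
    printf 'Permission errors: %d\n' "$errors"
    printf 'Total files      : %d\n' "$total"
    printf 'File missing     : %d\n' "$missing"
}

# Move publickey to the front of a comma-separated method list (the fix the
# script suggests in its INFO line).
reorder_list() {
    rest=$(printf '%s' "$1" | tr ',' '\n' | grep -vx publickey | paste -sd, -)
    printf 'publickey%s\n' "${rest:+,$rest}"
}

# Walk an AuthenticationMethods value ("list list ...", each list "m1,m2,...").
# Warn when password is tried before publickey, either inside one comma list or
# because a password-first list precedes a publickey-first list.
# Returns 1 if anything was flagged, 0 otherwise.
check_auth_methods_order() {
    rc=0 password_first_seen=0
    for list in $1; do
        first=${list%%,*}
        case "$list" in
            *password*,*publickey*)
                printf "WARN: Authentication Method '%s' found weak\n" "$list"
                printf "INFO: Switch the keyvalues around to '%s'\n" "$(reorder_list "$list")"
                rc=1 ;;
        esac
        case "$first" in
            password) password_first_seen=1 ;;
            publickey)
                if [ "$password_first_seen" -eq 1 ]; then
                    printf "WARN: Authentication Method 'password' came before 'publickey'\n"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Demo on constructed files in a scratch directory (labels and paths are made up).
demo_dir=$(mktemp -d)
me=$(stat -c '%U' "$demo_dir"); mg=$(stat -c '%G' "$demo_dir")
touch "$demo_dir/sshd_config"; chmod 640 "$demo_dir/sshd_config"
touch "$demo_dir/ssh_config";  chmod 644 "$demo_dir/ssh_config"   # too open: flagged
printf '640 %s %s DEMO_SSHD_CONFIG %s\n640 %s %s DEMO_SSH_CONFIG %s\n640 %s %s DEMO_ABSENT %s\n' \
    "$me" "$mg" "$demo_dir/sshd_config" "$me" "$mg" "$demo_dir/ssh_config" \
    "$me" "$mg" "$demo_dir/none.conf" | run_policy
check_auth_methods_order "password,publickey password publickey" || true
rm -rf "$demo_dir"
```

The demo expects the same owner and group the scratch directory was created with, so it is meaningful on any account; for a real policy the expected owner and group come from the hardening profile (root:sshd for server files, root:ssh for client files in the output above) rather than from the file being checked.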