Bug 1851620
| Summary: | rkhunter complains about sshd setting after redhat update to sshd_config but does not consider sshd_config.d includes | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | John Dodson <jwadodson> |
| Component: | rkhunter | Assignee: | Kevin Fenzi <kevin> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 33 | CC: | kevin, manuel.wolfshant, mark, martin, nonamedotc |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | rkhunter-1.4.6-10.fc34 rkhunter-1.4.6-10.fc33 rkhunter-1.4.6-10.fc32 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-01-16 19:13:37 UTC | Type: | Bug |
rkhunter currently has no knowledge of /etc/ssh/sshd_config.d/ and upstream isn't too active. Would you be willing to bring the matter up on the upstream list? rkhunter-users.net
*** Bug 1871812 has been marked as a duplicate of this bug. ***
I have submitted a "fix" to the above mailing list - there has been no response, is anyone maintaining this?
-------------
Looking at the code, it seems that the following changes might alleviate the problem (they do for me), although they could break following uses of grep -i ... ${SSH_CONFIG_FILE} ...
Effectively it includes the /etc/ssh/sshd_config.d/* files in the grep.
Without more detailed debugging, I don't claim to understand all the code (yet ;-), I can't be certain, perhaps a maintainer can comment?
(This is a cut & paste - so tabs are probably lost or corrupted - beware)
--------------------------------------------------------------------------------
$ diff rkhunter.johnd /usr/bin/rkhunter
17389,17395d17388
< # JohnD - include the /etc/ssh/sshd_config.d/* files.
< if [ -d "${SSH_CONFIG_FILE}.d" ];then
< SSH_CONFIG_FILE="${SSH_CONFIG_FILE}
${SSH_CONFIG_FILE}.d/*"
< else
< :
< fi
<
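Review bot: Overwriting SSH_CONFIG_FILE in the first added block turns a single path into a whitespace-separated list that ends in the unexpanded glob ${SSH_CONFIG_FILE}.d/*, so any later use that quotes the variable or treats it as one file stops working, and a path containing spaces gets split. Leave SSH_CONFIG_FILE untouched and keep the extra files in a separate variable that only the grep calls use. The bare * also takes in every file in the directory, whatever its name, and the empty "else :" branch can be dropped.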
17413,17414c17406,17407
< # JohnD - add -h to grep opts!
< RKHTMPVAR=`grep -ih '^[ ]*PermitRootLogin[
=]' ${SSH_CONFIG_FILE} 2>/dev/null | tail ${TAIL_OPT}1`
---
RKHTMPVAR=`grep -i '^[ ]*PermitRootLogin[ =]'
"${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`
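Review bot: In the changed grep line, "tail ${TAIL_OPT}1" now selects the last match across sshd_config and every file under sshd_config.d, so the value the check sees depends on the order the files are listed in, while sshd keeps the first value it obtains for a keyword; a PermitRootLogin line in the main file can be the one in force while the check reads the drop-in's value. The quotes around ${SSH_CONFIG_FILE} had to go for the glob to expand, and 2>/dev/null hides the case where the glob matches nothing. The other "grep -i ... ${SSH_CONFIG_FILE}" calls in the script would need the same -h change, or the check should read the resolved configuration instead.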
--------------------------------------------------------------------------------
It probably should also check that the sshd_config file is doing the appropriate "Include", or being conditional on it might be better, depending on how sshd configs are evolving.
In my case I have "PermitRootLogin no" in /etc/ssh/sshd_config.d/99-johnd-sshd.conf
Is there a way to find out if there is any progress on this?
Upstream is not all that active these days it seems. ;( If you have used/tested that patch, I can just look at carrying it in the fedora packages?
Just tested in fc33 and still an issue: rkhunter-1.4.6-9.fc33.noarch
It was suggested (Daniel Demus <ddemus.net>):
It would be preferable to use sshd -T to list the resolved configuration instead of trying to parse the config files.
so use something like,
sshd -T|grep -i PermitRootLogin
I think that to be consistent that would need to be throughout rkhunter, hence a major rebuild.
When it was said that upstream is very quiet, it was not a joke, could they be deceased or just uninterested?
Maybe that's why.
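An added example, not part of the bug report and not rkhunter code: the thread turns on how sshd resolves a keyword once sshd_config.d is in play (Include patterns are read where they appear, and the first value obtained wins), which a grep over all files followed by tail does not reproduce. The function names, the constructed sample tree and the handling of Match (stop reading that file) are assumptions of this sketch; on a live host `sshd -T` remains the authoritative source.

```shell
#!/bin/sh
# Added example (not rkhunter code). Resolves one global sshd_config keyword:
# Include patterns are followed in file order and the first value wins.
# Simplification: a Match line ends the global section of the file it is in.

first_value() (
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); file=$2
    dir=$(dirname "$file"); sep=$(printf ' \t=')
    [ -r "$file" ] || exit 1
    while IFS=$sep read -r key val || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $key in
            ''|'#'*) ;;                       # blank line or comment
            match) exit 1 ;;                  # conditional section starts here
            include)
                set -f; set -- $val; set +f   # split patterns, do not glob yet
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$dir/$pat ;; esac
                    for inc in $pat; do       # unquoted: glob, sorted order
                        [ -f "$inc" ] && first_value "$kw" "$inc" && exit 0
                    done
                done ;;
            "$kw") printf '%s\n' "$val"; exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# The approach of the patch in this report, for comparison: grep the main
# file and every drop-in, keep the last matching line, print its value.
last_grep_value() {
    grep -ih "^[[:space:]]*$1[[:space:]=]" "$2" "$2".d/* 2>/dev/null |
        tail -n 1 | awk '{print $2}'
}

# Constructed sample tree: the main file sets "yes" before its Include line,
# the site drop-in sets "no". Prints the path of the main file.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'PermitRootLogin yes\nInclude sshd_config.d/*.conf\n' > "$d/sshd_config"
    printf 'PermitRootLogin no\n' > "$d/sshd_config.d/99-site.conf"
    printf '%s\n' "$d/sshd_config"
}
```

On the constructed tree `first_value PermitRootLogin "$(make_sample)"` reports the main file's value while `last_grep_value` reports the drop-in's, which is the case where a grep-and-tail check would stay silent although root login is enabled.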
FEDORA-2021-611f32a469 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-024739ab64 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-024739ab64
FEDORA-2021-9c40a9907e has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-9c40a9907e
FEDORA-2021-024739ab64 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-024739ab64` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-024739ab64 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-9c40a9907e has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9c40a9907e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9c40a9907e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-9c40a9907e has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-024739ab64 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
Description of problem:
rkhunter complains about sshd setting after redhat update to sshd_config but does not consider sshd_config.d includes

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
----------------------- End Rootkit Hunter Scan -----------------------

Version-Release number of selected component (if applicable):
1.4.6

How reproducible:
New error - will it go away or will I need a propupd!?

Steps to Reproduce:
1. Run rkhunter after recent sshd update
2.
3.

Actual results:
Above error message.

Expected results:
No error because I put in my own include file with that PermitRootLogin option as "no" (which was previously in sshd_config)

Additional info: