Bug 1166288 - incorrect ALLOW_SSH_PROT_V1 entry in rkhunter.conf
Summary: incorrect ALLOW_SSH_PROT_V1 entry in rkhunter.conf
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: rkhunter
Version: epel7
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-11-20 17:43 UTC by Robert Cooper
Modified: 2014-11-20 22:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-20 22:28:45 UTC
Type: Bug
Embargoed:



Description Robert Cooper 2014-11-20 17:43:20 UTC
Description of problem:
Under RHEL7/CentOS 7, the rkhunter.conf key ALLOW_SSH_PROT_V1 is being set to "2" instead of "0". This is causing the warning:

Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'Protocol': 2
         Rkhunter configuration option 'ALLOW_SSH_PROT_V1': 2

According to the rkhunter.conf file documentation, the only valid values for ALLOW_SSH_PROT_V1 are 0 or 1. Changing that setting to 0 eliminates the warning. Upstream default is 0; it is being changed in rkhunter-1.4.2-fedoraconfig.patch during build.

Version-Release number of selected component (if applicable):

rkhunter-1.4.2-5.el7

How reproducible:
always

Steps to Reproduce:
1. install rkhunter from EPEL
2. run scan from /etc/cron.daily/rkhunter
3. Warning message is in emailed results.

Actual results:

Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'Protocol': 2
         Rkhunter configuration option 'ALLOW_SSH_PROT_V1': 2

Expected results:

no warning

Additional info:

Comment 1 Robert Cooper 2014-11-20 17:58:39 UTC
Confirmed that this was introduced in 1.4.2-5; the ALLOW_SSH_PROT_V1 directive is not in the patch for the 1.4.2-4 sources. This was not noted in the changelogs on koji.

Comment 2 Kevin Fenzi 2014-11-20 20:38:05 UTC
What docs are you reading? A value of 2 is allowed here: 

"#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
# that theoretically it is weaker, and therefore less secure, than the
# SSH-2 protocol. Do not modify this option unless you have good reasons
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. A value of '0' indicates that the use of
# SSH-1 is not allowed.
#
# The default value is '0'."

So, 2 should be fine, additionally here at least on a fresh rhel7/centos7 install, the /etc/ssh/sshd_config has: 

# The default requires explicit activation of protocol 1
#Protocol 2

So, it's not set, so '2' should be the right setting. 

Did you change your local sshd_config?

Comment 3 Robert Cooper 2014-11-20 20:49:29 UTC
sshd_config has not been changed; it is set to Protocol 2.

If I'm reading that correctly, value '2' can be set IF the Protocol option in sshd_config is NOT set, so if Protocol is set then 2 is not a valid value.

I actually submitted this as a bug to rkhunter first, and was informed that it's working as intended.  As I now understand, setting ALLOW_SSH_PROT_V1=2 is the same as ALLOW_SSH_PROT_V1=1, both of which allow the protocol but the second suppresses the warning message if Protocol is left empty in sshd_config.

https://sourceforge.net/p/rkhunter/bugs/131/ :

"Okay, having looked at the option and the code, this is not a bug.
The use of ALLOW_SSH_PROT_V1=2 is the same as setting it to '1' except that no warning is produced if the SSH 'protocol' option is not set. This is explained in the comments in the config file. So in your case you, in effect, have one setting allowing use of protocol version 2 (protocol=2), and another saying to use protocol version 1 (ALLOW_SSH_PROT_V1=2). Rkhunter is then correct in giving a warning because they are different."

I don't understand why this was changed between 1.4.2-4 and 1.4.2-5, since it's correct in the older revision and there's no documentation of the change being made that I can find for the EPEL packages.

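The rule quoted from the upstream reply above (ALLOW_SSH_PROT_V1=2 behaves like 1, except that no warning is raised when sshd_config has no active 'Protocol' line) can be modelled as a small consistency check. The script below is an added illustration written for this page, not rkhunter's own code or the exact messages it prints; the sshd_config and rkhunter.conf contents it creates are constructed samples, one mirroring the commented-out RHEL7 default and one mirroring the reporter's explicit "Protocol 2".

```shell
#!/bin/sh
# Modelled check between sshd_config 'Protocol' and rkhunter.conf
# 'ALLOW_SSH_PROT_V1', following the semantics quoted in this bug:
#   0 -> SSH-1 not allowed; 1 -> SSH-1 allowed; 2 -> same as 1, but no
#   warning when sshd_config has no active 'Protocol' line.
# Illustration only: this is not rkhunter's implementation.

# Print the first active (uncommented) 'Protocol' value; empty when unset.
# A commented "#Protocol 2" line does not match because $1 is "#Protocol".
sshd_protocol() {
    awk 'tolower($1) == "protocol" && !found { print $2; found = 1 }' "$1"
}

# Print the last ALLOW_SSH_PROT_V1 assignment in an rkhunter.conf-style file.
rkhunter_allow_v1() {
    sed -n 's/^[[:space:]]*ALLOW_SSH_PROT_V1[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# $1: sshd 'Protocol' value (or empty), $2: ALLOW_SSH_PROT_V1 value.
# Prints a result line; returns 0 when consistent, 1 when a warning applies,
# 2 for an invalid rkhunter value.
check_ssh_v1() {
    proto=$1
    allow=$2

    case "$allow" in
        0|1|2) ;;
        *) echo "invalid ALLOW_SSH_PROT_V1 value: '$allow'"; return 2 ;;
    esac

    # Does sshd permit SSH-1? 'Protocol' may read "1", "2", "2,1" or "1,2".
    case ",$proto," in
        *,1,*) sshd_v1=1 ;;
        *)     sshd_v1=0 ;;
    esac
    # Does rkhunter expect SSH-1 to be permitted? Both 1 and 2 mean yes.
    [ "$allow" = "0" ] && rk_v1=0 || rk_v1=1

    if [ -z "$proto" ]; then
        if [ "$allow" = "2" ]; then
            echo "OK: 'Protocol' unset, ALLOW_SSH_PROT_V1=2 suppresses the warning"
            return 0
        fi
        # Message wording is modelled here, not copied from rkhunter.
        echo "Warning: SSH configuration option 'Protocol' is not set"
        return 1
    fi

    if [ "$sshd_v1" -ne "$rk_v1" ]; then
        echo "Warning: The SSH and rkhunter configuration options should be the same:"
        echo "         SSH configuration option 'Protocol': $proto"
        echo "         Rkhunter configuration option 'ALLOW_SSH_PROT_V1': $allow"
        return 1
    fi
    echo "OK: 'Protocol' $proto matches ALLOW_SSH_PROT_V1=$allow"
    return 0
}

# Demo on constructed files: the RHEL7 default (directive commented out)
# passes with ALLOW_SSH_PROT_V1=2, the reporter's explicit "Protocol 2" warns.
demo() {
    tmp=$(mktemp -d)
    printf '# The default requires explicit activation of protocol 1\n#Protocol 2\n' > "$tmp/sshd_config.el7"
    printf 'Protocol 2\nPermitRootLogin no\n' > "$tmp/sshd_config.reporter"
    printf '# constructed sample\nALLOW_SSH_PROT_V1=2\n' > "$tmp/rkhunter.conf"
    allow=$(rkhunter_allow_v1 "$tmp/rkhunter.conf")
    check_ssh_v1 "$(sshd_protocol "$tmp/sshd_config.el7")" "$allow"
    check_ssh_v1 "$(sshd_protocol "$tmp/sshd_config.reporter")" "$allow" || true
    rm -rf "$tmp"
}

demo
```

Running it prints one OK line for the stock RHEL7 file and the same three-line warning the reporter saw for the file with "Protocol 2" enabled, which is the situation the thread converges on: the packaged value of 2 is only consistent with an sshd_config whose 'Protocol' line is left commented out.
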
Comment 4 Kevin Fenzi 2014-11-20 20:59:53 UTC
(In reply to Robert Cooper from comment #3)
> sshd_config has not been changed, it is set Protocol 2.  

Then it HAS been changed. The default config in the openssh-server package has this commented out. It's not active. No Protocol line is uncommented. 

> If I'm reading that correctly, value '2' can be set IF the Protocol option
> in sshd_config is NOT set, so if Protocol is set then 2 is not a valid value.

Which is the case by default. By default the sshd_config has NO Protocol option set. 

> I actually submitted this as a bug to rkhunter first, and was informed that
> it's working as intended.  As I now understand, setting ALLOW_SSH_PROT_V1=2
> is the same as ALLOW_SSH_PROT_V1=1, both of which allow the protocol but the
> second suppresses the warning message if Protocol is left empty in
> sshd_config.
> 
> https://sourceforge.net/p/rkhunter/bugs/131/ :
> 
> "Okay, having looked at the option and the code, this is not a bug.
> The use of ALLOW_SSH_PROT_V1=2 is the same as setting it to '1' except that
> no warning is produced if the SSH 'protocol' option is not set. This is
> explained in the comments in the config file. So in your case you, in
> effect, have one setting allowing use of protocol version 2 (protocol=2),
> and another saying to use protocol version 1 (ALLOW_SSH_PROT_V1=2). Rkhunter
> is then correct in giving a warning because they are different."
> 
> I don't understand why this was changed between 1.4.2-4 and 1.4.2-5, since
> it's correct in the older revision and there's no documentation of the
> change being made that I can find for the EPEL packages.

It is set based on what the default is in rhel7/epel7. 

If you changed the default you need to change your local config. ;)

Comment 5 Robert Cooper 2014-11-20 21:24:41 UTC
OK, it looks like a change was made to openssh-server between RHEL6 and RHEL7.

In RHEL6, openssh-server-5.3p1-104.el6 sets "Protocol 2" in sshd_config. Protocol 1 is apparently the default otherwise.

In RHEL7, openssh-server-6.4p1-8.el7 comments out the #Protocol 2 directive, as Protocol 2 has apparently been made the default and Protocol 1 must be explicitly enabled.

When I configured the CentOS 7 box, I used the same settings I did for CentOS 6, which included enabling the Protocol directive.

It looks like the change in OpenSSH was made upstream in v5.4, so one minor version later than the one included in RHEL6.

I guess this is "working as expected" then. Would have been nice to see a changelog indicating the directive change in rkhunter.conf though.

Comment 6 Kevin Fenzi 2014-11-20 22:28:45 UTC
Yeah, sorry about the changelog... that's partly an artifact of how we do things. This was actually the first version for epel7, but it was merged from the master (rawhide) branch, so it had all its history, which was kinda confusing. :(

Sorry about that...

