Description of problem:
rkhunter complains about sshd setting after redhat update to sshd_config but does not consider sshd_config.d includes

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
----------------------- End Rootkit Hunter Scan -----------------------

Version-Release number of selected component (if applicable):
1.4.6

How reproducible:
New error - will it go away or will I need a propupd!?

Steps to Reproduce:
1. Run rkhunter after recent sshd update
2.
3.

Actual results:
Above error message.

Expected results:
No error because I put in my own include file with that PermitRootLogin option as "no" (which was previously in sshd_config)

Additional info:
rkhunter currently has no knowledge of /etc/ssh/sshd_config.d/ and upstream isn't too active. Would you be willing to bring the matter up on the upstream list? rkhunter-users.net
*** Bug 1871812 has been marked as a duplicate of this bug. ***
I have submitted a "fix" to the above mailing list - there has been no response, is anyone maintaining this?

-------------

Looking at the code it seems that the following changes might alleviate the problem (they do for me) although could break following uses of grep -i ... ${SSH_CONFIG_FILE} ... Effectively it includes the /etc/ssh/sshd_config.d/* files in the grep. Without more detailed debugging, I don't claim to understand all the code (yet ;-), I can't be certain, perhaps a maintainer can comment?

(This is a cut & paste - so tabs are probably lost or corrupted - beware)

--------------------------------------------------------------------------------
$ diff rkhunter.johnd /usr/bin/rkhunter 17389,17395d17388 < # JohnD - include the /etc/ssh/sshd_config.d/* files. < if [ -d "${SSH_CONFIG_FILE}.d" ];then < SSH_CONFIG_FILE="${SSH_CONFIG_FILE} ${SSH_CONFIG_FILE}.d/*" < else < : < fi < 17413,17414c17406,17407 < # JohnD - add -h to grep opts! < RKHTMPVAR=`grep -ih '^[ ]*PermitRootLogin[ =]' ${SSH_CONFIG_FILE} 2>/dev/null | tail ${TAIL_OPT}1` --- RKHTMPVAR=`grep -i '^[ ]*PermitRootLogin[ =]' "${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`
--------------------------------------------------------------------------------

It probably should also check that the sshd_config file is doing the appropriate "Include" or be conditional on it might be better, depending on how sshd configs are evolving.

In my case I have "PermitRootLogin no" in /etc/ssh/sshd_config.d/99-johnd-sshd.conf
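Review bot: in the first hunk (17389,17395d17388), reassigning SSH_CONFIG_FILE to "${SSH_CONFIG_FILE} ${SSH_CONFIG_FILE}.d/*" turns a single path into a space-separated list holding an unexpanded glob, so any other use that quotes the variable, as the original PermitRootLogin line did with "${SSH_CONFIG_FILE}", now names one file that does not exist. Keep SSH_CONFIG_FILE unchanged and put the drop-in list in a separate variable used only by the greps that should see it. The directory is also added whenever it exists, whether or not sshd_config contains an Include for it, and the empty else branch with ":" can be dropped.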
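Review bot: in the second hunk (17413,17414c17406,17407), grep now reads sshd_config first and the sshd_config.d/* files after it, and tail ${TAIL_OPT}1 keeps the last matching line, but sshd uses the first value it obtains for a keyword, so when PermitRootLogin appears in more than one file the value checked here can differ from the one sshd applies. Select the match in the order sshd reads the files, or state in the comment that the check assumes a single occurrence. The now unquoted ${SSH_CONFIG_FILE} also depends on word splitting and glob expansion, which breaks on a path containing whitespace.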
Is there a way to find out if there is any progress on this?
Upstream is not all that active these days it seems. ;( If you have used/tested that patch, I can just look at carrying it in the fedora packages?
Just tested in fc33 and still an issue: rkhunter-1.4.6-9.fc33.noarch
It was suggested, (Daniel Demus <ddemus.net>)

    It would be preferable to use sshd -T to list the resolved configuration instead of trying to parse the config files.

so use something like,

    sshd -T|grep -i PermitRootLogin

I think that to be consistent that would need to be throughout rkhunter, hence a major rebuild.

When it was said that upstream is very quiet, it was not a joke, could they be deceased or just uninterested? Maybe that's why.
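Why a resolved view matters for this check, as an added example (not rkhunter's code, nor from anyone in this report): sshd uses the first value it obtains for a keyword and reads Include files in place, so a last-match grep over the same files can report a different value. The function names, the sample tree and the simplifications listed in the comments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not rkhunter code). Resolves one sshd_config keyword by sshd's
# rule that the first value obtained wins, expanding Include in place.
# Assumed simplifications: global section only (a file is read up to its first
# Match line), whitespace-separated unquoted arguments, no spaces in paths.

# effective_value KEYWORD FILE BASEDIR: print the value; status 0 if it is set.
effective_value() (
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); file=$2; base=$3
    while read -r key val || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ''|'#'*) continue ;;
            match) break ;;
            include)
                set -f; set -- $val; set +f     # split patterns, expand later
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for inc in $pat; do         # glob expands in sorted order
                        [ -f "$inc" ] || continue
                        effective_value "$want" "$inc" "$base" && exit 0
                    done
                done ;;
            "$want") printf '%s\n' "$val"; exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# last_match KEYWORD FILE: modelled on the patched check in this report
# (grep the main file plus FILE.d/*, keep the last hit).
last_match() {
    grep -ih "^[[:space:]]*$1[[:space:]=]" "$2" "$2".d/* 2>/dev/null |
        tail -n 1 | awk '{print $2}'
}

# Constructed sample tree; file names and values are made up for illustration.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'Include sshd_config.d/*.conf\nPermitRootLogin yes\n' > "$d/sshd_config"
    printf 'PermitRootLogin prohibit-password\n' > "$d/sshd_config.d/50-vendor.conf"
    printf 'PermitRootLogin no\n' > "$d/sshd_config.d/99-local.conf"
    printf '%s\n' "$d"
}

tree=$(make_sample)
echo "first value obtained: $(effective_value PermitRootLogin "$tree/sshd_config" "$tree")"
echo "last grep match:      $(last_match PermitRootLogin "$tree/sshd_config")"
rm -rf "$tree"
```

On the constructed tree the two disagree: the first value obtained is prohibit-password from 50-vendor.conf, while the last grep match is no from 99-local.conf.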
FEDORA-2021-611f32a469 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-024739ab64 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-024739ab64
FEDORA-2021-9c40a9907e has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-9c40a9907e
FEDORA-2021-024739ab64 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-024739ab64` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-024739ab64 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-9c40a9907e has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9c40a9907e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9c40a9907e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-9c40a9907e has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-024739ab64 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.