Bug#824610: rkhunter: SSH PermitRootLogin is fragile and incomplete

Christoph Anton Mitterer calestyo at scientia.net
Wed May 18 01:01:16 UTC 2016


Package: rkhunter
Version: 1.4.2-5
Severity: normal
Tags: security upstream


Hi.

AFAIU, rkhunter does roughly the following to check for the value of PermitRootLogin:
It goes through SSH_CONFIG_DIR or /etc /etc/ssh /usr/local/etc /usr/local/etc/ssh
looking for sshd_config, taking the first one found.
It case-insensitively greps for "PermitRootLogin", only looking at the first result,
doing some further regexp playing to get the value out of that line.

1) There's no guarantee the file is called sshd_config and that seems not to be configurable.
2) The fallback of going through those dirs and testing only the first found match is a bit
   fragile IMHO. The file could exist in multiple locations, but the one actually used could
   be from a later dir, which rkhunter wouldn't check anymore.
3) The parsing is IMHO a bit fragile. Nothing prevents upstream from changing the syntax and
   semantics, especially that the "first" assignment wins could be easily changed.
   Newer sshd versions have the -T option, which can be used to give a standardised output of
   the effective configuration. That should be used, I'd say. (However, see later)
4) sshd_config syntax allows values to be enclosed in double quotes - AFAIK the parser doesn't
   handle this

Most important and security relevant is IMHO:

5) It's not Match block aware.
   The Match blocks lead to different effective values (at runtime) for PermitRootLogin,
   depending on the match criteria.
   An sshd_config like:
   PermitRootLogin no
   Match User *
      PermitRootLogin yes

   would already trick rkhunter into believing it's "no", while it effectively is "yes".

   Unfortunately this is where the nice -T fails... :-( ... while there is -C too, it
   cannot be used to "select" a certain Match block (which we could parse for), but only to
   give the criteria (and it's difficult to set them up so that all Match blocks would get
   matched once).

   So in the end I'd say we should grep for something like:
   1) grep -i '^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*' "$SSHD_CONFIG"
      (not dropping any lines)
   2) remove the directive:
       sed 's/^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*//'
   3) removing double quotes must be done in an extra step, as we MUST only remove " if there's
      one at the beginning AND the end (anchored, so a quote somewhere in the middle is kept):
      sed 's/^"\(.*\)"$/\1/'
   4) sort -u the output

   If now multiple lines are left, it means we have different values either in Match blocks
   or outside of Match blocks.
   For both cases I'd say the rkhunter test should give a warning.
   If only one line is left, I'd continue to compare it to the expected value set in
   rkhunter.conf.


6) Oh and it seems current regexps assume one could write directive=value, but I don't think
   this is possible in the config syntax, or is it?


Cheers,
Chris
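The grep/sed/sort pipeline proposed in the message above, wrapped in shell functions and run against a constructed sshd_config (an added example, not rkhunter's or the author's code). It assumes sshd's case-insensitive handling of keywords and values, so everything is lower-cased before sort -u, and it applies the anchored quote removal.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: the grep/sed/sort pipeline
# proposed in the message, wrapped in functions and run against a
# constructed sshd_config. sshd treats keywords and values
# case-insensitively, so everything is lower-cased before sort -u.

# Print every distinct PermitRootLogin value in the file "$1", from the
# main section and from Match blocks alike, one per line.
permit_root_login_values() {
    grep -i '^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*' "$1" |
        tr '[:upper:]' '[:lower:]' |
        sed 's/^[[:space:]]*permitrootlogin[[:space:]][[:space:]]*//' |
        sed 's/[[:space:]]*$//' |
        sed 's/^"\(.*\)"$/\1/' |
        sort -u
}
# (the last sed strips double quotes only when one is at each end)

# Verdict for the check: "unset", "multiple" (Match blocks or repeated
# directives disagree, so rkhunter should warn), or the single value.
permit_root_login_verdict() {
    set -- $(permit_root_login_values "$1")
    case $# in
        0) echo unset ;;
        1) echo "$1" ;;
        *) echo multiple ;;
    esac
}

# Constructed sshd_config with the Match-block trap from the message.
write_trap_config() {
    printf '%s\n' 'PermitRootLogin no' 'Match User *' \
        '   PermitRootLogin yes' > "$1"
}

# Constructed sshd_config with a quoted, mixed-case value.
write_quoted_config() {
    printf '%s\n' '# comment' 'PermitRootLogin "Prohibit-Password"' > "$1"
}

tmp=$(mktemp)
write_trap_config "$tmp"
echo "trap config:   $(permit_root_login_verdict "$tmp")"     # multiple
write_quoted_config "$tmp"
echo "quoted config: $(permit_root_login_verdict "$tmp")"     # prohibit-password
rm -f "$tmp"
```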


