I've only now realised I should have posted this here as it seems not many people read the list I posted it to...
I noted a while ago that rkhunter was giving a warning about,
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
It followed changes to the sshd_config file & creation of the sshd_config.d
directory for local config changes.
I submitted this to the fedora bugzilla for rkhunter, & Kevin Fenzi
kevin@scrye.com (Thanks Kevin, you were right to suggest that) responded that
I should bring the matter up on the upstream list, which I sadly did not have
time for.
At the time (28 June 2020) I did post to the list & got a rejection with a
suggestion that I first read,
http://sourceforge.net/mailarchive/forum.php?forum=rkhunter-users
and
http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034
before posting a question. (also the email contained the cryptic "L.S." at
the top???)
Both URLs give the message:
Whoops, we can't find that page.
The above pages still give the same message, so unless the list email that
I got that contains them has been updated, they are still problematic.
Today I joined the mailing list rkhunterusers@lists.sourceforge.net & perused
the recent activity. I use firefox & it seemed that long lines in the,
https://sourceforge.net/p/rkhunter/mailman/rkhunter-users/?viewmonth=202004
page were not rendered well with the borders cutting the lines off (maybe that's
just firefox) otherwise, yet another problem to fix ;-)
Also, it seems that the last rkhunter release was 2018-02-20 - can anyone
confirm that is the case? I know it's hard to maintain software - especially
open source - so this is not a complaint! Obviously it's lasted well for some
time, AND it might only be "redhat/fedora" that is now problematic.
Now to my original problem, I submitted,
https://bugzilla.redhat.com/show_bug.cgi?id=1851620
John Dodson 2020-06-27 15:07:45 UTC
Description of problem:
rkhunter complains about sshd setting after redhat update to sshd_config but
does not consider sshd_config.d includes
--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
----------------------- End Rootkit Hunter Scan -----------------------
Version-Release number of selected component (if applicable):
1.4.6
How reproducible:
New error - will it go away or will I need a propupd!?
Steps to Reproduce:
Actual results:
Above error message.
Expected results:
No error because I put in my own include file with that PermitRootLogin option
as "no" (which was previously in sshd_config)
Obviously a --propupd did not resolve the problem, so looking at the code it
seems that the following changes might alleviate the problem (they do for me)
although could break following uses of grep -i ... ${SSH_CONFIG_FILE} ...
Effectively it includes the /etc/ssh/sshd_config.d/* files in the grep.
Without more detailed debugging, I don't claim to understand all the code
(yet ;-), I can't be certain, perhaps a maintainer can comment?
$ diff rkhunter.johnd /usr/bin/rkhunter
17389,17395d17388
< # JohnD - include the /etc/ssh/sshd_config.d/ files.
< if [ -d "${SSH_CONFIG_FILE}.d" ];then
< SSH_CONFIG_FILE="${SSH_CONFIG_FILE}
${SSH_CONFIG_FILE}.d/"
< else
< :
< fi
<
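Review bot: The assignment to SSH_CONFIG_FILE in this hunk turns a single-path variable into a whitespace-separated list whose second entry is the bare directory `${SSH_CONFIG_FILE}.d/`. Any later use that quotes "${SSH_CONFIG_FILE}" (as the original grep line does) then sees one path that does not exist, and grep without -r reads nothing from a directory while `2>/dev/null` hides the error. Suggest leaving SSH_CONFIG_FILE untouched and collecting the drop-in files in a separate variable built from a glob on `${SSH_CONFIG_FILE}.d/`, which is what the description says is intended. The empty `else :` branch can be dropped.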
17413,17414c17406,17407
< # JohnD - add -h to grep opts!
< RKHTMPVAR=grep -ih '^[ ]*PermitRootLogin[
=]' ${SSH_CONFIG_FILE} 2>/dev/null | tail ${TAIL_OPT}1
RKHTMPVAR=`grep -i '^[ ]*PermitRootLogin[ =]'"${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`
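Review bot: `tail ${TAIL_OPT}1` keeps the last matching line across every file passed to grep, but sshd uses the first value it obtains for a keyword and reads included files at the position of the Include directive, so with sshd_config listed ahead of the .d files the value reported here can differ from the effective one. Suggest taking the first match in the order sshd reads the files, or querying the resolved configuration instead of grepping. As shown, the new `RKHTMPVAR=grep -ih ...` line also has no command substitution around the pipeline, so RKHTMPVAR would not receive grep's output, and the now unquoted ${SSH_CONFIG_FILE} depends on word splitting, which breaks for paths containing whitespace.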
It probably should also check that the sshd_config file is doing the
appropriate "Include" or be conditional on it might be better, depending
on how sshd config's are evolving.
In my case I have "PermitRootLogin no" in
/etc/ssh/sshd_config.d/99-johnd-sshd.conf
Cheers
John (Retired with too many grandchildren that know more about computers than
I do! ;-)
It would be preferable to use sshd -T to list the resolved configuration instead of trying to parse the config files.
I'll look into this soon.
Yes 2018 was the last release.
No idea what the 'L.S.' is that you mention.
The rkhunter web page had some invalid links on it; those have now been corrected.
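Why grepping the files is not equivalent to the resolved configuration, as an added example that is not part of this thread or of rkhunter: sshd keeps the first value it obtains for a keyword and expands Include in place, in lexical order, so a last-match grep over sshd_config plus the drop-ins can report a value sshd never uses. The function names and the config files are constructed for the demonstration; on a live host `sshd -T` remains the authoritative source.

```shell
# Added example: hypothetical helper names, constructed config files.
# flatten FILE: print FILE with each Include replaced by the files it names.
# The ( ) body is a subshell, so recursion cannot clobber variables.
# Assumption: relative Include paths resolve against the including file's
# directory so the demo runs in a temp dir (sshd resolves them against /etc/ssh).
flatten() (
    file=$1 base=$(dirname "$1")
    while read -r kw rest || [ -n "$kw" ]; do
        if [ "$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')" = include ]; then
            set -f; set -- $rest; set +f        # split patterns, no globbing yet
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$base/$pat ;; esac
                for f in $pat; do               # glob expands here, sorted
                    if [ -f "$f" ]; then flatten "$f"; fi
                done
            done
        else
            printf '%s %s\n' "$kw" "$rest"
        fi
    done < "$file"
)

# first_value KEYWORD FILE: first global value in read order; status 1 if unset.
# Simplification: parsing stops at the first Match line.
first_value() {
    flatten "$2" | awk -v k="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == k       { print tolower(f[2]); found = 1; exit }
        END            { exit !found }'
}

# last_match KEYWORD FILE...: the grep | tail approach used in the patch.
last_match() {
    kw=$1; shift
    grep -ih "^[[:space:]]*$kw[ =]" "$@" 2>/dev/null | tail -n 1 | awk '{ print tolower($2) }'
}

# demo: constructed layout where a vendor drop-in sorts before the local one.
demo() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'Include sshd_config.d/*.conf\nX11Forwarding no\n' > "$d/sshd_config"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config.d/10-vendor.conf"
    printf 'PermitRootLogin no\n'  > "$d/sshd_config.d/99-local.conf"
    echo "last=$(last_match PermitRootLogin "$d/sshd_config" "$d"/sshd_config.d/*.conf)" \
         "first=$(first_value PermitRootLogin "$d/sshd_config")"
    rm -rf "$d"
}
demo    # prints: last=no first=yes
```

In the constructed layout the last-match result is "no" while the value sshd would obtain first is "yes", which is the case where a check based on grep and tail stays silent although root login is enabled.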
Thanks John. Sorry for my delay in response, I've been away (A reasonable excuse
in Australia with little to no Covid :-)
The L.S. was at the top of the email returned to me telling me that my post had
been rejected.
I assumed it was something somehow included in "error" emails by default but
probably a typo. Otherwise like you I also have no idea...
Which prompts a joke...
That last part was coined by one of my colleagues who was an ex-marine biologist
Cheers
John
On Sun, 2021-02-07 at 02:28 +0000, John Horne wrote:
Related Bugs: #169
Fixed in the development version.
Where is that development version, please?
Go to the Code tab.
Make sure you are in the develop branch. In the banner at the top it will say:
Tree [866f69] develop /
Next to that will be a link to 'Download Snapshot'. Click that.
This will give you a .zip file to download. Download it to a directory and unzip.
Change to the directory and run ./installer.sh
Follow the rest of the installation instructions in the README file.
Related Commit: [866f69]
Thanks!
Do you know when it would be available in a distribution repository like Ubuntu?