ssh-baseline
Privilege separation conditional check
Describe the bug
The subject option has been deprecated since OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5), hence the check shall be conditional.
Expected behavior
No error
Actual behavior
× sshd-16: Server: Use privilege separation
× SSHD Configuration UsePrivilegeSeparation is expected to eq "sandbox"
expected: "sandbox"
got: nil
(compared using ==)
OS / Environment
$ lsb_release -d
Description: Ubuntu 20.04 LTS
$ ssh -V
OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f 31 Mar 2020
Inspec Version
$ inspec --version
4.18.114
Baseline Version
name: ssh-baseline
title: DevSec SSH Baseline
maintainer: DevSec Hardening Framework Team
copyright: DevSec Hardening Framework Team
copyright_email: [email protected]
license: Apache-2.0
summary: Test-suite for best-practice SSH hardening
version: 2.5.6
supports:
- os-family: unix
@sfuerte Thank you for the hint. I suggest we change the test to ensure that it is not set at all. This allows us to ensure the defaults are used. Any PR is welcome.
Agreed. OpenSSH 7.5 is 3 years old. If someone still uses a previous version of SSH, it is another level of problems than this profile can solve.
https://github.com/dev-sec/ssh-baseline/pull/171
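An added example (not the ssh-baseline control and not the change in the pull request linked above) of the conditional check discussed in this issue, in plain Ruby: on OpenSSH 7.5 or later it passes only when UsePrivilegeSeparation is unset, on older versions only when it equals "sandbox". The helper names and the sample config text are constructed for illustration.

```ruby
# Added example, not ssh-baseline code; helper names are hypothetical.
require 'rubygems' # Gem::Version gives a correct dotted-version comparison

DEPRECATED_SINCE = Gem::Version.new('7.5') # release cited in the issue

# Pull "8.2" out of `ssh -V` output such as "OpenSSH_8.2p1 Ubuntu-4, ...".
def openssh_version(banner)
  m = banner.match(/OpenSSH_(\d+\.\d+)/)
  raise ArgumentError, "no OpenSSH version in #{banner.inspect}" unless m
  Gem::Version.new(m[1])
end

# First global value of a keyword in sshd_config text, or nil when unset.
# Keywords are case-insensitive and sshd keeps the first value it reads;
# scanning stops at the first Match block (conditional overrides).
def sshd_option(config, keyword)
  config.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    break if key.casecmp?('Match')
    return value.to_s.delete('"').strip if key.casecmp?(keyword)
  end
  nil
end

# Returns [passed, message] for the version-conditional check.
def check_privsep(banner, config)
  version = openssh_version(banner)
  value = sshd_option(config, 'UsePrivilegeSeparation')
  if version >= DEPRECATED_SINCE
    # Deprecated option: pass only when absent so the built-in default applies.
    [value.nil?, "OpenSSH #{version}: expected option to be unset, got #{value.inspect}"]
  else
    [value == 'sandbox', "OpenSSH #{version}: expected \"sandbox\", got #{value.inspect}"]
  end
end

if __FILE__ == $PROGRAM_NAME
  banner = 'OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f  31 Mar 2020' # from the report
  config = "Port 22\nPermitRootLogin no\n"                        # constructed sample
  passed, message = check_privsep(banner, config)
  puts "#{passed ? 'PASS' : 'FAIL'} #{message}"
end
```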