ssh-baseline
ssh-baseline copied to clipboard
Published
20 hours ago •
dev-sec
dev-sec
Can't start sshd baseline config at ssh server
trafficstars
Describe the bug Can't start sshd baseline config at ssh server
Expected behavior expected that sshd config start without errors
Actual behavior in attached screen
Example code in attached screen
**OS / Environment**
<!--- Provide all relevant information below, e.g. target OS versions, network device firmware, etc. -->
**Inspec Version**
4.37.17
Baseline Version https://github.com/dev-sec/ssh-baseline/blob/master/controls/sshd_spec.rb
**Additional context**
Add any other context about the problem here.
Can you try running the command like this?
sudo inspec exec /opt/inspec/test/ssh-baseline/ -t ssh://...
yes, please see output
Version: 2.6.4
Target: ssh://root@xxxx
× ssh-01: client: Check ssh_config owner, group and permissions. (6 failed)
✔ File /etc/ssh/ssh_config is expected to exist
× File /etc/ssh/ssh_config is expected to be file
expected `File /etc/ssh/ssh_config.file?` to be truthy, got false
× File /etc/ssh/ssh_config is expected to be owned by "root"
expected `File /etc/ssh/ssh_config.owned_by?("root")` to be truthy, got false
× File /etc/ssh/ssh_config is expected to be grouped into "root"
expected `File /etc/ssh/ssh_config.grouped_into?("root")` to be truthy, got false
× File /etc/ssh/ssh_config is expected not to be executable
expected File /etc/ssh/ssh_config not to be executable
✔ File /etc/ssh/ssh_config is expected to be readable by owner
✔ File /etc/ssh/ssh_config is expected to be readable by group
✔ File /etc/ssh/ssh_config is expected to be readable by other
✔ File /etc/ssh/ssh_config is expected to be writable by owner
× File /etc/ssh/ssh_config is expected not to be writable by group
expected File /etc/ssh/ssh_config not to be writable by group
× File /etc/ssh/ssh_config is expected not to be writable by other
expected File /etc/ssh/ssh_config not to be writable by other
↺ ssh-02: Client: Specify the AddressFamily to your need
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-03: Client: Specify expected ssh port
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-04: Client: Specify protocol version 2
↺ Skipped control due to only_if condition.
↺ ssh-05: Client: Disable batch mode
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-06: Client: Check Host IPs
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-07: Client: Ask when checking host keys
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-08: Client: Check for secure ssh ciphers
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-09: Client: Check for secure ssh Key-Exchange Algorithm
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-10: Client: Check for secure ssh Message Authentication Codes
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-11: Client: Disable agent forwarding
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-12: Client: Disable X11Forwarding
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-13: Client: Disable HostbasedAuthentication
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-14: Client: Disable rhosts-based authentication
↺ Skipped control due to only_if condition.
↺ ssh-15: Client: Enable RSA authentication
↺ Skipped control due to only_if condition.
↺ ssh-16: Client: Disable password-based authentication
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-17: Client: Disable GSSAPIAuthentication
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-18: Client: Disable GSSAPIDelegateCredentials
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-19: Client: Disable tunnels
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-20: Client: Do not permit local commands
↺ Can't find file: /etc/ssh/ssh_config
↺ ssh-21: Client: Do not allow Roaming
↺ Skipped control due to only_if condition.
× ssh-22: Client: CRYPTO_POLICY (3 failed)
× Bash command ssh -G localhost stdout is expected to match "ciphers aes256-ctr,aes192-ctr,aes128-ctr"
expected "user root\nhostname localhost\nport 22\naddkeystoagent false\naddressfamily any\nbatchmode no\ncanon...t no\nescapechar ~\nipqos af21 cs1\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "ciphers aes256-ctr,aes192-ctr,aes128-ctr"
Diff:
@@ -1,68 +1,135 @@
-ciphers aes256-ctr,aes192-ctr,aes128-ctr
+user root
+hostname localhost
+port 22
+addkeystoagent false
+addressfamily any
+batchmode no
+canonicalizefallbacklocal yes
+canonicalizehostname false
+challengeresponseauthentication yes
+checkhostip yes
+compression no
+controlmaster false
+enablesshkeysign no
+clearallforwardings no
+exitonforwardfailure yes
+fingerprinthash SHA256
+forwardagent yes
+forwardx11 yes
+forwardx11trusted no
+gatewayports no
+hashknownhosts no
+hostbasedauthentication no
+identitiesonly no
+kbdinteractiveauthentication yes
+nohostauthenticationforlocalhost no
+passwordauthentication yes
+permitlocalcommand no
+proxyusefdpass no
+pubkeyauthentication yes
+requesttty auto
+streamlocalbindunlink no
+stricthostkeychecking ask
+tcpkeepalive yes
+tunnel false
+verifyhostkeydns false
+visualhostkey no
+updatehostkeys false
+canonicalizemaxdots 1
+connectionattempts 1
+forwardx11timeout 1200
+numberofpasswordprompts 3
+serveralivecountmax 5
+serveraliveinterval 30
+ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
+hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+loglevel INFO
+macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
+pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+xauthlocation /usr/bin/xauth
+identityfile ~/.ssh/id_rsa
+identityfile ~/.ssh/id_dsa
+identityfile ~/.ssh/id_ecdsa
+identityfile ~/.ssh/id_ed25519
+identityfile ~/.ssh/id_xmss
+canonicaldomains
+globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
+connecttimeout none
+tunneldevice any:any
+controlpersist no
+escapechar ~
+ipqos af21 cs1
+rekeylimit 0 0
+streamlocalbindmask 0177
+syslogfacility USER
× Bash command ssh -G localhost stdout is expected to match "kexalgorithms diffie-hellman-group-exchange-sha256"
expected "user root\nhostname localhost\nport 22\naddkeystoagent false\naddressfamily any\nbatchmode no\ncanon...t no\nescapechar ~\nipqos af21 cs1\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "kexalgorithms diffie-hellman-group-exchange-sha256"
Diff:
@@ -1,68 +1,135 @@
-kexalgorithms diffie-hellman-group-exchange-sha256
+user root
+hostname localhost
+port 22
+addkeystoagent false
+addressfamily any
+batchmode no
+canonicalizefallbacklocal yes
+canonicalizehostname false
+challengeresponseauthentication yes
+checkhostip yes
+compression no
+controlmaster false
+enablesshkeysign no
+clearallforwardings no
+exitonforwardfailure yes
+fingerprinthash SHA256
+forwardagent yes
+forwardx11 yes
+forwardx11trusted no
+gatewayports no
+hashknownhosts no
+hostbasedauthentication no
+identitiesonly no
+kbdinteractiveauthentication yes
+nohostauthenticationforlocalhost no
+passwordauthentication yes
+permitlocalcommand no
+proxyusefdpass no
+pubkeyauthentication yes
+requesttty auto
+streamlocalbindunlink no
+stricthostkeychecking ask
+tcpkeepalive yes
+tunnel false
+verifyhostkeydns false
+visualhostkey no
+updatehostkeys false
+canonicalizemaxdots 1
+connectionattempts 1
+forwardx11timeout 1200
+numberofpasswordprompts 3
+serveralivecountmax 5
+serveraliveinterval 30
+ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
+hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+loglevel INFO
+macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
+pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+xauthlocation /usr/bin/xauth
+identityfile ~/.ssh/id_rsa
+identityfile ~/.ssh/id_dsa
+identityfile ~/.ssh/id_ecdsa
+identityfile ~/.ssh/id_ed25519
+identityfile ~/.ssh/id_xmss
+canonicaldomains
+globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
+connecttimeout none
+tunneldevice any:any
+controlpersist no
+escapechar ~
+ipqos af21 cs1
+rekeylimit 0 0
+streamlocalbindmask 0177
+syslogfacility USER
× Bash command ssh -G localhost stdout is expected to match "macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
expected "user root\nhostname localhost\nport 22\naddkeystoagent false\naddressfamily any\nbatchmode no\ncanon...t no\nescapechar ~\nipqos af21 cs1\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
Diff:
@@ -1,68 +1,135 @@
-macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+user root
+hostname localhost
+port 22
+addkeystoagent false
+addressfamily any
+batchmode no
+canonicalizefallbacklocal yes
+canonicalizehostname false
+challengeresponseauthentication yes
+checkhostip yes
+compression no
+controlmaster false
+enablesshkeysign no
+clearallforwardings no
+exitonforwardfailure yes
+fingerprinthash SHA256
+forwardagent yes
+forwardx11 yes
+forwardx11trusted no
+gatewayports no
+hashknownhosts no
+hostbasedauthentication no
+identitiesonly no
+kbdinteractiveauthentication yes
+nohostauthenticationforlocalhost no
+passwordauthentication yes
+permitlocalcommand no
+proxyusefdpass no
+pubkeyauthentication yes
+requesttty auto
+streamlocalbindunlink no
+stricthostkeychecking ask
+tcpkeepalive yes
+tunnel false
+verifyhostkeydns false
+visualhostkey no
+updatehostkeys false
+canonicalizemaxdots 1
+connectionattempts 1
+forwardx11timeout 1200
+numberofpasswordprompts 3
+serveralivecountmax 5
+serveraliveinterval 30
+ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
+hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+loglevel INFO
+macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
+pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+xauthlocation /usr/bin/xauth
+identityfile ~/.ssh/id_rsa
+identityfile ~/.ssh/id_dsa
+identityfile ~/.ssh/id_ecdsa
+identityfile ~/.ssh/id_ed25519
+identityfile ~/.ssh/id_xmss
+canonicaldomains
+globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
+connecttimeout none
+tunneldevice any:any
+controlpersist no
+escapechar ~
+ipqos af21 cs1
+rekeylimit 0 0
+streamlocalbindmask 0177
+syslogfacility USER
↺ sshd-01: Server: Check for secure ssh ciphers
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-02: Server: Check for secure ssh Key-Exchange Algorithm
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-03: Server: Check for secure ssh Message Authentication Codes
↺ Can't find file: /etc/ssh/sshd_config
× sshd-04: Server: Check SSH folder owner, group and permissions. (5 failed)
✔ File /etc/ssh is expected to exist
× File /etc/ssh is expected to be directory
expected `File /etc/ssh.directory?` to be truthy, got false
× File /etc/ssh is expected to be owned by "root"
expected `File /etc/ssh.owned_by?("root")` to be truthy, got false
× File /etc/ssh is expected to be grouped into "root"
expected `File /etc/ssh.grouped_into?("root")` to be truthy, got false
✔ File /etc/ssh is expected to be executable
✔ File /etc/ssh is expected to be readable by owner
✔ File /etc/ssh is expected to be readable by group
✔ File /etc/ssh is expected to be readable by other
✔ File /etc/ssh is expected to be writable by owner
× File /etc/ssh is expected not to be writable by group
expected File /etc/ssh not to be writable by group
× File /etc/ssh is expected not to be writable by other
expected File /etc/ssh not to be writable by other
× sshd-05: Server: Check sshd_config owner, group and permissions. (8 failed)
✔ File /etc/ssh/sshd_config is expected to exist
× File /etc/ssh/sshd_config is expected to be file
expected `File /etc/ssh/sshd_config.file?` to be truthy, got false
× File /etc/ssh/sshd_config is expected to be owned by "root"
expected `File /etc/ssh/sshd_config.owned_by?("root")` to be truthy, got false
× File /etc/ssh/sshd_config is expected to be grouped into "root"
expected `File /etc/ssh/sshd_config.grouped_into?("root")` to be truthy, got false
× File /etc/ssh/sshd_config is expected not to be executable
expected File /etc/ssh/sshd_config not to be executable
✔ File /etc/ssh/sshd_config is expected to be readable by owner
× File /etc/ssh/sshd_config is expected not to be readable by group
expected File /etc/ssh/sshd_config not to be readable by group
× File /etc/ssh/sshd_config is expected not to be readable by other
expected File /etc/ssh/sshd_config not to be readable by other
✔ File /etc/ssh/sshd_config is expected to be writable by owner
× File /etc/ssh/sshd_config is expected not to be writable by group
expected File /etc/ssh/sshd_config not to be writable by group
× File /etc/ssh/sshd_config is expected not to be writable by other
expected File /etc/ssh/sshd_config not to be writable by other
↺ sshd-06: Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-07: Server: Specify the listen ssh Port
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-08: Server: Specify the AddressFamily to your need
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-09: Server: Specify ListenAddress
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-11: Server: Enable StrictModes
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-12: Server: Specify SyslogFacility to AUTH
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-13: Server: Specify LogLevel to VERBOSE
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-14: Server: Specify SSH HostKeys
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-15: Server: Specify UseLogin to NO
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-16: Server: Use privilege separation
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-17: Server: Disable PermitUserEnvironment
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-18: Server: Specify LoginGraceTime
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-19: Server: Specify Limit for maximum authentication retries
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-20: Server: Specify maximum sessions
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-21: Server: Specify maximum startups
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-22: Server: Enable PubkeyAuthentication
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-23: Server: Enable IgnoreRhosts
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-24: Server: Enable IgnoreUserKnownHosts
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-25: Server: Disable HostbasedAuthentication
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-27: Server: Disable password-based authentication
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-28: Server: Disable PermitEmptyPasswords
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-29: Server: Disable ChallengeResponseAuthentication
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-30: Server: Disable Kerberos
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-31: Server: Disable Kerberos or Local Password
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-32: Server: Enable KerberosTicketCleanup
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-33: Server: Disable GSSAPIAuthentication
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-34: Server: Enable GSSAPICleanupCredentials
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-35: Server: Disable TCPKeepAlive
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-36: Server: Set a client alive interval
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-37: Server: Configure a few client alive counters
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-38: Server: Disable tunnels
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-39: Server: Disable TCP forwarding
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-40: Server: Disable Agent forwarding
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-41: Server: Disable gateway ports
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-42: Server: Disable X11Forwarding
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-43: Server: Enable X11UseLocalhost
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-44: Server: Disable PrintMotd
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-45: Server: PrintLastLog
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-46: Server: Banner
↺ Can't find file: /etc/ssh/sshd_config
↺ sshd-47: Server: DebianBanner
↺ Can't find file: /etc/ssh/sshd_config
✔ sshd-48: Server: DH primes
✔ Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 exit_status is expected to eq 0
✔ Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stdout is expected to eq ""
✔ Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stderr is expected to eq ""
✔ sshd-49: Server: CRYPTO_POLICY
✔ Processes sshd -D entries.length is expected to eq 1
✔ Processes sshd -D commands.first is expected not to match /-oCiphers/
✔ Processes sshd -D commands.first is expected not to match /-oKexAlgorithms/
✔ Processes sshd -D commands.first is expected not to match /-oHostKeyAlgorithms/
× sshd-50: Server: RSA HostKey size (1 failed)
✔ Bash command test $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | awk '$1 < 4096 { print $1 }' | wc -l) -eq 0 exit_status is expected to eq 0
✔ Bash command test $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | awk '$1 < 4096 { print $1 }' | wc -l) -eq 0 stdout is expected to eq ""
× Bash command test $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | awk '$1 < 4096 { print $1 }' | wc -l) -eq 0 stderr is expected to eq ""
expected: ""
got: "ssh-keygen: /etc/ssh/ssh_host_rsa_key: No such file or directory\r\n"
(compared using ==)
Diff:
@@ -1 +1,2 @@
+ssh-keygen: /etc/ssh/ssh_host_rsa_key: No such file or directory
i know my server is configured for password access and want sshd check 022 to say you don't have keys used
But this check is simply skipped like many others
hmm, what do you think, can it be cause of problem? that at ssh server many line in sshd_config are commented?
There seems to be a problem with accessing the files.. Can you run the following command on the target server and paste the output?
ls -lsah /etc/ssh/
Yes. please
it's read-only file system by default. But i think inspec just need read files
uname -a (ssh server) Linux xxx-dev 4.14.98 #1 SMP PREEMPT Wed Mar 17 21:18:09 MSK 2021 armv7l GNU/Linux
For experiment i try comment
and got this results sudo inspec exec /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb -t ssh://root@xxxx --password=
Version: (not specified)
Target: ssh://root@xxxx:22
× sshd-01: Server: Check for secure ssh ciphers
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:48
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69b9f55f0>
× sshd-02: Server: Check for secure ssh Key-Exchange Algorithm
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:57
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69ba35ab0>
× sshd-03: Server: Check for secure ssh Message Authentication Codes
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:66
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a38fb58>
× sshd-04: Server: Check SSH folder owner, group and permissions.
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:75
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69ba42990>
× sshd-05: Server: Check sshd_config owner, group and permissions.
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:94
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69ba40e38>
× sshd-06: Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:114
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69ba4f618>
× sshd-07: Server: Specify the listen ssh Port
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:123
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69ba4dac0>
× sshd-08: Server: Specify the AddressFamily to your need
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:132
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a387660>
× sshd-09: Server: Specify ListenAddress
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:141
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69ba5ac70>
× sshd-10: Server: Specify protocol version 2
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:152
undefined local variable or method `ssh_crypto' for #<Inspec::Rule:0x000055a69ba59118>
× sshd-11: Server: Enable StrictModes
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:162
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a7819f0>
× sshd-12: Server: Specify SyslogFacility to AUTH
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:171
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69babafd0>
× sshd-13: Server: Specify LogLevel to VERBOSE
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:180
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bab9478>
× sshd-14: Server: Specify SSH HostKeys
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:189
undefined local variable or method `ssh_crypto' for #<Inspec::Rule:0x000055a69a77af60>
× sshd-15: Server: Specify UseLogin to NO
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:202
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bac7820>
× sshd-16: Server: Use privilege separation
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:211
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bac5cc8>
× sshd-17: Server: Disable PermitUserEnvironment
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:220
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bac4170>
× sshd-18: Server: Specify LoginGraceTime
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:229
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a771d70>
× sshd-19: Server: Specify Limit for maximum authentication retries
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:238
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bad7388>
× sshd-20: Server: Specify maximum sessions
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:249
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bad57b8>
× sshd-21: Server: Specify maximum startups
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:258
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a76b808>
× sshd-22: Server: Enable PubkeyAuthentication
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:267
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a769788>
× sshd-23: Server: Enable IgnoreRhosts
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:276
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bae38b8>
× sshd-24: Server: Enable IgnoreUserKnownHosts
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:285
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bae1d60>
× sshd-25: Server: Disable HostbasedAuthentication
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:294
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bae0208>
× sshd-27: Server: Disable password-based authentication
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:303
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a765548>
× sshd-28: Server: Disable PermitEmptyPasswords
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:312
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69baf2cc8>
× sshd-29: Server: Disable ChallengeResponseAuthentication
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:321
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69baf1170>
× sshd-30: Server: Disable Kerberos
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:330
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a75ecc0>
× sshd-31: Server: Disable Kerberos or Local Password
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:339
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb03528>
× sshd-32: Server: Enable KerberosTicketCleanup
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:348
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb019d0>
× sshd-33: Server: Disable GSSAPIAuthentication
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:357
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a757e20>
× sshd-34: Server: Enable GSSAPICleanupCredentials
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:366
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a754d60>
× sshd-35: Server: Disable TCPKeepAlive
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:375
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb12eb0>
× sshd-36: Server: Set a client alive interval
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:384
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb11358>
× sshd-37: Server: Configure a few client alive counters
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:393
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a74f518>
× sshd-38: Server: Disable tunnels
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:402
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a74c728>
× sshd-39: Server: Disable TCP forwarding
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:411
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb1ea80>
× sshd-40: Server: Disable Agent forwarding
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:420
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb1cf28>
× sshd-41: Server: Disable gateway ports
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:429
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a6d6f50>
× sshd-42: Server: Disable X11Forwarding
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:438
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb2f1c8>
× sshd-43: Server: Enable X11UseLocalhost
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:447
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb2d670>
× sshd-44: Server: Disable PrintMotd
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:456
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a50ba18>
× sshd-45: Server: PrintLastLog
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:465
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a5083e0>
× sshd-46: Server: Banner
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:474
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb3e858>
× sshd-47: Server: DebianBanner
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:483
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69bb3cd00>
× sshd-48: Server: DH primes
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:499
undefined local variable or method `sshd_custom_path' for #<Inspec::Rule:0x000055a69a500820>
✔ sshd-49: Server: CRYPTO_POLICY
✔ Processes sshd -D entries.length is expected to eq 1
✔ Processes sshd -D commands.first is expected not to match /-oCiphers/
✔ Processes sshd -D commands.first is expected not to match /-oKexAlgorithms/
✔ Processes sshd -D commands.first is expected not to match /-oHostKeyAlgorithms/
× sshd-50: Server: RSA HostKey size
× Control Source Code Error /opt/inspec/test/ssh-baseline/controls/sshd_spec.rb:526
undefined local variable or method `sshd_custom_hostkeys_path' for #<Inspec::Rule:0x000055a69a215d68>
Profile Summary: 1 successful control, 48 control failures, 0 controls skipped
Test Summary: 4 successful, 48 failures, 0 skipped
i found issue, but don't know it's relevant? https://stackoverflow.com/questions/58771524/chef-inspec-undefined-local-variable-or-method-aws-region
Don't comment any code you don't know, it just breaks things. :)
This is probably not a problem with the inspec profile but rather with your machine.
Do you have other machines you can test?
Yes, see please, what do you think?
Profile: DevSec SSH Baseline (ssh-baseline)
Version: 2.6.4
Target: ssh://user@xxxx:22
✔ ssh-01: client: Check ssh_config owner, group and permissions.
✔ File /etc/ssh/ssh_config is expected to exist
✔ File /etc/ssh/ssh_config is expected to be file
✔ File /etc/ssh/ssh_config is expected to be owned by "root"
✔ File /etc/ssh/ssh_config is expected to be grouped into "root"
✔ File /etc/ssh/ssh_config is expected not to be executable
✔ File /etc/ssh/ssh_config is expected to be readable by owner
✔ File /etc/ssh/ssh_config is expected to be readable by group
✔ File /etc/ssh/ssh_config is expected to be readable by other
✔ File /etc/ssh/ssh_config is expected to be writable by owner
✔ File /etc/ssh/ssh_config is expected not to be writable by group
✔ File /etc/ssh/ssh_config is expected not to be writable by other
× ssh-02: Client: Specify the AddressFamily to your need
× SSH Configuration AddressFamily is expected to match /inet|inet6|any/
expected nil to match /inet|inet6|any/
× ssh-03: Client: Specify expected ssh port
× SSH Configuration Port is expected to eq "22"
expected: "22"
got: nil
(compared using ==)
↺ ssh-04: Client: Specify protocol version 2
↺ Skipped control due to only_if condition.
× ssh-05: Client: Disable batch mode
× SSH Configuration BatchMode is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× ssh-06: Client: Check Host IPs
× SSH Configuration CheckHostIP is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
× ssh-07: Client: Ask when checking host keys
× SSH Configuration StrictHostKeyChecking is expected to match /ask|yes/
expected nil to match /ask|yes/
× ssh-08: Client: Check for secure ssh ciphers
× SSH Configuration Ciphers is expected to eq "aes256-ctr,aes192-ctr,aes128-ctr"
expected: "aes256-ctr,aes192-ctr,aes128-ctr"
got: nil
(compared using ==)
× ssh-09: Client: Check for secure ssh Key-Exchange Algorithm
× SSH Configuration KexAlgorithms is expected to eq "diffie-hellman-group-exchange-sha256"
expected: "diffie-hellman-group-exchange-sha256"
got: nil
(compared using ==)
× ssh-10: Client: Check for secure ssh Message Authentication Codes
× SSH Configuration MACs is expected to eq "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
expected: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
got: nil
(compared using ==)
× ssh-11: Client: Disable agent forwarding
× SSH Configuration ForwardAgent is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× ssh-12: Client: Disable X11Forwarding
× SSH Configuration ForwardX11 is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× ssh-13: Client: Disable HostbasedAuthentication
× SSH Configuration HostbasedAuthentication is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
↺ ssh-14: Client: Disable rhosts-based authentication
↺ Skipped control due to only_if condition.
↺ ssh-15: Client: Enable RSA authentication
↺ Skipped control due to only_if condition.
× ssh-16: Client: Disable password-based authentication
× SSH Configuration PasswordAuthentication is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× ssh-17: Client: Disable GSSAPIAuthentication
× SSH Configuration GSSAPIAuthentication is expected to eq "no"
expected: "no"
got: "yes"
(compared using ==)
× ssh-18: Client: Disable GSSAPIDelegateCredentials
× SSH Configuration GSSAPIDelegateCredentials is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× ssh-19: Client: Disable tunnels
× SSH Configuration Tunnel is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× ssh-20: Client: Do not permit local commands
× SSH Configuration PermitLocalCommand is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
↺ ssh-21: Client: Do not allow Roaming
↺ Skipped control due to only_if condition.
× ssh-22: Client: CRYPTO_POLICY (3 failed)
× Bash command ssh -G localhost stdout is expected to match "ciphers aes256-ctr,aes192-ctr,aes128-ctr"
expected "user nbublikov\nhostname localhost\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklo...echar ~\nipqos lowdelay throughput\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "ciphers aes256-ctr,aes192-ctr,aes128-ctr"
Diff:
@@ -1,79 +1,157 @@
-ciphers aes256-ctr,aes192-ctr,aes128-ctr
+user nbublikov
+hostname localhost
+port 22
+addressfamily any
+batchmode no
+canonicalizefallbacklocal yes
+canonicalizehostname false
+challengeresponseauthentication yes
+checkhostip yes
+compression no
+controlmaster false
+enablesshkeysign no
+clearallforwardings no
+exitonforwardfailure no
+fingerprinthash SHA256
+forwardx11 no
+forwardx11trusted yes
+gatewayports no
+gssapiauthentication yes
+gssapikeyexchange no
+gssapidelegatecredentials no
+gssapitrustdns no
+gssapirenewalforcesrekey no
+gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
+hashknownhosts yes
+hostbasedauthentication no
+identitiesonly no
+kbdinteractiveauthentication yes
+nohostauthenticationforlocalhost no
+passwordauthentication yes
+permitlocalcommand no
+proxyusefdpass no
+pubkeyauthentication yes
+requesttty auto
+streamlocalbindunlink no
+stricthostkeychecking ask
+tcpkeepalive yes
+tunnel false
+verifyhostkeydns false
+visualhostkey no
+updatehostkeys false
+canonicalizemaxdots 1
+connectionattempts 1
+forwardx11timeout 1200
+numberofpasswordprompts 3
+serveralivecountmax 3
+serveraliveinterval 0
+ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
+hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256
+loglevel INFO
+macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
+securitykeyprovider internal
+pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+xauthlocation /usr/bin/xauth
+identityfile ~/.ssh/id_rsa
+identityfile ~/.ssh/id_dsa
+identityfile ~/.ssh/id_ecdsa
+identityfile ~/.ssh/id_ecdsa_sk
+identityfile ~/.ssh/id_ed25519
+identityfile ~/.ssh/id_ed25519_sk
+identityfile ~/.ssh/id_xmss
+canonicaldomains
+globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+userknownhostsfile /home/nbublikov/.ssh/known_hosts /home/nbublikov/.ssh/known_hosts2
+sendenv LANG
+sendenv LC_*
+addkeystoagent false
+forwardagent no
+connecttimeout none
+tunneldevice any:any
+controlpersist no
+escapechar ~
+ipqos lowdelay throughput
+rekeylimit 0 0
+streamlocalbindmask 0177
+syslogfacility USER
× Bash command ssh -G localhost stdout is expected to match "kexalgorithms diffie-hellman-group-exchange-sha256"
expected "user nbublikov\nhostname localhost\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklo...echar ~\nipqos lowdelay throughput\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "kexalgorithms diffie-hellman-group-exchange-sha256"
Diff:
@@ -1,79 +1,157 @@
-kexalgorithms diffie-hellman-group-exchange-sha256
+user nbublikov
+hostname localhost
+port 22
+addressfamily any
+batchmode no
+canonicalizefallbacklocal yes
+canonicalizehostname false
+challengeresponseauthentication yes
+checkhostip yes
+compression no
+controlmaster false
+enablesshkeysign no
+clearallforwardings no
+exitonforwardfailure no
+fingerprinthash SHA256
+forwardx11 no
+forwardx11trusted yes
+gatewayports no
+gssapiauthentication yes
+gssapikeyexchange no
+gssapidelegatecredentials no
+gssapitrustdns no
+gssapirenewalforcesrekey no
+gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
+hashknownhosts yes
+hostbasedauthentication no
+identitiesonly no
+kbdinteractiveauthentication yes
+nohostauthenticationforlocalhost no
+passwordauthentication yes
+permitlocalcommand no
+proxyusefdpass no
+pubkeyauthentication yes
+requesttty auto
+streamlocalbindunlink no
+stricthostkeychecking ask
+tcpkeepalive yes
+tunnel false
+verifyhostkeydns false
+visualhostkey no
+updatehostkeys false
+canonicalizemaxdots 1
+connectionattempts 1
+forwardx11timeout 1200
+numberofpasswordprompts 3
+serveralivecountmax 3
+serveraliveinterval 0
+ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
+hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256
+loglevel INFO
+macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
+securitykeyprovider internal
+pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+xauthlocation /usr/bin/xauth
+identityfile ~/.ssh/id_rsa
+identityfile ~/.ssh/id_dsa
+identityfile ~/.ssh/id_ecdsa
+identityfile ~/.ssh/id_ecdsa_sk
+identityfile ~/.ssh/id_ed25519
+identityfile ~/.ssh/id_ed25519_sk
+identityfile ~/.ssh/id_xmss
+canonicaldomains
+globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+userknownhostsfile /home/nbublikov/.ssh/known_hosts /home/nbublikov/.ssh/known_hosts2
+sendenv LANG
+sendenv LC_*
+addkeystoagent false
+forwardagent no
+connecttimeout none
+tunneldevice any:any
+controlpersist no
+escapechar ~
+ipqos lowdelay throughput
+rekeylimit 0 0
+streamlocalbindmask 0177
+syslogfacility USER
× Bash command ssh -G localhost stdout is expected to match "macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
expected "user nbublikov\nhostname localhost\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklo...echar ~\nipqos lowdelay throughput\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
Diff:
@@ -1,79 +1,157 @@
-macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+user nbublikov
+hostname localhost
+port 22
+addressfamily any
+batchmode no
+canonicalizefallbacklocal yes
+canonicalizehostname false
+challengeresponseauthentication yes
+checkhostip yes
+compression no
+controlmaster false
+enablesshkeysign no
+clearallforwardings no
+exitonforwardfailure no
+fingerprinthash SHA256
+forwardx11 no
+forwardx11trusted yes
+gatewayports no
+gssapiauthentication yes
+gssapikeyexchange no
+gssapidelegatecredentials no
+gssapitrustdns no
+gssapirenewalforcesrekey no
+gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
+hashknownhosts yes
+hostbasedauthentication no
+identitiesonly no
+kbdinteractiveauthentication yes
+nohostauthenticationforlocalhost no
+passwordauthentication yes
+permitlocalcommand no
+proxyusefdpass no
+pubkeyauthentication yes
+requesttty auto
+streamlocalbindunlink no
+stricthostkeychecking ask
+tcpkeepalive yes
+tunnel false
+verifyhostkeydns false
+visualhostkey no
+updatehostkeys false
+canonicalizemaxdots 1
+connectionattempts 1
+forwardx11timeout 1200
+numberofpasswordprompts 3
+serveralivecountmax 3
+serveraliveinterval 0
+ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
+hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256
+loglevel INFO
+macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
+securitykeyprovider internal
+pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
+xauthlocation /usr/bin/xauth
+identityfile ~/.ssh/id_rsa
+identityfile ~/.ssh/id_dsa
+identityfile ~/.ssh/id_ecdsa
+identityfile ~/.ssh/id_ecdsa_sk
+identityfile ~/.ssh/id_ed25519
+identityfile ~/.ssh/id_ed25519_sk
+identityfile ~/.ssh/id_xmss
+canonicaldomains
+globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+userknownhostsfile /home/nbublikov/.ssh/known_hosts /home/nbublikov/.ssh/known_hosts2
+sendenv LANG
+sendenv LC_*
+addkeystoagent false
+forwardagent no
+connecttimeout none
+tunneldevice any:any
+controlpersist no
+escapechar ~
+ipqos lowdelay throughput
+rekeylimit 0 0
+streamlocalbindmask 0177
+syslogfacility USER
× sshd-01: Server: Check for secure ssh ciphers
× SSHD Configuration Ciphers is expected to eq "aes256-ctr,aes192-ctr,aes128-ctr"
expected: "aes256-ctr,aes192-ctr,aes128-ctr"
got: nil
(compared using ==)
× sshd-02: Server: Check for secure ssh Key-Exchange Algorithm
× SSHD Configuration KexAlgorithms is expected to eq "diffie-hellman-group-exchange-sha256"
expected: "diffie-hellman-group-exchange-sha256"
got: nil
(compared using ==)
× sshd-03: Server: Check for secure ssh Message Authentication Codes
× SSHD Configuration MACs is expected to eq "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
expected: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
got: nil
(compared using ==)
✔ sshd-04: Server: Check SSH folder owner, group and permissions.
✔ File /etc/ssh is expected to exist
✔ File /etc/ssh is expected to be directory
✔ File /etc/ssh is expected to be owned by "root"
✔ File /etc/ssh is expected to be grouped into "root"
✔ File /etc/ssh is expected to be executable
✔ File /etc/ssh is expected to be readable by owner
✔ File /etc/ssh is expected to be readable by group
✔ File /etc/ssh is expected to be readable by other
✔ File /etc/ssh is expected to be writable by owner
✔ File /etc/ssh is expected not to be writable by group
✔ File /etc/ssh is expected not to be writable by other
× sshd-05: Server: Check sshd_config owner, group and permissions. (2 failed)
✔ File /etc/ssh/sshd_config is expected to exist
✔ File /etc/ssh/sshd_config is expected to be file
✔ File /etc/ssh/sshd_config is expected to be owned by "root"
✔ File /etc/ssh/sshd_config is expected to be grouped into "root"
✔ File /etc/ssh/sshd_config is expected not to be executable
✔ File /etc/ssh/sshd_config is expected to be readable by owner
× File /etc/ssh/sshd_config is expected not to be readable by group
expected File /etc/ssh/sshd_config not to be readable by group
× File /etc/ssh/sshd_config is expected not to be readable by other
expected File /etc/ssh/sshd_config not to be readable by other
✔ File /etc/ssh/sshd_config is expected to be writable by owner
✔ File /etc/ssh/sshd_config is expected not to be writable by group
✔ File /etc/ssh/sshd_config is expected not to be writable by other
✔ sshd-06: Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication
✔ SSHD Configuration PermitRootLogin is expected to match /no|without-password|prohibit-password/
✔ sshd-07: Server: Specify the listen ssh Port
✔ SSHD Configuration Port is expected to eq "22"
✔ sshd-08: Server: Specify the AddressFamily to your need
✔ SSHD Configuration AddressFamily is expected to match /inet|inet6|any/
× sshd-09: Server: Specify ListenAddress (1 failed)
× SSHD Configuration ListenAddress is expected not to eq nil
expected: value != nil
got: nil
(compared using ==)
✔ SSHD Configuration ListenAddress is expected not to match /^\s*$/
✔ SSHD Configuration ListenAddress is expected not to eq []
↺ sshd-10: Server: Specify protocol version 2
↺ Skipped control due to only_if condition.
× sshd-11: Server: Enable StrictModes
× SSHD Configuration StrictModes is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
× sshd-12: Server: Specify SyslogFacility to AUTH
× SSHD Configuration SyslogFacility is expected to eq "AUTH"
expected: "AUTH"
got: nil
(compared using ==)
× sshd-13: Server: Specify LogLevel to VERBOSE
× SSHD Configuration LogLevel is expected to eq "VERBOSE"
expected: "VERBOSE"
got: nil
(compared using ==)
× sshd-14: Server: Specify SSH HostKeys
× SSHD Configuration HostKey is expected to cmp == ["/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ed25519_key"]
expected: ["/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ed25519_key"]
got:
(compared using `cmp` matcher)
✔ sshd-15: Server: Specify UseLogin to NO
✔ SSHD Configuration UseLogin is expected to eq nil
× sshd-16: Server: Use privilege separation
× SSHD Configuration UsePrivilegeSeparation is expected to eq "sandbox"
expected: "sandbox"
got: nil
(compared using ==)
× sshd-17: Server: Disable PermitUserEnvironment
× SSHD Configuration PermitUserEnvironment is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-18: Server: Specify LoginGraceTime
× SSHD Configuration LoginGraceTime is expected to eq "30s"
expected: "30s"
got: nil
(compared using ==)
× sshd-19: Server: Specify Limit for maximum authentication retries
× SSHD Configuration MaxAuthTries is expected to cmp == 2
expected: 2
got:
(compared using `cmp` matcher)
× sshd-20: Server: Specify maximum sessions
× SSHD Configuration MaxSessions is expected to eq "10"
expected: "10"
got: nil
(compared using ==)
× sshd-21: Server: Specify maximum startups
× SSHD Configuration MaxStartups is expected to eq "10:30:60"
expected: "10:30:60"
got: nil
(compared using ==)
× sshd-22: Server: Enable PubkeyAuthentication
× SSHD Configuration PubkeyAuthentication is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
× sshd-23: Server: Enable IgnoreRhosts
× SSHD Configuration IgnoreRhosts is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
× sshd-24: Server: Enable IgnoreUserKnownHosts
× SSHD Configuration IgnoreUserKnownHosts is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
× sshd-25: Server: Disable HostbasedAuthentication
× SSHD Configuration HostbasedAuthentication is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-27: Server: Disable password-based authentication
× SSHD Configuration PasswordAuthentication is expected to eq "no"
expected: "no"
got: "yes"
(compared using ==)
✔ sshd-28: Server: Disable PermitEmptyPasswords
✔ SSHD Configuration PermitEmptyPasswords is expected to eq "no"
× sshd-29: Server: Disable ChallengeResponseAuthentication
× SSHD Configuration ChallengeResponseAuthentication is expected to eq "no"
expected: "no"
got: "yes"
(compared using ==)
× sshd-30: Server: Disable Kerberos
× SSHD Configuration KerberosAuthentication is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-31: Server: Disable Kerberos or Local Password
× SSHD Configuration KerberosOrLocalPasswd is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-32: Server: Enable KerberosTicketCleanup
× SSHD Configuration KerberosTicketCleanup is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
× sshd-33: Server: Disable GSSAPIAuthentication
× SSHD Configuration GSSAPIAuthentication is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-34: Server: Enable GSSAPICleanupCredentials
× SSHD Configuration GSSAPICleanupCredentials is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
× sshd-35: Server: Disable TCPKeepAlive
× SSHD Configuration TCPKeepAlive is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-36: Server: Set a client alive interval
× SSHD Configuration ClientAliveInterval is expected to eq "300"
expected: "300"
got: nil
(compared using ==)
× sshd-37: Server: Configure a few client alive counters
× SSHD Configuration ClientAliveCountMax is expected to eq "3"
expected: "3"
got: nil
(compared using ==)
× sshd-38: Server: Disable tunnels
× SSHD Configuration PermitTunnel is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-39: Server: Disable TCP forwarding
× SSHD Configuration AllowTcpForwarding is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-40: Server: Disable Agent forwarding
× SSHD Configuration AllowAgentForwarding is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-41: Server: Disable gateway ports
× SSHD Configuration GatewayPorts is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-42: Server: Disable X11Forwarding
× SSHD Configuration X11Forwarding is expected to eq "no"
expected: "no"
got: "yes"
(compared using ==)
× sshd-43: Server: Enable X11UseLocalhost
× SSHD Configuration X11UseLocalhost is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
✔ sshd-44: Server: Disable PrintMotd
✔ SSHD Configuration PrintMotd is expected to eq "no"
× sshd-45: Server: PrintLastLog
× SSHD Configuration PrintLastLog is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× sshd-46: Server: Banner
× SSHD Configuration Banner is expected to eq "none"
expected: "none"
got: nil
(compared using ==)
× sshd-47: Server: DebianBanner
× SSHD Configuration DebianBanner is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
✔ sshd-48: Server: DH primes
✔ Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 exit_status is expected to eq 0
✔ Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stdout is expected to eq ""
✔ Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stderr is expected to eq ""
↺ sshd-49: Server: CRYPTO_POLICY
↺ Skipped control due to only_if condition: sshd with options is running
↺ sshd-50: Server: RSA HostKey size
↺ Skipped control due to only_if condition: RSA HostKey is readable
Profile Summary: 9 successful controls, 55 control failures, 7 controls skipped
Test Summary: 42 successful, 58 failures, 7 skipped
you say that "There seems to be a problem with accessing the files" - access for what files inspec need on target ssh server? It is really very important for me to figure it out, since tests should be run on it.
Thank a lot, for you help
access for what files inspec need on target ssh server?
/etc/ssh/ssh_config
/etc/ssh/sshd_config
ok, tell me please. how this access should be configured? what right we should assign to this files?
Is the file you attached the exact content of the cat ? Or does it also contain the cat line ?
There seems to be a malformed sshd_config file as the internal inspec sshd_config method does not detect it correctly.
You also open a similar issue here https://github.com/dev-sec/cis-dil-benchmark/issues/113
Let's solve it there. If we need to fix something on our side, we will port the fix on CIS after.
Is the file you attached the exact content of the cat ? Or does it also contain the cat line ?
It's actual config of ssh server, output of sshd_config
There seems to be a malformed sshd_config file as the internal inspec sshd_config method does not detect it correctly.
You also open a similar issue here dev-sec/cis-dil-benchmark#113
Let's solve it there. If we need to fix something on our side, we will port the fix on CIS after.
Ok! Thanks, lets fix it there
Perhaps, since sshd could be done by our developers
Can you tell me what sshd_config should look like correctly? We would then correct him, if necessary.
Or how i should formulate question for my developers? For sshd fixing, if needed
file.txt it's my sshd_config
Ok, what troubles me is that file.txt starts with inspec> cat /etc/ssh/sshd_config so I don't know if you put that line inadvertently in the file or if it is just that you included the line in the output you copy-pasted.
The internal method not detecting the file paramters is concerning. What is your linux distrib exactly ? You said that it runs an IoT device, perhaps are we in presence of a border effect due to a very peculiar linux distrib.
If it is the case, you should send a reply to this ticket https://github.com/inspec/inspec/issues/4782 explaining the specific OS you are in and help the core team increasing the supported OSes list.
oh, i remove line with cat, it's actual sshd_config sshd_config.txt
Regarding the unusual distribution, you are right. We build a fairly minimalistic file system ourselves using Buildroot.
I try to get some info from our team for this ticket inspec/inspec#4782