
incorrect detection with multiple identical keys

Open RiseAndCry opened this issue 8 months ago • 1 comments

Description

Hi, I've noticed that the sshd detection is faulty (even if the configuration is correct):

Image

This is most likely due to having 2 identical keys in sshd config (global and match block): PasswordAuthentication no and

# SFTP matching configuration
# ===========================
# Configuration, in case SFTP is used
# override default of no subsystems
# Subsystem sftp /opt/app/openssh5/libexec/sftp-server

Subsystem sftp internal-sftp -l INFO -f LOCAL6 -u 0027

# These lines must appear at the *end* of sshd_config
Match Group sftponly
    ForceCommand internal-sftp -l INFO -f LOCAL6 -u 0027
    ChrootDirectory /home/%u
    AllowTcpForwarding no
    AllowAgentForwarding no
    PasswordAuthentication no
    PermitRootLogin no
    X11Forwarding no

And this issue repeats for other settings as well (AllowTcpForwarding, X11Forwarding, etc).

Reproduction steps

  1. create an ansible playbook (harden.yml):
- hosts: localhost
  become: true
  collections:
    - devsec.hardening
  roles:
    - ssh_hardening
  2. ansible-playbook harden.yml --become-method=sudo
  3. sudo inspec exec https://github.com/dev-sec/ssh-baseline

Current Behavior

sshd-27: Server: Disable password-based authentication
     ×  SSHD Configuration PasswordAuthentication is expected to eq "no"
     
     expected: "no"
          got: ["no", "no"]
     
     (compared using ==)

Expected Behavior

sshd-27: Server: Disable password-based authentication
     ✔  SSHD Configuration PasswordAuthentication is expected to eq "no"

maybe detect match block in addition ?

OS / Environment

Ubuntu 24.04.2

Inspec Version

6.8.24

Baseline Version

2.8.1

Additional information

No response

RiseAndCry avatar Mar 06 '25 09:03 RiseAndCry

@RiseAndCry thanks for reporting this problem! After some checking this seems more like a bug for the inspec resource sshd_config (https://docs.chef.io/inspec/resources/sshd_config/).

At first I was a bit concerned, since we also use this baseline for testing our Ansible collection, but then I discovered that we disable the sftp part for the tests and thus also do not trigger this duplicate definition problem.

I think the right place to fix this is in inspec. However I also think it might be a good idea to adapt our baseline so it deals with multiple Match blocks and thus multiple matching config lines.

schurzi avatar Mar 08 '25 20:03 schurzi
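To show what "dealing with Match blocks" means in practice, here is an added Ruby example (not code from ssh-baseline or from the InSpec sshd_config resource) that parses an sshd_config into a global section plus one section per Match block, so a check can ask for the global value of PasswordAuthentication instead of receiving every occurrence flattened into one array, which is what the failing sshd-27 output above shows. The sample config is constructed to mirror the one in the report; the function names are the example's own.

```ruby
# Constructed sample config, mirroring the report: the key appears once
# globally and once inside the sftponly Match block.
SAMPLE_SSHD_CONFIG = <<~CFG
  PasswordAuthentication no
  X11Forwarding no
  Subsystem sftp internal-sftp -l INFO -f LOCAL6 -u 0027

  # These lines must appear at the *end* of sshd_config
  Match Group sftponly
      ForceCommand internal-sftp -l INFO -f LOCAL6 -u 0027
      ChrootDirectory /home/%u
      AllowTcpForwarding no
      PasswordAuthentication no
      PermitRootLogin no
      X11Forwarding no
CFG

# Returns { "global" => { key => [values] }, "Match Group sftponly" => { ... } }.
# Keywords are lowercased because sshd treats them case-insensitively;
# everything after a Match line belongs to that block until the next Match.
def parse_sshd_config(text)
  sections = { 'global' => {} }
  current = 'global'
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip # drop comments and surrounding whitespace
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    if key.casecmp('Match').zero?
      current = "Match #{value}"
      sections[current] ||= {}
    else
      (sections[current][key.downcase] ||= []) << value
    end
  end
  sections
end

# Global value of a keyword, which is what the baseline check intends to test.
# sshd uses the first value given for a keyword, so the first one is returned.
def global_value(sections, key)
  Array(sections['global'][key.downcase]).first
end

# Effective value of a keyword in every scope that sets it, so a baseline can
# also verify the Match blocks instead of only the global section.
def values_by_scope(sections, key)
  sections.each_with_object({}) do |(scope, kv), out|
    out[scope] = kv[key.downcase].first if kv.key?(key.downcase)
  end
end
```

With this split, `global_value(sections, 'PasswordAuthentication')` yields the single string "no" that the sshd-27 check compares against, and `values_by_scope` exposes the Match block values separately for an additional per-block check.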