Le mardi 11 août 2009 à 13:26 +0200, Bernd 'Siggy' Brentrup a écrit :
> On Tue, Aug 11, 2009 at 12:20 +0200, Julien Valroff wrote:
> > Le mardi 11 août 2009 à 11:05 +0200, Bernd 'Siggy' Brentrup a écrit :
> > > Hi,
> > > 
> > > when looking into this bug I noticed you mention a bogus test:
> > > 
> > > permitrootlogin=`cat ${I}/sshd_config | grep "PermitRootLogin" | grep -v 
> > > "#"`
> > > 
> > > Try the following:
> > > % grep "PermitRootLogin" | grep -v '#' <<EOF
> > > PermitRootLogin no 
> > > # PermitRootLogin yes
> > > PermitRootLogin yes # Allow root to login remotely
> > > EOF
> > > PermitRootLogin no
> > > % 
> > > 
> > > IIRC sshd uses the last occurrence of an option if it is given
> > > multiple times.
> > > 
> > > I'd suggest you change your test to
> > > % (cut -d'#' -f 1 | grep PermitRootLogin) <<EOF 
> > > PermitRootLogin no
> > > # PermitRootLogin yes
> > > PermitRootLogin yes # Allow root to login remotely
> > > EOF
> > > PermitRootLogin no
> > > PermitRootLogin yes 
> > > % 
> > > 
> > 
> > You are right, and this was already fixed in the latest release.
> > The code is now:
> > grep -i '^PermitRootLogin[   =]' ${SSH_CONFIG_FILE} | tail -1
> > 
> > Which detects the last option only.
> 
> Sorry to say this is still wrong, options are not required to
> start at the beginning of a line, think of Match blocks where
> they are usually indented for better readability.

Yes, I do agree, and will report this upstream.

> IMHO you need a config file parser to analyze sshd_config.

rkhunter would however need a config file parser for all config files it
checks, which is not in the scope of a rootkit scanner.
It would be useful anyway... I guess any help is welcome upstream if you
want to share some ideas ;)

Cheers,
Julien




--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to