Le mardi 11 août 2009 à 13:26 +0200, Bernd 'Siggy' Brentrup a écrit :
> On Tue, Aug 11, 2009 at 12:20 +0200, Julien Valroff wrote:
> > Le mardi 11 août 2009 à 11:05 +0200, Bernd 'Siggy' Brentrup a écrit :
> > > Hi,
> > >
> > > when looking into this bug I noticed you mention a bogus test:
> > >
> > > permitrootlogin=`cat ${I}/sshd_config | grep "PermitRootLogin" | grep -v
> > > "#"`
> > >
> > > Try the following:
> > > % grep "PermitRootLogin" | grep -v '#' <<EOF
> > > PermitRootLogin no
> > > # PermitRootLogin yes
> > > PermitRootLogin yes # Allow root to login remotely
> > > EOF
> > > PermitRootLogin no
> > > %
> > >
> > > IIRC sshd uses the last occurrence of an option if it is given
> > > multiple times.
> > >
> > > I'd suggest you change your test to
> > > % (cut -d'#' -f 1 | grep PermitRootLogin) <<EOF
> > > PermitRootLogin no
> > > # PermitRootLogin yes
> > > PermitRootLogin yes # Allow root to login remotely
> > > EOF
> > > PermitRootLogin no
> > > PermitRootLogin yes
> > > %
> > >
> >
> > You are right, and this was already fixed in the latest release.
> > The code is now:
> > grep -i '^PermitRootLogin[ =]' ${SSH_CONFIG_FILE} | tail -1
> >
> > Which detects the last option only.
>
> Sorry to say this is still wrong, options are not required to
> start at the beginning of a line, think of Match blocks where
> they are usually indented for better readability.
Yes, I do agree, and will report this upstream.
> IMHO you need a config file parser to analyze sshd_config.
rkhunter would however need a config file parser for all config files it
checks, which is not in the scope of a rootkit scanner.
It would be useful anyway... I guess any help is welcome upstream if you
want to share some ideas ;)
Cheers,
Julien
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]