On 10/4/13 3:52 AM, Rui Pedro Bernardino wrote:
Hi,
I have exactly the same results, but that's not the point. This is what I get on
a system without a 'Banner' but with a 'Match' group:
[root@seis64 ~]# ssh localhost
root@localhost's password:
[root@seis64 ~]# sshd_enable_warning_banner.sh
[root@seis64 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@seis64 ~]# ssh localhost
root@localhost's password:
Still no banner.
This is because the 'Banner' was appended to the end of sshd_config and got
'absorbed' by the Match rules (which use anything following 'Match' until EOF or
another 'Match'):
[root@seis64 ~]# tail -5 /etc/ssh/sshd_config
# Rules for sftponly group
Match group sftponly
X11Forwarding no
AllowTcpForwarding no
Banner /etc/issue
This applies to all of SSG's sshd_config fixes. Note that not all configuration
primitives are accepted in "Match" blocks, meaning sshd will fail to start.
Bottom line, new primitives must be inserted *before* Match blocks.
Ah, yes, I see what you're talking about now. How's this?
# Attempt to adjust value, should string be present
grep -q ^PermitEmptyPasswords /etc/ssh/sshd_config && \
    sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    # string not present, check for Match stanza
    # (GNU sed: "0,/re/" limits the edit to the first Match line; "-i" is
    # needed so the inserted line is actually written back to the file)
    grep -q ^Match /etc/ssh/sshd_config && \
        sed -i '0,/^Match/s/^Match.*/PermitEmptyPasswords no\n&/' /etc/ssh/sshd_config
    if ! [ $? -eq 0 ]; then
        # Match stanza not present, add to bottom of /etc/ssh/sshd_config
        echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
    fi
fi
.... there has to be some easier / less fugly way through sed or awk...
anyone?
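One awk-based way to do what the thread describes (replace a global directive if it exists, otherwise insert it above the first Match block, otherwise append), as an added example that is not code from the thread or from SSG; the function names, the temporary-file handling and the sample sshd_config are constructed for the example:

```shell
# Added example (not the thread's script): place a global sshd_config directive
# *before* the first "Match" block, since anything after "Match" belongs to it.
# set_sshd_option FILE KEY VALUE: rewrite an uncommented global KEY in place,
# else insert "KEY VALUE" above the first Match line, else append to the end.
set_sshd_option() {
    _tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        BEGIN { done = 0; in_match = 0 }
        # the first Match line closes the global section: emit our line first
        !in_match && tolower($1) == "match" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        # an existing global definition (keywords are case-insensitive): replace
        !in_match && tolower($1) == tolower(key) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"   # cat keeps the file's mode/owner
    _rc=$?; rm -f "$_tmp"; return $_rc
}

# global_value FILE KEY: the value sshd uses globally (first uncommented KEY
# before any Match); empty when KEY only appears inside a Match block.
global_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Constructed sample shaped like the config in the thread: Match block at the
# end, no global Banner or PermitEmptyPasswords, one commented-out default.
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitEmptyPasswords yes
# Rules for sftponly group
Match group sftponly
X11Forwarding no
AllowTcpForwarding no
EOF
}
cfg=$(mktemp); make_sample_config "$cfg"
set_sshd_option "$cfg" PermitEmptyPasswords no
set_sshd_option "$cfg" Banner /etc/issue
cat "$cfg"                 # both new lines now sit above "Match group sftponly"
rm -f "$cfg"
```

Running it a second time with a different value for the same key rewrites the existing global line instead of adding a duplicate, and a file with no Match block at all simply gets the directive appended.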
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide