Package: lynis
Version: 1.6.4-1
Severity: wishlist

Dear Maintainer,

I've written up a few new tests to extend those available for SSH in
Lynis.

The tests perform the following checks:
    1.  Verify LoginGraceTime is configured and recommends a shorter one
        than the default.
    2.  Verify that MaxAuthTries is configured in sshd_config and
        recommends fewer than the default.
    3.  Tests to see if DebianBanner is disabled in sshd_config.
    4.  Tests KexAlgorithms to verify that only those that are
        sufficiently secure are enabled.
    5.  Tests MACs to verify that only those that are
        sufficiently secure are enabled.
    6.  Tests Ciphers to verify that only those that are
        sufficiently secure are enabled.

I had the idea for the last three tests after reading the
recommendations to harden SSH on:

https://stribika.github.io/2015/01/04/secure-secure-shell.html

Additionally, a Nessus scan offered two warnings:
    1.  SSH Weak MAC Algorithms Enabled
    2.  SSH Server CBC Mode Ciphers Enabled

This inspired me to see if a few changes would improve the security of
the SSH server and from the limited results I detail below, I think you
will agree that these changes were worth doing, so I wanted a few tests
for Lynis to make it easier to verify they are in place on any systems I
manage.

I tested the settings for KexAlgorithms, MACs and Ciphers on a system
exposed on the internet, where I found that by modifying KexAlgorithms
from the default to what was recommended, the number of attempts to
guess passwords on my system went down by approximately 1/80.  Rather
than being able to guess a username & password, the vast majority of
brute-force attempts were denied with a "fatal: Unable to negotiate a
key exchange method" log message.  A few made it past that and were
caught by the MACs or Ciphers options, but it drove down the number of
attempts that were seen and that fail2ban needed to deal with.  So far
down that the attempts did not occur frequently enough to exceed
fail2ban's thresholds.

I also tested connecting to my system with default configurations with
SSH on a Debian host, putty on Windows and Juice SSH on Android.  All
were able to connect with the modified KexAlgorithms, MACs and Ciphers.
I was unable to test it with SSH from an Apple host but I don't believe
it should be an issue.

So what do you think, are these tests worth including in tests_ssh for
Lynis?

Thanks,

Dave

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'exp
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

lynis depends on no packages.

Versions of packages lynis recommends:
ii  menu  2.1.47

-- no debconf information

-- 
Dave Vehrs            Email: dve...@gmail.com
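
Added example, not code from the bug report or from Lynis: a stand-alone POSIX sh checker that applies the six checks the report lists above to an sshd_config. The function names (directive, weak_algorithms, report, check_sshd_config), the thresholds and the sample configuration are this example's own assumptions, and the sample is constructed, not a real host. It generalises the patch in two ways: keywords are matched case-insensitively, as sshd itself does, so the same function reads either sshd_config or the lower-cased output of `sshd -T`; and a LoginGraceTime or MaxAuthTries value that is not a plain integer (sshd accepts time suffixes such as 2m) is reported for manual review instead of being handed to an integer comparison.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Lynis: a stand-alone
# sshd_config checker applying the six criteria the report describes.
# Function names, thresholds and SAMPLE_CONFIG are this example's own.

# Constructed sshd_config fragment used for the demonstration.
SAMPLE_CONFIG='# constructed sample, not a real host configuration
Port 22
LoginGraceTime 30
MaxAuthTries 3
DebianBanner no
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
MACs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-md5
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc'

# directive NAME CONFIG: print the value of the first active NAME line.
# Keywords match case-insensitively, as in sshd, so this also reads 'sshd -T' output.
directive() {
    printf '%s\n' "$2" | awk -v name="$1" 'tolower($1) == tolower(name) { print $2; exit }'
}

# weak_algorithms KIND LIST: print, one per line, the members of the comma-separated
# LIST that the report flags: SHA-1 or NIST-curve kex, MD5/SHA-1/umac-64 MACs,
# RC4 and CBC ciphers.  KIND is kex, mac or cipher.
weak_algorithms() {
    printf '%s\n' "$2" | tr ',' '\n' | while read -r algo; do
        case "$1:$algo" in
            kex:*sha1*|kex:ecdh-sha2-nistp*)     printf '%s\n' "$algo" ;;
            mac:*md5*|mac:*sha1*|mac:*umac-64*)  printf '%s\n' "$algo" ;;
            cipher:arcfour*|cipher:*-cbc)        printf '%s\n' "$algo" ;;
        esac
    done
}

# report STATUS NAME MESSAGE: print one result line and count WARN lines.
report() {
    printf '%-4s %-15s %s\n' "$1" "$2" "$3"
    if [ "$1" = WARN ]; then warnings=$((warnings + 1)); fi
}

# check_sshd_config CONFIG: print one line per check; the return value is the
# number of WARN lines (0 means every check passed).
check_sshd_config() {
    cfg=$1
    warnings=0

    value=$(directive LoginGraceTime "$cfg")
    case "$value" in
        '')       report WARN LoginGraceTime "not set, sshd default of 120 seconds applies" ;;
        *[!0-9]*) report WARN LoginGraceTime "value '$value' is not a plain number of seconds, review by hand" ;;
        0)        report WARN LoginGraceTime "0 disables the limit" ;;
        *)        if [ "$value" -ge 120 ]; then report WARN LoginGraceTime "$value seconds is not shorter than the default"
                  else report OK LoginGraceTime "$value seconds"; fi ;;
    esac

    value=$(directive MaxAuthTries "$cfg")
    case "$value" in
        '')       report WARN MaxAuthTries "not set, sshd default of 6 applies" ;;
        *[!0-9]*) report WARN MaxAuthTries "value '$value' is not a number, review by hand" ;;
        *)        if [ "$value" -ge 6 ]; then report WARN MaxAuthTries "$value attempts is not fewer than the default"
                  else report OK MaxAuthTries "$value attempts"; fi ;;
    esac

    # DebianBanner is not shown by 'sshd -T'; an absent line means the Debian default (enabled).
    value=$(directive DebianBanner "$cfg")
    case "$value" in
        no) report OK DebianBanner "disabled" ;;
        *)  report WARN DebianBanner "enabled (value '${value:-unset}'), add 'DebianBanner no'" ;;
    esac

    for pair in kex:KexAlgorithms mac:MACs cipher:Ciphers; do
        kind=${pair%%:*}
        name=${pair#*:}
        value=$(directive "$name" "$cfg")
        if [ -z "$value" ]; then
            report WARN "$name" "not set, compiled-in default applies (inspect with 'sshd -T')"
            continue
        fi
        weak=$(weak_algorithms "$kind" "$value" | tr '\n' ' ')
        if [ -n "$weak" ]; then report WARN "$name" "weak entries enabled: $weak"
        else report OK "$name" "no weak entries"; fi
    done
    return "$warnings"
}

# Demonstration on the constructed sample; on a live host pass
# "$(cat /etc/ssh/sshd_config)" or "$(sshd -T)" instead.
if check_sshd_config "$SAMPLE_CONFIG"; then
    echo "all checks passed"
else
    echo "warnings: $?"
fi
```

On the constructed sample the three algorithm lists each carry one weak entry, so the script prints three WARN lines and exits with status 3; the exit status makes it usable as a gate in a configuration-management run. Because only weak entries are flagged, an empty or default list is reported as a separate warning rather than silently passing.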

--- tests_ssh.orig	2015-01-11 14:55:40.483212970 -0700
+++ tests_ssh	2015-02-25 14:03:40.045028207 -0700
@@ -266,6 +266,538 @@
             AddHP 0 1
         fi
     fi
+
+#
+#################################################################################
+#
+    # Test        : SSH-####
+    # Description : LoginGraceTime
+    # Goal        : LoginGraceTime sets a time limit that the server will wait
+    #               for a user to login.  Default is 120 seconds.  We test to
+    #               determine if it is set to default or shorter.
+    # Note        : test-no is unassigned and we use a #### to fill the value.
+
+    if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no SSH-#### --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: LoginGraceTime"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FIND=`egrep "^\s*LoginGraceTime" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
+        if [ ! "${FIND}" = "" ]; then
+            if [ ${FIND} -eq 0 ]; then
+                ReportSuggestion ${TEST_NO} "Consider enabling LoginGraceTime in ${SSH_DAEMON_CONFIG}"
+                logtext "Result: LoginGraceTime is disabled"
+                Display --indent 4 --text "- SSH option: LoginGraceTime" --result "Disabled" --color RED
+                AddHP 0 2
+            elif [ ${FIND} -gt 119 ]; then
+                ReportSuggestion ${TEST_NO} "Consider enabling a shorter LoginGraceTime in ${SSH_DAEMON_CONFIG}"
+                logtext "Result: LoginGraceTime is ${FIND} seconds."
+                Display --indent 4 --text "- SSH option: LoginGraceTime" --result "${FIND} seconds" --color YELLOW
+                AddHP 1 2
+            else
+                logtext "Result: LoginGraceTime is ${FIND} seconds."
+                Display --indent 4 --text "- SSH option: LoginGraceTime" --result "${FIND} seconds" --color GREEN
+                AddHP 2 2
+            fi
+        else
+            FIND=`${SSHDBINARY} -T | grep logingracetime | ${AWKBINARY} '{ print $2 }'`
+            ReportSuggestion ${TEST_NO} "Consider enabling a shorter LoginGraceTime in ${SSH_DAEMON_CONFIG}"
+            logtext "Result: LoginGraceTime is ${FIND} seconds by default."
+            Display --indent 4 --text "- SSH option: LoginGraceTime" --result "${FIND} seconds by Default" --color YELLOW
+            AddHP 1 2
+        fi
+    fi
+
+#
+#################################################################################
+#
+    # Test        : SSH-####
+    # Description : MaxAuthTries
+    # Goal        : MaxAuthTries specifies the maximum number of authentication
+    #               attempts permitted per connection.  Once the number of
+    #               failures reaches half this value, additional failures are
+    #               logged.  The default is 6.
+    # Note        : test-no is unassigned and we use a #### to fill the value.
+
+    if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no SSH-#### --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: MaxAuthTries"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FIND=`egrep "^\s*MaxAuthTries" ${SSH_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
+
+        if [ ! "${FIND}" = "" ]; then
+            if [ ${FIND} -gt 6 ]; then
+                ReportSuggestion ${TEST_NO} "Consider enabling fewer MaxAuthTries in ${SSH_DAEMON_CONFIG}"
+                logtext "Result: MaxAuthTries is ${FIND} attempts."
+                Display --indent 4 --text "- SSH option: MaxAuthTries" --result "${FIND} attempts" --color RED
+                AddHP 0 2
+            elif [ ${FIND} -eq 6 ]; then
+                ReportSuggestion ${TEST_NO} "Consider enabling fewer MaxAuthTries in ${SSH_DAEMON_CONFIG}"
+                logtext "Result: MaxAuthTries is ${FIND} attempts."
+                Display --indent 4 --text "- SSH option: MaxAuthTries" --result "${FIND} attempts" --color YELLOW
+                AddHP 1 2
+            else
+                logtext "Result: MaxAuthTries is ${FIND} attempts."
+                Display --indent 4 --text "- SSH option: MaxAuthTries" --result "${FIND} attempts" --color GREEN
+                AddHP 2 2
+            fi
+        else
+            FIND=`${SSHDBINARY} -T | grep maxauthtries | ${AWKBINARY} '{ print $2 }'`
+            ReportSuggestion ${TEST_NO} "Consider enabling fewer MaxAuthTries in ${SSH_DAEMON_CONFIG}"
+            logtext "Result: MaxAuthTries is ${FIND} attempts by default."
+            Display --indent 4 --text "- SSH option: MaxAuthTries" --result "${FIND} attempts by Default" --color YELLOW
+            AddHP 1 2
+        fi
+    fi
+
+#
+#################################################################################
+#
+    # Test        : SSH-####
+    # Description : Debian Banner
+    # Goal        : Test to determine if Debian Banner is enabled for display
+    #               during protocol handshake.
+    # Note        : test-no is unassigned and we use a #### to fill the value.
+    #
+    #               DebianBanner does not appear in the output of 'sshd -T',
+    #               therefore we need to assume the default enabled state when
+    #               it is not expressly configured in ${SSH_DAEMON_CONFIG}
+
+    if [ "${LINUX_VERSION}" = "Debian" -a ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then
+        PREQS_MET="YES"
+    else
+        PREQS_MET="NO"
+    fi
+    Register --test-no SSH-#### --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Debian Banner"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FIND=`egrep "^\s*DebianBanner" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
+        if [ ! "${FIND}" = "" ]; then
+            if [ "${FIND}" = "yes" ]; then
+                logtext "Result: DebianBanner is enabled"
+                Display --indent 4 --text "- SSH option: DebianBanner" --result "Enabled" --color YELLOW
+                ReportSuggestion ${TEST_NO} "Add 'DebianBanner no' to ${SSH_DAEMON_CONFIG} to disable distribution specific suffix during protocol handshake."
+                AddHP 0 1
+            elif [ "${FIND}" = "no" ]; then
+                logtext "Result: DebianBanner is disabled"
+                Display --indent 4 --text "- SSH option: DebianBanner" --result "Disabled" --color GREEN
+                AddHP 1 1
+            fi
+        else
+            logtext "Result: DebianBanner is enabled by default."
+            Display --indent 4 --text "- SSH option: DebianBanner" --result "Enabled by Default" --color RED
+            ReportSuggestion ${TEST_NO} "Add 'DebianBanner no' to ${SSH_DAEMON_CONFIG} to disable distribution specific suffix during protocol handshake."
+            AddHP 0 1
+
+        fi
+    fi
+
+#
+#################################################################################
+#
+    # Test        : SSH-####
+    # Description : Key Exchange Algorithms
+    # Goal        : Test to determine if which key exchange algorithms are
+    #               enabled and recommend if any should be disabled.
+    # Note        : test-no is unassigned and we use a #### to fill the value.
+    #
+    #               Test only displays those key exchange algorithms that are
+    #               enabled.  Those that are sufficiently secure for a hardened
+    #               system are displayed as green, and those that should be
+    #               removed are displayed as yellow.
+    #
+    #               If KexAlgorithms is not configured in ${SSH_DAEMON_CONFIG},
+    #               then this test uses "sshd -T" to get the default
+    #               configuration.
+    if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no SSH-#### --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: KexAlgorithms"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        # Defaults
+        KEX_SHA1=false
+        KEX_ECDH=false
+        KEX_DHge256=false
+        KEX_Curve25519=false
+
+        FIND=`egrep "^\s*KexAlgorithms" ${SSH_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
+
+        if [ ! "${FIND}" = "" ]; then
+            Display --indent 4 --text "- SSH option: Key Exchange Algorithms (KexAlgorithms)" --result "Configured in ${SSH_DAEMON_CONFIG}" --color GREEN
+            logtext "SSH option: KexAlgorithms is configured in ${SSH_DAEMON_CONFIG}."
+            AddHP 1 1
+            KEX_ALGORITHMS=${FIND}
+        else
+            # if KexAlgorithms is not defined in ${SSH_DAEMON_CONFIG}, then we
+            # can extract the default value from 'sshd -T'
+            Display --indent 4 --text "- SSH option: Key Exchange Algorithms (KexAlgorithms)" --result "Default" --color YELLOW
+            logtext "SSH option: KexAlgorithms is not configured in ${SSH_DAEMON_CONFIG}, default used."
+            AddHP 0 1
+            # KexAlgorithms is lower-case in the output of 'sshd -T'
+            KEX_ALGORITHMS=`${SSHDBINARY} -T | grep kexalgorithms | ${AWKBINARY} '{print $2}'`
+        fi
+
+        OLD_IFS=$IFS
+        IFS=","
+        for line in $KEX_ALGORITHMS; do
+            IFS=${OLD_IFS}
+            case "${line}" in
+                *sha1*)
+                    KEX_SHA1=true
+                    Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in KexAlgorithms, consider removing."
+                    AddHP 0 1
+                    ;;
+                *ecdh-sha2-nistp*)
+                    KEX_ECDH=true
+                    Display --indent 6 --text "- ${line}" --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in KexAlgorithms, consider removing."
+                    AddHP 0 1
+                    ;;
+                *)
+                    case "${line}" in
+                        curve25519-sha...@libssh.org)
+                            KEX_Curve25519=true
+                            ;;
+                        diffie-hellman-group-exchange-sha256)
+                            KEX_DHge256=true
+                            ;;
+                    esac
+                    Display --indent 6 --text "- ${line}" --result "Enabled" --color GREEN
+                    logtext "'${line}' is included  in KexAlgorithms."
+                    AddHP 1 1
+                    ;;
+            esac
+            IFS=","
+        done
+        IFS=${OLD_IFS}
+
+        if [ "${KEX_Curve25519}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'curve25519-sha...@libssh.org' Algorithm to KexAlgorithms in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'curve25519-sha...@libssh.org' to KexAlgorithms in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${KEX_DHge256}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'diffie-hellman-group-exchange-sha256' Algorithm to KexAlgorithms in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'diffie-hellman-group-exchange-sha256' to KexAlgorithms in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${KEX_SHA1}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Remove SHA1 Algorithms from KexAlgorithms in ${SSH_DAEMON_CONFIG}."
+        fi
+        if [ "${KEX_ECDH}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Remove ECDH Curve Algorithms from KexAlgorithms in ${SSH_DAEMON_CONFIG}."
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : SSH-####
+    # Description : Message Authentication Codes
+    # Goal        : Test to determine if which MACs are enabled and recommend if
+    #               any should be disabled.
+    # Note        : test-no is unassigned and we use a #### to fill the value.
+    #
+    #               Test only displays those MACs that are enabled.  Those that
+    #               are sufficiently secure for a hardened system are displayed
+    #               as green, and those that should be removed are displayed as
+    #               yellow.
+    #
+    #               If MACs is not configured in ${SSH_DAEMON_CONFIG},
+    #               then this test uses "sshd -T" to get the default
+    #               configuration.
+    if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no SSH-#### --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: MACs"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        # Defaults
+        MACS_MD5=false
+        MACS_SHA1=false
+        MACS_UMAC64=false
+        MACS_HMAC_SHA2_512_ETM=false
+        MACS_HMAC_SHA2_256_ETM=false
+        MACS_HMAC_RIPEMD160_ETM=false
+        MACS_UMAC_128_ETM=false
+        MACS_HMAC_SHA2_512=false
+        MACS_HMAC_SHA2_256=false
+        MACS_HMAC_RIPEMD160=false
+        MACS_UMAC_128=false
+
+        FIND=`egrep "^\s*MACs" ${SSH_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
+
+        if [ ! "${FIND}" = "" ]; then
+            Display --indent 4 --text "- SSH option: Message Authentication Codes (MACs)" --result "Configured in ${SSH_DAEMON_CONFIG}" --color GREEN
+            logtext "SSH option: MACs is configured in ${SSH_DAEMON_CONFIG}."
+            AddHP 1 1
+            MACS=${FIND}
+        else
+            # if MACs is not defined in ${SSH_DAEMON_CONFIG}, then we
+            # can extract the default value from 'sshd -T'
+            Display --indent 4 --text "- SSH option: Message Authentication Codes (MACs)" --result "Default" --color YELLOW
+            logtext "SSH option: MACs is not configured in ${SSH_DAEMON_CONFIG}, default used."
+            AddHP 0 1
+            # MACs is lower-case in the output of 'sshd -T'
+            MACS=`${SSHDBINARY} -T | grep macs | ${AWKBINARY} '{print $2}'`
+        fi
+
+        OLD_IFS=$IFS
+        IFS=","
+        for line in ${MACS}; do
+            IFS=${OLD_IFS}
+            case "${line}" in
+                *md5*)
+                    MACS_MD5=true
+                    Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in MACs, consider removing."
+                    AddHP 0 1
+                    ;;
+                *sha1*)
+                    MACS_SHA1=true
+                    Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in MACs, consider removing."
+                    AddHP 0 1
+                    ;;
+                *umac-64*)
+                    MACS_UMAC64=true
+                    Display --indent 6 --text "- ${line}" --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in MACs, consider removing."
+                    AddHP 0 1
+                    ;;
+                *)
+                    case "${line}" in
+                        hmac-sha2-512-...@openssh.com)
+                            MACS_HMAC_SHA2_512_ETM=true
+                            ;;
+                        hmac-sha2-256-...@openssh.com)
+                            MACS_HMAC_SHA2_256_ETM=true
+                            ;;
+                        hmac-ripemd160-...@openssh.com)
+                            MACS_HMAC_RIPEMD160_ETM=true
+                            ;;
+                        umac-128-...@openssh.com)
+                            MACS_UMAC_128_ETM=true
+                            ;;
+                        hmac-sha2-512)
+                            MACS_HMAC_SHA2_512=true
+                            ;;
+                        hmac-sha2-256)
+                            MACS_HMAC_SHA2_256=true
+                            ;;
+                        hmac-ripemd160)
+                            MACS_HMAC_RIPEMD160=true
+                            ;;
+                        umac-...@openssh.com)
+                            MACS_UMAC_128=true
+                            ;;
+                    esac
+                    Display --indent 6 --text "- ${line}" --result "Enabled" --color GREEN
+                    logtext "'${line}' is included  in MACs."
+                    AddHP 1 1
+                    ;;
+            esac
+            IFS=","
+        done
+        IFS=${OLD_IFS}
+
+        if [ "${MACS_HMAC_SHA2_512_ETM}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'hmac-sha2-512-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'hmac-sha2-512-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${MACS_HMAC_SHA2_256_ETM}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'hmac-sha2-256-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'hmac-sha2-256-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${MACS_HMAC_RIPEMD160_ETM}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'hmac-ripemd160-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'hmac-ripemd160-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${MACS_UMAC_128_ETM}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'umac-128-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'umac-128-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${MACS_HMAC_SHA2_512}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'hmac-sha2-512' to MACs in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'hmac-sha2-512' to MACs in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${MACS_HMAC_SHA2_256}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'hmac-sha2-256' to MACs in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'hmac-sha2-256' to MACs in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${MACS_HMAC_RIPEMD160}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'hmac-ripemd160' to MACs in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'hmac-ripemd160' to MACs in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${MACS_UMAC_128}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'umac-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'umac-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+
+
+        if [ "${MACS_MD5}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Remove MD5 Algorithms from MACs in ${SSH_DAEMON_CONFIG}."
+        fi
+        if [ "${MACS_SHA1}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Remove SHA1 Algorithms from MACs in ${SSH_DAEMON_CONFIG}."
+        fi
+        if [ "${MACS_UMAC64}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Remove 'umac-64' Algorithms from MACs in ${SSH_DAEMON_CONFIG}."
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : SSH-####
+    # Description : Ciphers
+    # Goal        : Test to determine if which ciphers are enabled and recommend if
+    #               any should be disabled.
+    # Note        : test-no is unassigned and we use a #### to fill the value.
+    #
+    #               Test only displays those ciphers that are enabled.  Those that
+    #               are sufficiently secure for a hardened system are displayed
+    #               as green, and those that should be removed are displayed as
+    #               yellow.
+    #
+    #               If Ciphers is not configured in ${SSH_DAEMON_CONFIG},
+    #               then this test uses "sshd -T" to get the default
+    #               configuration.
+    if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no SSH-#### --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Ciphers"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        # Defaults
+        CIPHER_ARCFOUR=false
+        CIPHER_CAST=false
+        CIPHER_CBC=false
+        CIPHER_DES=false
+
+        CIPHER_CHACHA20_POLY1305=false
+        CIPHER_AES256_GCM=false
+        CIPHER_AES128_GCM=false
+        CIPHER_AES256_CTR=false
+        CIPHER_AES192_CTR=false
+        CIPHER_AES128_CTR=false
+
+        FIND=`egrep "^\s*Ciphers" ${SSH_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
+
+        if [ ! "${FIND}" = "" ]; then
+            Display --indent 4 --text "- SSH option: Ciphers" --result "Configured in ${SSH_DAEMON_CONFIG}" --color GREEN
+            logtext "SSH option: Ciphers is configured in ${SSH_DAEMON_CONFIG}."
+            AddHP 1 1
+            CIPHERS=${FIND}
+        else
+            # if Ciphers is not defined in ${SSH_DAEMON_CONFIG}, then we
+            # can extract the default value from 'sshd -T'
+            Display --indent 4 --text "- SSH option: Ciphers" --result "Default" --color YELLOW
+            logtext "SSH option: Ciphers is not configured in ${SSH_DAEMON_CONFIG}, default used."
+            AddHP 0 1
+            # Ciphers is lower-case in the output of 'sshd -T'
+            CIPHERS=`${SSHDBINARY} -T | grep ciphers | ${AWKBINARY} '{print $2}'`
+        fi
+
+        OLD_IFS=$IFS
+        IFS=","
+        for line in ${CIPHERS}; do
+            IFS=${OLD_IFS}
+            case "${line}" in
+                arcfour*)
+                    CIPHER_ARCFOUR=true
+                    Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in Ciphers, consider removing."
+                    AddHP 0 1
+                    ;;
+                cast128-cbc)
+                    CIPHER_CAST=true
+                    Display --indent 6 --text "- ${line}" --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in Ciphers, consider removing."
+                    AddHP 0 1
+                    ;;
+                3des-cbc)
+                    CIPHER_DES=true
+                    Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in Ciphers, consider removing."
+                    AddHP 0 1
+                    ;;
+                *-cbc)
+                    CIPHER_CBC=true
+                    Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
+                    logtext "'${line}' is included in Ciphers, consider removing."
+                    AddHP 0 1
+                    ;;
+                *)
+                    case "${line}" in
+                        chacha20-poly1...@openssh.com)
+                            CIPHER_CHACHA20_POLY1305=true
+                            ;;
+                        aes256-...@openssh.com)
+                            CIPHER_AES256_GCM=true
+                            ;;
+                        aes128-...@openssh.com)
+                            CIPHER_AES128_GCM=true
+                            ;;
+                        aes256-ctr)
+                            CIPHER_AES256_CTR=true
+                            ;;
+                        aes192-ctr)
+                            CIPHER_AES192_CTR=true
+                            ;;
+                        aes128-ctr)
+                            CIPHER_AES128_CTR=true
+                            ;;
+                    esac
+                    Display --indent 6 --text "- ${line}" --result "Enabled" --color GREEN
+                    logtext "'${line}' is included  in Ciphers."
+                    AddHP 1 1
+                    ;;
+            esac
+            IFS=","
+        done
+        IFS=${OLD_IFS}
+
+        if [ "${CIPHER_CHACHA20_POLY1305}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'chacha20-poly1...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'chacha20-poly1...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${CIPHER_AES256_GCM}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'aes256-...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'aes256-...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${CIPHER_AES128_GCM}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'aes128-...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'aes128-...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${CIPHER_AES256_CTR}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'aes256-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'aes256-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${CIPHER_AES192_CTR}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'aes192-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'aes192-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+        if [ "${CIPHER_AES128_CTR}" = "false" ]; then
+            ReportSuggestion ${TEST_NO} "Add 'aes128-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}."
+            logtext "Consider adding 'aes128-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}"
+            AddHP 0 1
+        fi
+
+
+        if [ "${CIPHER_ARCFOUR}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Remove RC4 ('arcfour') algorithms from Ciphers in ${SSH_DAEMON_CONFIG}."
+        fi
+        if [ "${CIPHER_CAST}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Remove 'cast128-cbc' from Ciphers in ${SSH_DAEMON_CONFIG}."
+        fi
+        if [ "${CIPHER_CBC}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Prefer CTR over CBC, remove CBC algorithms from Ciphers in ${SSH_DAEMON_CONFIG}."
+        fi
+        if [ "${CIPHER_DES}" = "true" ]; then
+            ReportSuggestion ${TEST_NO} "Remove '3des-cbc' from Ciphers in ${SSH_DAEMON_CONFIG}."
+        fi
+    fi
 #
 #################################################################################
 #
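Review bot: the LoginGraceTime and MaxAuthTries tests hand ${FIND} straight to `[ ... -eq ... ]` / `[ ... -gt ... ]`, so a value sshd accepts but that is not a bare integer (a time suffix such as `LoginGraceTime 2m`, or two values when the directive also appears inside a Match block) makes the test fail with "integer expression expected" and no result is displayed; guard with something like `case "${FIND}" in *[!0-9]*) ... esac` before comparing, or read the value from `sshd -T`, which always prints plain seconds. The same two tests also pipe through bare `awk` while every other pipeline in the hunk uses ${AWKBINARY}. Second, every algorithm name containing an '@' has been masked in the archived copy ('curve25519-sha...@libssh.org', 'hmac-sha2-512-...@openssh.com', 'chacha20-poly1...@openssh.com'), so the nested `case` patterns and the ReportSuggestion texts in the KexAlgorithms, MACs and Ciphers tests cannot match or read correctly as shown; the full names need to be restored from the original patch before it is applied. Finally, `egrep "^\s*..."` relies on the GNU `\s` class, which `grep -E` on the non-Linux platforms Lynis runs on may not understand; `^[[:space:]]*` is the portable spelling. Style: the Display text alternates between "- ${line} " and "- ${line}" (trailing space) within the same loops.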
