Skip to content

Ubuntu 24.04 ssh-checks only checks /etc/ssh/sshd_config and not dropin files in /etc/ssh/sshd_config.d/ #13291

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cambid opened this issue Apr 8, 2025 · 2 comments · Fixed by #13499
Closed

Ubuntu 24.04 ssh-checks only checks /etc/ssh/sshd_config and not dropin files in /etc/ssh/sshd_config.d/ #13291

cambid opened this issue Apr 8, 2025 · 2 comments · Fixed by #13499
Labels
triaged Ubuntu Ubuntu product related.

Comments

@cambid
Copy link
Contributor

cambid commented Apr 8, 2025

Description of problem:

The following checks are only checking /etc/ssh/sshd_config and not the dropin files in /etc/ssh/sshd_config.d/ under Ubuntu 24.04:

  • Use Only Strong MACs
  • Use Only Strong Key Exchange algorithms
  • Use Only Strong Ciphers

SCAP Security Guide Version:

Nightly build (2025-04-08)

Operating System Version:

Ubuntu 24.04.

Steps to Reproduce:

  1. Run test against xccdf_org.ssgproject.content_profile_cis_level1_server on a server with Ubuntu 24.04 and note results of the checks
  2. Add the following lines to /etc/ssh/sshd_config.d/00-strong-crypto.conf
KexAlgorithms [email protected],curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
MACs [email protected],[email protected]
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
  1. Run the test again > still fail
  2. Add the lines at the end of /etc/ssh/sshd_config
  3. Run the test again > pass

Actual Results:

All checks are marked as failed.

Expected Results:

All checks are marked as pass.

Additional Information/Debugging Steps:
@dodys dodys added the Ubuntu Ubuntu product related. label Apr 15, 2025
@mpurg
Copy link
Contributor

mpurg commented Apr 15, 2025

@cambid thanks for pointing this out. Working on a fix.

@dodys dodys added the triaged label Apr 15, 2025
@koffenback
Copy link

@mpurg I've tested the following fix and it works. Note that the following is just an example which represents all of the security policies that leverage a static filepath (e.g., /etc/ssh/sshd_config) instead of loading both the core config file and the files that are stored within the *.d location.

Note that line two is the difference.

OLD
<ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_empty_passwords:obj:1" version="1"> <ind:filepath>/etc/ssh/sshd_config</ind:filepath> <ind:pattern operation="pattern match">^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object>

FIX
<ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_empty_passwords:obj:1" version="1"> <ind:filepath operation="pattern match">^\/etc\/ssh\/sshd_config(?:.d\/.*.conf)?$</ind:filepath> <ind:pattern operation="pattern match">^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object>

@mpurg mpurg mentioned this issue May 26, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged Ubuntu Ubuntu product related.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Extend sshd_use_strong_kex to use distributed configs mpurg/ComplianceAsCode
4 participants
@dodys @cambid @mpurg @koffenback