github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authorMichael Boelen <michael.boelen@cisofy.com>2018-10-23 18:14:47 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2018-10-23 18:14:47 +0300
commit5028aa2f70814d7551c6a72575506a3a1658f99d (patch)
tree666bc04241299b6b99e11cc5f3b65163727e6917 /include/tests_ssh
parent43b8f2a3332ea4cd7d05d829879017b683099344 (diff)
Added SSH-7406 to detect OpenSSH version + condition based checking in SSH-7408
Diffstat (limited to 'include/tests_ssh')
-rw-r--r--include/tests_ssh44
1 files changed, 37 insertions, 7 deletions
diff --git a/include/tests_ssh b/include/tests_ssh
index 2cdaa5c6..9b4179fa 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -27,6 +27,9 @@
SSH_DAEMON_PORT=""
SSH_DAEMON_RUNNING=0
SSH_DAEMON_OPTIONS_FILE=""
+ OPENSSHD_VERSION=0
+ OPENSSHD_VERSION_MAJOR=0
+ OPENSSHD_VERSION_MINOR=0
#
#################################################################################
#
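Review bot: Initialising `OPENSSHD_VERSION_MAJOR=0` and `OPENSSHD_VERSION_MINOR=0` makes an undetected version indistinguishable from an old one: the SSH-7408 branch added in the third hunk (which runs past the end of this page) tests `[ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]`, so a skipped SSH-7406 or an empty parse result re-adds the `Protocol` and `UsePrivilegeSeparation` checks as if the daemon were pre-7. A comment here would make that contract explicit, e.g. `# 0 = version not (yet) determined; SSH-7408 then treats the daemon as pre-7`, and SSH-7408 could record the assumption with `LogText "Result: OpenSSH version unknown, assuming legacy options apply"` when the major is still 0. Whether that fallback is the intended behaviour is not stated in the commit.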
@@ -90,6 +93,23 @@
#
#################################################################################
#
+ # Test : SSH-7406
+ # Description : Check OpenSSH version
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ OPENSSHD_VERSION=$(sshd -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',')
+ LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
+ if [ ! -z ${OPENSSHD_VERSION} ]; then
+ OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $1}')
+ LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
+ OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $2}')
+ LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}"
+ fi
+ fi
+#
+#################################################################################
+#
# Test : SSH-7408
# Description : Check SSH specific defined options
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself
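Review bot: In the awk stage of the `OPENSSHD_VERSION` pipeline, `$4~OpenSSH_` compares against an uninitialised awk variable (the empty string), so the pattern matches every line and the filter is a no-op; the intended regex is `${AWKBINARY} '{if($4~/OpenSSH_/){print $4}}'`. The following test should quote its expansion, `if [ ! -z "${OPENSSHD_VERSION}" ]; then`, so an empty result is evaluated as intended rather than by the accident of a one-argument test. When the `sshd -t -d` run yields nothing (for example because `sshd` is not on PATH for the invoking user), the variable stays empty and only the preceding LogText line hints at it; an explicit `LogText "Result: could not determine OpenSSH version"` in an else branch would make the failure visible in the log. The split on `.` presumably leaves a non-numeric minor token for release strings of the form `7.4p1`, which would break the `-lt` comparisons SSH-7408 performs later — worth confirming against real `sshd -d` output.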
@@ -124,20 +144,30 @@
PermitTunnel:NO,,YES:=\
Port:,,22:!\
PrintLastLog:YES,,NO:=\
- Protocol:2,,1:=\
StrictModes:YES,,NO:=\
TCPKeepAlive:NO,,YES:=\
UseDNS:NO,,YES:=\
- UsePrivilegeSeparation:SANDBOX,YES,NO:=\
VerifyReverseMapping:YES,,NO:=\
X11Forwarding:NO,,YES:=\
AllowAgentForwarding:NO,,YES:="
- # Notes
- # =========================================================
- # UsePrivilegeSeparation - removed since OpenSSH 7.5
- #
- # Disabled MaxStartups:4,8,16:<\ (needs fixing)
+
+ # OpenSSH had some options removed over time. Based on the version we add some additional options to check
+ if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then
+ LogText "Result: added additional options for OpenSSH 6.x and lower"
+ SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:="
+ elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then
+ # Protocol 1 support removed (OpenSSH 7.4 and later)
+ if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then
+ LogText "Result: added additional options for OpenSSH < 7.4"
+ SSHOPS="${SSHOPS} Protocol:2,,1:="
+ fi
+ # UsePrivilegedSeparation removed (OpenSSH 7.5 and later)
+ if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then
+ LogText "Result: added additional options for OpenSSH < 7.5"
+ SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:="
+ fi
+ fi
# Go through our list of options
for I in ${SSHOPS}; do