mondoohq / cnquery

open source, cloud-native, graph-based asset inventory

Home Page:https://cnquery.io

:bug: RHEL systems using global `crypto-policies`, `sshd.config` ignores override configuration

mm-weber opened this issue · comments

Describe the bug
The sshd.config resource parses all relevant .conf files in
/etc/ssh/sshd_config.d/ and /etc/ssh/sshd_config and follows any Include directives found in those paths to gather data.

All systems using RHEL's global crypto-policy employ the following mechanism (same source) to override crypto-policies set globally for ssh:

image

This is currently ignored by the sshd.config resource and leads to faulty results.

To Reproduce
Steps to reproduce the behavior:

  1. On Rocky Linux 9 set the global crypto policy to FUTURE
update-crypto-policies --set FUTURE

then reboot and check the sshd.config.kexs:

cnspec> sshd.config.kexs
sshd.config.kexs: [
  0: "curve25519-sha256"
  1: "curve25519-sha256@libssh.org"
  2: "ecdh-sha2-nistp256"
  3: "ecdh-sha2-nistp384"
  4: "ecdh-sha2-nistp521"
  5: "diffie-hellman-group-exchange-sha256"
  6: "diffie-hellman-group16-sha512"
  7: "diffie-hellman-group18-sha512"
]

-> This command changes the Kex policies in the included file /etc/crypto-policies/back-ends/opensshserver.config

  2. Now use the override mechanism described above and create the file /etc/ssh/sshd_config.d/49-crypto-policy-override.conf with the following content:
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
  3. Then run the query again in cnspec:
sshd.config.kexs

image

-> The result of the override file is added to the result found in the file /etc/crypto-policies/back-ends/opensshserver.config, which is included via the directive 50-redhat.conf.

Expected behavior

If there is a file with a prefix smaller than 50 in the folder /etc/ssh/sshd_config.d, e.g. 49-override.conf, then the params (e.g. KexAlgorithms) found there need to override the params in the sshd.config resource.

Desktop (please complete the following information):

NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"

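The precedence the issue relies on is the one sshd_config(5) documents: for every keyword the first obtained value wins, and an Include glob is expanded in lexical order, so a drop-in named 49-*.conf is read before 50-redhat.conf and therefore before the crypto-policy file that 50-redhat.conf includes. The following Go program is an added example that models exactly that resolution; it is not cnquery's sshd.config resource code and not a distribution file. The file contents are constructed stand-ins kept in memory (the KexAlgorithms line for the policy file is the list reported in the reproduction above), and the parser deliberately handles only the global section (it stops at the first Match keyword and ignores the `Keyword=value` spelling).

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Files is an in-memory stand-in for the sshd configuration tree keyed by
// absolute path, so the example runs offline. Contents are constructed and
// simplified; they are not copies of the Rocky Linux 9 files.
type Files map[string]string

// Config maps a lowercased keyword to the first value sshd would obtain.
type Config map[string]string

func baseFiles() Files {
	return Files{
		// Assumed stock layout: the drop-in directory is included first.
		"/etc/ssh/sshd_config": "# constructed\nInclude /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin no\n",
		// RHEL's drop-in pulls in the system-wide crypto policy.
		"/etc/ssh/sshd_config.d/50-redhat.conf": "Include /etc/crypto-policies/back-ends/opensshserver.config\nGSSAPIAuthentication yes\n",
		// KexAlgorithms as reported for the FUTURE policy in the issue.
		"/etc/crypto-policies/back-ends/opensshserver.config": "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\n",
	}
}

// withOverride adds the 49- drop-in from the reproduction steps.
func withOverride() Files {
	f := baseFiles()
	f["/etc/ssh/sshd_config.d/49-crypto-policy-override.conf"] = "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512\n"
	return f
}

// expandInclude resolves one Include argument as sshd_config(5) describes:
// relative patterns live under /etc/ssh, globs are expanded, and the
// matches are processed in lexical order.
func expandInclude(files Files, pattern string) []string {
	if !path.IsAbs(pattern) {
		pattern = path.Join("/etc/ssh", pattern)
	}
	var matches []string
	for name := range files {
		if ok, _ := path.Match(pattern, name); ok {
			matches = append(matches, name)
		}
	}
	sort.Strings(matches)
	return matches
}

// parse reads one file into cfg. A keyword already in cfg is left alone
// (first obtained value wins); Include directives are followed in place.
// Simplification: a Match keyword ends the global section of that file.
func parse(files Files, name string, cfg Config) error {
	data, ok := files[name]
	if !ok {
		return fmt.Errorf("%s: no such file", name)
	}
	for _, line := range strings.Split(data, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		key := strings.ToLower(fields[0])
		if key == "match" {
			break
		}
		if key == "include" {
			for _, pat := range fields[1:] {
				for _, inc := range expandInclude(files, pat) {
					if err := parse(files, inc, cfg); err != nil {
						return err
					}
				}
			}
			continue
		}
		if _, seen := cfg[key]; !seen {
			cfg[key] = strings.Join(fields[1:], " ")
		}
	}
	return nil
}

// EffectiveKex returns the KexAlgorithms list sshd would actually use.
func EffectiveKex(files Files) ([]string, error) {
	cfg := Config{}
	if err := parse(files, "/etc/ssh/sshd_config", cfg); err != nil {
		return nil, err
	}
	return strings.Split(cfg["kexalgorithms"], ","), nil
}

func main() {
	for _, c := range []struct {
		label string
		files Files
	}{{"without override", baseFiles()}, {"with 49- override", withOverride()}} {
		kex, err := EffectiveKex(c.files)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s: %v\n", c.label, kex)
	}
}
```

On a real host the reference value to compare any inventory tool against is `sshd -T`, which prints the configuration sshd itself resolved (grep it for `kexalgorithms`); if a resource reports a union of the override and the policy list instead of only the first obtained value, it is not modelling sshd's precedence.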

I'm not able to reproduce this:

[root@localhost vagrant]# cat /etc/ssh/sshd_config.d/49-crypto-policy-override.conf
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
[root@localhost vagrant]# ./cnspec run local -c 'sshd.config.kexs'
→ no Mondoo configuration file provided, using defaults
sshd.config.kexs: [
  0: "sntrup761x25519-sha512@openssh.com"
  1: "curve25519-sha256@libssh.org"
  2: "diffie-hellman-group18-sha512"
]
[root@localhost vagrant]# rm /etc/ssh/sshd_config.d/49-crypto-policy-override.conf
rm: remove regular file '/etc/ssh/sshd_config.d/49-crypto-policy-override.conf'? y
[root@localhost vagrant]# ./cnspec run local -c 'sshd.config.kexs'
→ no Mondoo configuration file provided, using defaults
sshd.config.kexs: [
  0: "curve25519-sha256"
  1: "curve25519-sha256@libssh.org"
  2: "ecdh-sha2-nistp256"
  3: "ecdh-sha2-nistp384"
  4: "ecdh-sha2-nistp521"
  5: "diffie-hellman-group-exchange-sha256"
  6: "diffie-hellman-group16-sha512"
  7: "diffie-hellman-group18-sha512"
]