We need to look for two locations, not two directives

[mirror/dsa-nagios.git] / dsa-nagios-checks / share / weak-ssh-keys-check

diff --git a/dsa-nagios-checks/share/weak-ssh-keys-check b/dsa-nagios-checks/share/weak-ssh-keys-check
index e35a8a1..d6d4f8c 100755 (executable)
--- a/dsa-nagios-checks/share/weak-ssh-keys-check
+++ b/dsa-nagios-checks/share/weak-ssh-keys-check
@@ -92,11 +92,13 @@ use IPC::Open3;
 my $fprdb_fname = "/var/lib/dsa/ssh-weak-keys.db" ;
 my ($outfile, $help);
 my $dsa_nowarn = 0;
+my $debian_org = 1;
 
 GetOptions(     'help|h' => \$help, #Help function
                'statusfile|s=s' => \$outfile, 
                'fprdb|f=s' => \$fprdb_fname,
-               'n|dsa_nowarn' => \$dsa_nowarn,  
+               'n|dsa_nowarn' => \$dsa_nowarn,
+               'd|debian-org!' => \$debian_org,
 );
 
 pod2usage(1) if $help;
@@ -123,9 +125,11 @@ my $text = '';
 my %key_sizes;
 
 
-
-#&from_user_all;
-&from_debianorg_places;
+if ($debian_org) {
+       &from_debianorg_places;
+} else {
+       &from_user_all;
+}
 &from_ssh_host(qw(localhost));
 
 my $status="OK";
@@ -198,6 +202,7 @@ sub from_ssh_key_file ($) {
     my $name = shift;
     if (open (my $FH, '<', $name)) {
        my $key = <$FH>; 
+       close($FH);
        if (! defined $key) {
                $weird_keyfiles++;
                $text .= "cannot read $name properly - empty?\n";
@@ -304,23 +309,26 @@ sub from_debianorg_places () {
 
     my @ak = grep { /^AuthorizedKeysFile\s/i } @lines;
     my @ak2 = grep { /^AuthorizedKeysFile2\s/i } @lines;
+    my @ak_files;
 
-    if (scalar @ak != 1) {
-       print $fh "UNKNOWN\n";
-       print $fh "There is more than one AuthorizedKeysFile definition in sshd_config\n";
-       exit
+    for my $line ((@ak, @ak2)) {
+           my @file_locations = split /\s+/, $line;
+           shift @file_locations;
+           push @ak_files, @file_locations;
     }
-    if (scalar @ak2 != 1) {
+
+    if (scalar @ak_files != 2) {
        print $fh "UNKNOWN\n";
-       print $fh "There is more than one AuthorizedKeysFile2 definition in sshd_config\n";
+       print $fh "There should be two locations for User AuthorizedKeysFile defined in sshd_config\n";
        exit
     }
-    unless ($ak[0] =~ m#^((?i)AuthorizedKeysFile)\s+/etc/ssh/userkeys/%u$# ) {
+
+    unless (grep { m#^/etc/ssh/userkeys/%u$# } @ak_files) {
        print $fh "UNKNOWN\n";
        print $fh "The AuthorizedKeysFile definition has an unexpected value.  Should be /etc/ssh/userkeys/%u\n";
        exit
     }
-    unless ($ak2[0] =~ m#^((?i)AuthorizedKeysFile2)\s+/var/lib/misc/userkeys/%u$# ) {
+    unless (grep { m#^/var/lib/misc/userkeys/%u$# } @ak_files) {
        print $fh "UNKNOWN\n";
        print $fh "The AuthorizedKeysFile2 definition has an unexpected value.  Should be /var/lib/misc/userkeys/%u\n";
        exit
@@ -332,7 +340,7 @@ sub from_debianorg_places () {
        for my $file (grep { ! -d $d.'/'.$_ } readdir(D)) {
            next if ($file eq 'README-DSA-BUILDD');
            my $f = $d.'/'.$file;
-           from_ssh_key_file $f if -r $f;
+           from_ssh_auth_file $f if -r $f;
        };
     };
 }