X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=dsa-nagios-nrpe-config%2Fweak-ssh-keys-check;h=e35a8a10c96e5f2b069a3b8ad58d88b7d4b02cdf;hb=34816cfa599726fb4d7c33e02091a14b22069312;hp=3e07842a8c2b35f2019a6aad5e589a0522e64bac;hpb=9cfed6df0f0cd449847bd5041afcee634faa57ad;p=mirror%2Fdsa-nagios.git
diff --git a/dsa-nagios-nrpe-config/weak-ssh-keys-check b/dsa-nagios-nrpe-config/weak-ssh-keys-check
index 3e07842..e35a8a1 100755
--- a/dsa-nagios-nrpe-config/weak-ssh-keys-check
+++ b/dsa-nagios-nrpe-config/weak-ssh-keys-check
@@ -11,6 +11,8 @@
 #
 # Copyright (c) 2008, Alexander Wirt for check_weakkeys
 #
+# Copyright (c) 2008 Peter Palfrader
+#
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
@@ -116,18 +118,20 @@ tie %fpr_hash, 'BerkeleyDB::Btree',
 my ($weak_keys,$checked_keys) = 0;
 my $dsa_keys = 0;
+my $weird_keyfiles = 0;
 my $text = '';
 my %key_sizes;
-&from_user_all;
+#&from_user_all;
+&from_debianorg_places;
 &from_ssh_host(qw(localhost));
 my $status="OK";
 if ($weak_keys) {
 $status = "CRITICAL";
-} elsif ($dsa_keys && ! $dsa_nowarn) {
+} elsif ($dsa_keys && ! $dsa_nowarn || $weird_keyfiles) {
 $status = "WARNING";
 }
@@ -194,7 +198,10 @@ sub from_ssh_key_file ($) {
 my $name = shift;
 if (open (my $FH, '<', $name)) {
 my $key = <$FH>;
-if ($key =~ m/^ssh-dss/) {
+if (! defined $key) {
+$weird_keyfiles++;
+$text .= "cannot read $name properly - empty?\n";
+} elsif ($key =~ m/ssh-dss/) {
 $dsa_keys++;
 $text .= "$name is a DSA key\n";
 }
@@ -227,8 +234,9 @@ sub from_ssh_auth_file ($) {
 chomp $line;
 my $lineno = $.;
 clear_tmp $tmp;
+next if $line =~ m/^$/; # ignore empty lines
 next if $line =~ m/^#/; # ignore comments
-if ($line =~ m/^ssh-dss/) {
+if ($line =~ m/ssh-dss/) {
 $dsa_keys++;
 $text .= "$name:$lineno is a DSA key\n";
 }
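Review bot: The new WARNING condition `$dsa_keys && ! $dsa_nowarn || $weird_keyfiles` relies on `&&` binding tighter than `||`; that does give the grouping the change seems to intend, but since this expression decides the check's result it is worth making the grouping explicit, `} elsif (($dsa_keys && ! $dsa_nowarn) || $weird_keyfiles) {`. The added `&from_debianorg_places;` uses the `&name;` call form, which silently passes the caller's current `@_` to the sub rather than an empty list; `from_debianorg_places();` is the plain call and avoids that. Several blank context lines of this hunk appear to have been lost in the collapsed rendering, so the line counts in the header do not match what is visible.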
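Review bot: Dropping the anchor in `} elsif ($key =~ m/ssh-dss/) {` means a non-DSA key whose trailing comment contains the text `ssh-dss` (a hostname, say) is now counted as a DSA key, and the same change is made to `from_ssh_auth_file` in the next hunk. If the intent is to tolerate leading options before the key type, matching the type as its own whitespace-delimited token keeps that while excluding the comment field, `} elsif ($key =~ m/(?:^|\s)ssh-dss\s/) {`. The `! defined $key` branch catches an empty file, but a file whose first line is blank or whitespace still passes through to the type test undetected. from_ssh_key_file continues outside the hunk, so whether `$FH` is closed and what happens when `open` fails is not visible here.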
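Review bot: `next if $line =~ m/^$/; # ignore empty lines` only skips a line that is completely empty after `chomp`; a line of spaces or tabs, or a comment indented by whitespace, is neither skipped by it nor by the `m/^#/` test below and reaches the key parsing, whereas sshd, as far as I recall, strips leading whitespace before deciding a line is blank or a comment. A single guard covers both, `next if $line =~ m/^\s*(?:#|$)/; # ignore blank lines and comments`. The loop this sits in starts before the hunk.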
@@ -252,6 +260,7 @@ sub from_ssh_host (@) {
 my $tmp = new File::Temp;
 for my $line (@lines) {
 next if $line =~ /^#/;
+next if $line =~ /^no hostkey alg/;
 my ($host, $data) = $line =~ /^(\S+) (.*)$/;
 clear_tmp $tmp;
 print $tmp "$data\n" or die "print: $!";
@@ -288,3 +297,44 @@ sub from_user_all () {
 }
+sub from_debianorg_places () {
+open(F, "/etc/ssh/sshd_config") or die ("Cannot open /etc/ssh/sshd_config: $!\n");
+my @lines = ;
+close(F);
+
+my @ak = grep { /^AuthorizedKeysFile\s/i } @lines;
+my @ak2 = grep { /^AuthorizedKeysFile2\s/i } @lines;
+
+if (scalar @ak != 1) {
+print $fh "UNKNOWN\n";
+print $fh "There is more than one AuthorizedKeysFile definition in sshd_config\n";
+exit
+}
+if (scalar @ak2 != 1) {
+print $fh "UNKNOWN\n";
+print $fh "There is more than one AuthorizedKeysFile2 definition in sshd_config\n";
+exit
+}
+unless ($ak[0] =~ m#^((?i)AuthorizedKeysFile)\s+/etc/ssh/userkeys/%u$# ) {
+print $fh "UNKNOWN\n";
+print $fh "The AuthorizedKeysFile definition has an unexpected value. Should be /etc/ssh/userkeys/%u\n";
+exit
+}
+unless ($ak2[0] =~ m#^((?i)AuthorizedKeysFile2)\s+/var/lib/misc/userkeys/%u$# ) {
+print $fh "UNKNOWN\n";
+print $fh "The AuthorizedKeysFile2 definition has an unexpected value. Should be /var/lib/misc/userkeys/%u\n";
+exit
+}
+
+for my $d (qw{/etc/ssh/userkeys /var/lib/misc/userkeys}) {
+next unless (-d $d);
+opendir(D, $d) or die "Cannot opendir $d: $!\n";
+for my $file (grep { ! -d $d.'/'.$_ } readdir(D)) {
+next if ($file eq 'README-DSA-BUILDD');
+my $f = $d.'/'.$file;
+from_ssh_key_file $f if -r $f;
+};
+};
+}
+
+
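Review bot: `next if $line =~ /^no hostkey alg/;` filters one specific ssh-keyscan message by its literal text, which will need a new special case whenever the wording changes or another diagnostic appears in `@lines`; any other non-key line that does not match `^(\S+) (.*)$` on the following line leaves `$host` and `$data` undefined and still writes `"$data\n"` into the temp file. Keeping the filter but also refusing lines the capture cannot parse makes the loop robust to both, `my ($host, $data) = $line =~ /^(\S+) (.*)$/ or next;`. Where `@lines` comes from (and whether ssh-keyscan's stderr is mixed into it) is outside the hunk, as is the rest of from_ssh_host.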
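Review bot: The `scalar @ak != 1` and `scalar @ak2 != 1` checks in from_debianorg_places also fire when sshd_config has no such directive at all, yet the text printed says "more than one", and each block's bare `exit` returns status 0, which reads as success if anything on the NRPE side looks at the exit code rather than the `UNKNOWN` line written to `$fh`. Printing the real count and an explicit status fixes both, e.g. `print $fh "Expected exactly one AuthorizedKeysFile definition in sshd_config, found " . scalar(@ak) . "\n"; exit 3;`, and likewise for the other three blocks. In the directory walk, `from_ssh_key_file $f if -r $f;` silently skips a key file the check cannot read, so such a file is never reported; counting it into `$weird_keyfiles` with a line in `$text` would surface it as WARNING the same way the empty-file case now does. The `opendir(D, $d)` handle is never closed, `open(F, "/etc/ssh/sshd_config")` is a two-argument open on a bareword handle, and `my @lines = ;` looks like it lost its `<F>` readline in rendering; `open my $cfg, '<', '/etc/ssh/sshd_config' or die ...` with a lexical handle would tidy all three. Note also that a directive written with leading whitespace or in the `AuthorizedKeysFile=value` form that sshd accepts is not matched by `/^AuthorizedKeysFile\s/i`, which turns a legal config into UNKNOWN rather than a missed check, so that is conservative but worth a comment.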