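#!/bin/ksh
# $Id: ssh,v 1.6 2008/10/26 18:53:16 ksb Exp $
# We're a netlint plugin that records SSH-related information. (petef,ksb)
#****p* netlint/ssh
# NAME
#	ssh
# DESCRIPTION
#	The configuration of ssh and sshd is critical to the software update
#	processes we use and our access to the host. Netlint checks some of the
#	configuration of ssh and sshd to assure we can access the host.
#
#	Each finding is emitted as one "ATTRIBUTE: value" line via ${CARP}.
#	The plugin always exits 0: a missing directory or key file is a
#	reported attribute, not a failure of the plugin itself.
# ENVIRONMENT
#	CARP	command used to emit each attribute line (default: echo)
#	SSHDIR	directory holding the ssh host keys (default /etc/ssh, with
#		fallbacks for older layouts, see below)
#***

# Quote $0 so an install path containing spaces still yields the right name.
PROGNAME=`basename "$0"`
# CARP is exported because the xapply command below runs in child shells
# that must report through the same command.
: ${CARP:=echo}
export CARP

if [ _"$1" = _"-V" ]; then
	echo "$PROGNAME: "'$Id: ssh,v 1.6 2008/10/26 18:53:16 ksb Exp $'
	exit 0
fi

# Locate the ssh configuration directory.  A preset SSHDIR wins; otherwise
# try the /etc/ssh layout first, then the older layouts that kept the host
# key directly in /etc or /usr/local/etc.  If nothing matches, the cd below
# fails and SSH_MISSING is reported for the directory itself.
: ${SSHDIR:=/etc/ssh}
if [ -d "$SSHDIR" ]; then
	:
elif [ -f /etc/ssh_host_key ]; then
	SSHDIR="/etc"
elif [ -f /usr/local/etc/ssh_host_key ]; then
	SSHDIR="/usr/local/etc"
elif [ -d /usr/local/etc/ssh ]; then
	SSHDIR="/usr/local/etc/ssh"
fi
export SSHDIR

#****a* ssh/SSH_MISSING
# NAME
#	SSH_MISSING
# FORMAT
#	SSH_MISSING: file
# DESCRIPTION
#	Netlint believes the named file is critical to ssh or sshd.
# REMEDIATION
#	Install the missing files or directories.
#***
# Quoted so a SSHDIR with unusual characters is still a single argument.
cd "$SSHDIR" 2>/dev/null || {
	${CARP} "SSH_MISSING: $SSHDIR"
	exit 0
}

#****a* ssh/SSH_KEY
# NAME
#	SSH_KEY
# FORMAT
#	SSH_KEY: type hash
# DESCRIPTION
#	Netlint reports the finger-print hash of the public keys for all the ssh
#	host keys. These are compared to the previous report's values to see if any
#	keys have changed.
# IMPACT
#	Some site policy might be used here, and it is not. Ssh host key changes
#	are bad enough that one should be warned about them.
#
#	When an ssh host key changes it must be updated in many place:
#	  * Every Admin's known_hosts
#	  * mtp's known_hosts on paragon.sac
#	  * acct's known_hosts on adm4.sac
#	  * root's known_hosts on svr6.sac
#	  * sample's known_hosts on for peg
#	  * log's known_hosts on log1.sac, log2.sac, logtest1.sac
#	  * many other pseudo-logins accounts
#
#	Otherwise, those facilities will just report an error ("host key changed")
#	and not function.
# REMEDIATION
#	Restore the keys file, and, for sure, trace down how they got changed!
#	(Maybe not in that order.)
#***
# xapply runs the quoted command once per key file, in its own shell, with
# %1 replaced by the file name.  The "exit 0" inside ends only that child,
# so the remaining key files are still examined; a host that has no such
# key (e.g. the protocol-1 ssh_host_key.pub) is reported as SSH_MISSING.
# The inner xapply keeps the first two fields of ssh-keygen's listing (key
# length and fingerprint) and drops the comment.  The fingerprint text is
# whatever this OpenSSH's ssh-keygen -l prints, so a change in its default
# fingerprint format would also appear as a changed SSH_KEY value even
# though the key itself is unchanged -- check that before assuming a key
# was replaced.
xapply 'if [ ! -f "%1" ]; then
	${CARP} "SSH_MISSING: $SSHDIR/%1"
	exit 0
fi
PRINT=`ssh-keygen -l -f "%1" 2>/dev/null | grep "^[0-9]" | xapply -nf "%%[1 1] %%[1 2]" -`
${CARP} "SSH_KEY: %1 $PRINT"
' ssh_host_dsa_key.pub ssh_host_key.pub ssh_host_rsa_key.pub

#****a* ssh/SSH_RANDOM_MISSING
# NAME
#	SSH_RANDOM_MISSING
# FORMAT
#	SSH_RANDOM_MISSING: path how
# DESCRIPTION
#	/dev/random cannot be accessed.
# IMPACT
#	Netlint reports on the status of /dev/random because
#	the ssh client program fails if there is not sufficient entropy on the
#	system (as does SSL/TLS).
# SEE ALSO
#	SSH_RANDOM_FIFO
#	SSH_RANDOM_LINK
#***
#****a* ssh/SSH_RANDOM_LINK
# NAME
#	SSH_RANDOM_LINK
# FORMAT
#	SSH_RANDOM_LINK: path is a link
# DESCRIPTION
#	/dev/random is a symbolic link rather than a device node.
# SEE ALSO
#	SSH_RANDOM_MISSING
#***
#****a* ssh/SSH_RANDOM_FIFO
# NAME
#	SSH_RANDOM_FIFO
# FORMAT
#	SSH_RANDOM_FIFO: path is a FIFO
# DESCRIPTION
#	/dev/random is a FIFO.
# SEE ALSO
#	SSH_RANDOM_MISSING
#***
# if /dev/random isn't good enough, we'll get "PRNG not seeded" and not be
# able to initiate (or maybe receive) any ssl- or ssh- related connections.
# The FIFO and link tests come first on purpose: a readable FIFO or symlink
# in place of the device is still worth flagging, since something other
# than the kernel would then be feeding the entropy pool.
if [ -p /dev/random ]; then
	${CARP} "SSH_RANDOM_FIFO: /dev/random is a FIFO"
elif [ -h /dev/random ]; then
	${CARP} "SSH_RANDOM_LINK: /dev/random is a link"
elif [ ! -r /dev/random ]; then
	${CARP} "SSH_RANDOM_MISSING: /dev/random is not readable"
fi

#****a* ssh/SSH_VERSION
# NAME
#	SSH_VERSION
# FORMAT
#	SSH_VERSION: part version
# DESCRIPTION
#	The versions of some aspects of ssh or the underlying operating system
#	might be reported via this attribute. For example the version of the
#	SUNWski package on Solaris 7 is very important at some sites.
#***
# Only Solaris has pkginfo; elsewhere this block is skipped silently.
# The sed strips the "VERSION:" label and its padding from pkginfo -l.
if [ -x /usr/bin/pkginfo ]; then
	SKIVER=`pkginfo -l SUNWski 2>/dev/null | sed -n -e 's,^ *VERSION:[ ]*,,p'`
	[ -z "$SKIVER" ] || ${CARP} "SSH_VERSION: SUNWski $SKIVER"
fi
exit 0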