Closed RZR7332 closed 8 months ago
is it looking at order perhaps?
I think that is the issue, I have had to tweak the order of things to get policy audits to pass.
Would you mind posting the relevant snip of your config? I am also inclined to think it might be order, but I have replicated the config from another system which passes perfectly (also Ubuntu 22.04) - same result. Can't understand what is going on here.
I ran into this just now, and it was the order of the HostKey statements in our configuration. This passes;
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
This doesn't;
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
I am not sure why it wouldn't pass both, but since it doesn't matter in terms of actual security, as far as I know, it is a simple change we can make for the sake of removing an error from the list.
In case anyone arrives here looking for a resolution for Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match
error, and wants to know what changes happened in v3, see the following;
https://github.com/jtesta/ssh-audit/issues/205 https://github.com/jtesta/ssh-audit/issues/203#issuecomment-1704392651
@mejofi thank you, this is indeed the issue. I would never have thought of looking here since this does not actually make logical sense to me.
@jtesta can you provide some insight as to why this configuration or order causes the audit against the hardened profile to fail?
@RZR7332 : My apologies for the very late response.
It seems that, in your original post, you were running the Hardened OpenSSH Server v8.9 (version 2)
policy against an Ubuntu 22.04 target, instead of using the Hardened Ubuntu Server 22.04 LTS (version 5)
policy. FYI, the generic OpenSSH policies should only be used against non-Ubuntu targets; the Ubuntu policies have been specifically tuned for that platform.
You are correct that the order of HostKey directives matters. This is simply how the SSH protocol was designed. Furthermore, the order-sensitive processing would allow an admin to give priority to the use of some host keys over others. If you have a different host key priority in your environment, you may want to use a custom policy instead of the built-in policies.
I could be talked into adding a host_keys_order_matters = true|false directive to the custom policies if users would find that useful.
@mejofi : Thanks for help with analyzing this issue!
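The behaviour described in this thread (the same two host keys pass in one order and fail in the other) comes down to whether a policy compares the advertised host key list as an ordered sequence or as an unordered set. The following Python is an added illustration, not ssh-audit's own policy code: it reads HostKey directives from an sshd_config fragment in the order sshd would process them, maps the conventional key file names to a key type (a constructed mapping), and reports whether a constructed expected order ("rsa" before "ed25519", taken from the passing configuration above) is matched exactly, matched only as a set, or not matched at all. The distinction between "order_mismatch" and "key_mismatch" is what a reader of the audit output wants in order to decide between reordering directives and using a custom policy.

```python
"""Order-sensitive HostKey check for an sshd_config fragment (added example)."""
from typing import List, Tuple

# Constructed mapping from the conventional OpenSSH host key file names to a
# short key type label. This is an assumption for the example, not ssh-audit data.
KEY_TYPE_BY_FILENAME = {
    "ssh_host_rsa_key": "rsa",
    "ssh_host_ed25519_key": "ed25519",
    "ssh_host_ecdsa_key": "ecdsa",
}


def host_key_types(config_text: str) -> List[str]:
    """Return the host key types in the order the HostKey directives appear.

    sshd processes HostKey lines top to bottom, so directive order is what an
    order-sensitive policy ends up comparing against its expected list.
    """
    found: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "hostkey":
            continue  # some other directive (KexAlgorithms, Ciphers, ...)
        file_name = parts[1].strip().rsplit("/", 1)[-1]
        found.append(KEY_TYPE_BY_FILENAME.get(file_name, file_name))
    return found


def check_host_key_order(config_text: str, expected: List[str]) -> Tuple[str, List[str]]:
    """Classify the configured host keys against an expected ordered list.

    Returns one of:
      ("pass", found)            exact ordered match
      ("order_mismatch", found)  same keys, different order (reorder directives)
      ("key_mismatch", found)    different set of keys (policy or key set differs)
    """
    found = host_key_types(config_text)
    if found == expected:
        return "pass", found
    if sorted(found) == sorted(expected):
        return "order_mismatch", found
    return "key_mismatch", found


# Constructed sample inputs mirroring the two configurations quoted in the thread.
PASSING_CONFIG = """\
# host keys, rsa first
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
"""

FAILING_CONFIG = """\
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
"""

# Assumed expected order, taken from the configuration reported as passing.
EXPECTED_ORDER = ["rsa", "ed25519"]


if __name__ == "__main__":
    for label, cfg in (("rsa-first", PASSING_CONFIG), ("ed25519-first", FAILING_CONFIG)):
        status, found = check_host_key_order(cfg, EXPECTED_ORDER)
        print(f"{label}: {status} (found {found}, expected {EXPECTED_ORDER})")
```

Running the block prints "pass" for the rsa-first fragment and "order_mismatch" for the ed25519-first one; a host that only configures an ed25519 key would be reported as "key_mismatch", which is the case where reordering cannot help and a custom policy (as suggested above) is the right fix.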
Hello @jtesta
All good, thanks for coming back to me. If memory serves correctly, I don't think the version 5 profile was present in the version I was using at the time (I believe I was receiving the same results with both the Ubuntu specific profile as well as the generic hardened profile).
I am happy to consider this closed and leave this as is - I would rather not deviate from the protocol specification where possible. Will leave this open for a day or two for others to comment but happy to leave it here.
Thanks again for your work and this amazing tool 🚀
@RZR7332 : Thanks for reporting!
Closing as complete.
Hello Joe,
Before going any further, thank you for this amazing tool - and I am fairly certain the problem is on my side somewhere. For the life of me though, I cannot understand what is happening. If I audit one of my machines (Ubuntu Server 22.04 LTS) against the built-in policy (Hardened OpenSSH Server v8.9 (version 2)), I get the below output:
I understand the first bit is expected as a result of changes in v3; it is the host keys portion which is bothering me. I cannot understand why it is not passing - is it looking at order perhaps? I have followed the guide on the site (https://www.sshaudit.com/hardening_guides.html#ubuntu_22_04_lts), below is my config file:
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
It gets weirder though, I am certain this was working with the last release (2.9.0), but this exact same config works on another system with the same software and configuration. Where am I going wrong, or what have I done wrong?