From b45f51ebd28d645bcd4afb0c02820c01a76b8062 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 23 Jun 2008 07:19:27 +0000
Subject: [PATCH] [project @ peter@palfrader.org-20080623071927-p39zxuq2sk0enkbv] Do not check homedir keys since they are disabled on debian.org systems - verify that
---
 dsa-nagios-nrpe-config/weak-ssh-keys-check | 43 +++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/dsa-nagios-nrpe-config/weak-ssh-keys-check b/dsa-nagios-nrpe-config/weak-ssh-keys-check
index 68b73b6..25cde53 100755
--- a/dsa-nagios-nrpe-config/weak-ssh-keys-check
+++ b/dsa-nagios-nrpe-config/weak-ssh-keys-check
@@ -121,7 +121,8 @@
 my %key_sizes;
-&from_user_all;
+#&from_user_all;
+&from_debianorg_places;
 &from_ssh_host(qw(localhost));
 my $status="OK";
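Review bot: The new call on the `+&from_debianorg_places;` line uses the `&name;` form, which bypasses the empty `()` prototype the sub is declared with and silently passes the caller's current `@_` through; `from_debianorg_places();` says what is meant. The `#&from_user_all;` line leaves the disabled homedir scan as commented-out code; since the commit message already records why it is off, deleting the line (or putting it behind an option) keeps the top-level script from accumulating dead calls. These are top-level statements, so there is no enclosing sub.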
@@ -290,3 +291,43 @@ sub from_user_all () {
 }
+sub from_debianorg_places () {
+ open(F, "/etc/ssh/sshd_config") or die ("Cannot open /etc/ssh/sshd_config: $!\n");
+ my @lines = ;
+ close(F);
+
+ my @ak = grep { /^AuthorizedKeysFile\s/i } @lines;
+ my @ak2 = grep { /^AuthorizedKeysFile2\s/i } @lines;
+
+ if (scalar @ak != 1) {
+ print $fh "UNKNOWN\n";
+ print $fh "There is more than one AuthorizedKeysFile definition in sshd_config\n";
+ exit
+ }
+ if (scalar @ak2 != 1) {
+ print $fh "UNKNOWN\n";
+ print $fh "There is more than one AuthorizedKeysFile2 definition in sshd_config\n";
+ exit
+ }
+ unless ($ak[0] =~ m#^((?i)AuthorizedKeysFile)\s+/etc/ssh/userkeys/%u$# ) {
+ print $fh "UNKNOWN\n";
+ print $fh "The AuthorizedKeysFile definition has an unexpected value. Should be /etc/ssh/userkeys/%u\n";
+ exit
+ }
+ unless ($ak2[0] =~ m#^((?i)AuthorizedKeysFile2)\s+/var/lib/misc/userkeys/%u$# ) {
+ print $fh "UNKNOWN\n";
+ print $fh "The AuthorizedKeysFile2 definition has an unexpected value. Should be /var/lib/misc/userkeys/%u\n";
+ exit
+ }
+
+ for my $d (qw{/etc/ssh/userkeys /var/lib/misc/userkeys}) {
+ next unless (-d $d);
+ opendir(D, $d) or die "Cannot opendir $d: $!\n";
+ for my $file (grep { $_ ne "." && $_ ne ".." } readdir(D)) {
+ my $f = $d.'/'.$file;
+ from_ssh_key_file $f if -r $f;
+ };
+ };
+}
+
+
-- 
2.20.1
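Review bot: `-r $f` on the `from_ssh_key_file $f if -r $f;` line is also true for a readable subdirectory of /etc/ssh/userkeys or /var/lib/misc/userkeys, so any directory entry there is handed to from_ssh_key_file (presumably defined earlier in the file, outside this hunk) as if it were a key file; `from_ssh_key_file $f if -f $f && -r $f;` limits the scan to regular files. The `scalar @ak != 1` and `scalar @ak2 != 1` branches are also taken when the directive is absent, yet both messages say "more than one" definition; a message such as `"Expected exactly one AuthorizedKeysFile definition in sshd_config, found " . scalar(@ak) . "\n"` would make the UNKNOWN output diagnosable from the Nagios side. `open(F, "/etc/ssh/sshd_config")` and `opendir(D, $d)` use bareword handles and the two-argument open form (harmless with this constant path, but `open my $cfg, '<', '/etc/ssh/sshd_config'` with a lexical handle is the safe idiom), and `D` is reopened on each loop pass without a `closedir`. The `print $fh` lines rely on a `$fh` that is not declared in this sub and not shown in the hunk, so its origin should be confirmed. The `my @lines = ;` line appears to have lost its readline operator in rendering — presumably `<F>` — so the patch as displayed is not syntactically complete.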