Werk #14827: Re-work agent plugin for monitoring SSH daemon configuration
|Component|Checks & agents|
|Title|Re-work agent plugin for monitoring SSH daemon configuration|
|Date|Nov 30, 2022|
|Checkmk Edition|Checkmk Raw (CRE)|
|Checkmk Version|2.2.0i1 2.1.0p18 2.0.0p32|
|Compatibility|Incompatible - Manual interaction might be required|
The agent plugin for monitoring the SSH daemon configuration (mk_sshd_config) has been re-worked. The previous version of the plugin used the contents of /etc/ssh/sshd_config to monitor the daemon configuration. This is problematic in multiple ways:
- Include directives, such as Include /etc/ssh/sshd_config.d/*.conf, are not taken into account, resulting in potentially wrong monitoring results.
- Match directives are evaluated incorrectly, leading to monitoring results such as "PasswordAuthentication: noyes".
- Defaults are not taken into account properly. For example, under Ubuntu, the default is that password authentication is enabled if not explicitly configured differently.
The re-worked version of the agent plugin reports the effective daemon configuration queried via sshd -T. This evaluates include directives and takes daemon defaults into account, but explicitly does not evaluate Match directives. Hence, as an example, even if Checkmk reports that password authentication is off, this does not guarantee that no user can ssh into the system using a password.
This werk is marked as incompatible for two reasons:
- The behavioural changes listed above.
- sshd -T will likely require root permissions to execute successfully. Hence, the new version of the plugin will likely not work on systems where the agent is executed as non-root.
Finally, note that the configuration option ChallengeResponseAuthentication is deprecated and has been replaced with KbdInteractiveAuthentication. If configured to monitor this option, Checkmk now checks for both keys and only alerts if neither of the two is found.
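As an added example (not the Checkmk plugin or check code), the following Python parses constructed sshd -T output and evaluates a monitored option the way the werk describes, looking a deprecated key up under its replacement and alerting only if neither is present. The alias table, the sample output and the use of Checkmk-style state numbers (0 = OK, 2 = CRIT) are assumptions.

```python
"""Evaluate an SSH daemon option against the effective configuration
as printed by `sshd -T` (one 'keyword value' pair per line, keywords in
lowercase). Added example, not Checkmk code."""

# Constructed sample of `sshd -T` output; a real plugin run would
# capture this from the daemon itself.
SAMPLE_SSHD_T = """\
port 22
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin without-password
"""

# Deprecated option names mapped to the key that replaced them (assumed
# table). A rule written against the old name keeps working.
DEPRECATED_ALIASES = {
    "challengeresponseauthentication": "kbdinteractiveauthentication",
}


def parse_sshd_t(output: str) -> dict[str, list[str]]:
    """Parse `sshd -T` output into {keyword: [values]}.
    Keywords such as port or hostkey may legitimately appear several
    times, so every value is kept. Note that these are the effective
    global values: Match blocks are not reflected in `sshd -T` output."""
    config: dict[str, list[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config.setdefault(key.lower(), []).append(value.strip())
    return config


def check_option(config: dict[str, list[str]], option: str, expected: str) -> tuple[int, str]:
    """Return (state, summary): 0 if the option has the expected value,
    2 if it differs or if neither the option nor its replacement is found."""
    option = option.lower()
    candidates = [option]
    if option in DEPRECATED_ALIASES:
        candidates.append(DEPRECATED_ALIASES[option])
    for key in candidates:
        if key in config:
            actual = ", ".join(config[key])
            if actual.lower() == expected.lower():
                return 0, f"{key}: {actual}"
            return 2, f"{key}: {actual} (expected {expected})"
    return 2, f"{' / '.join(candidates)} not found in sshd -T output"
```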