Werk #14827: Re-work agent plugin for monitoring SSH daemon configuration

Component Checks & agents
Title Re-work agent plugin for monitoring SSH daemon configuration
Date Nov 30, 2022
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.2.0i1 2.1.0p18 2.0.0p32
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required

The agent plugin for monitoring the SSH daemon configuration (mk_sshd_config) has been re-worked. The previous version of the plugin used the contents of /etc/ssh/sshd_config to monitor the daemon configuration. This is problematic in multiple ways:

  • Include directives, such as Include /etc/ssh/sshd_config.d/*.conf, are not taken into account, resulting in potentially wrong monitoring results.
  • Match directives are evaluated incorrectly, leading to monitoring results such as "PasswordAuthentication: noyes".
  • Defaults are not taken into account properly. For example, under Ubuntu, the default is that password authentication is enabled if not explicitly configured otherwise.

The re-worked version of the agent plugin reports the effective daemon configuration queried via sshd -T. This evaluates Include directives and takes the daemon defaults into account, but explicitly does not evaluate Match directives. Hence, as an example, even if Checkmk reports that password authentication is off, this does not guarantee that no user can ssh into the system using a password: a Match block may re-enable it for specific users, groups or addresses.

This werk is marked as incompatible for two reasons:

  • The behavioural changes listed above.
  • sshd -T will likely require root permissions to execute successfully (it loads the host keys, which are normally readable by root only). Hence, the new version of the plugin will likely not work on systems where the agent is executed as non-root.

Finally, note that the configuration option ChallengeResponseAuthentication is deprecated and has been replaced with KbdInteractiveAuthentication. If configured to monitor this option, Checkmk now checks for both keys and only alerts if neither of the two is found.
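To make the difference between the two approaches concrete, here is an added example (written for this page, not part of the Checkmk agent plugin) that parses a constructed sshd_config the naive way the old plugin did, parses constructed `sshd -T` output the way the re-worked plugin relies on, and looks up an option while accepting either the deprecated ChallengeResponseAuthentication keyword or its replacement KbdInteractiveAuthentication. The sample configuration and `sshd -T` output are constructed for the example; the helper run_sshd_t() is a hypothetical wrapper that would query a live daemon and needs root.

```python
"""Effective sshd configuration via `sshd -T` versus naive parsing of sshd_config.

Added example for this werk; not code from the Checkmk agent plugin.
"""
import subprocess

# Constructed sample of a raw /etc/ssh/sshd_config with an Include and a Match block.
RAW_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Constructed sample of `sshd -T` output for the same host. sshd -T prints one
# "keyword value" pair per line, keywords in lower case, with Include files and
# daemon defaults resolved. Match blocks are NOT applied unless -C is given.
SSHD_T_OUTPUT = """\
port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin without-password
"""

# Deprecated keyword -> replacement. The plugin accepts either spelling and alerts
# only when neither is present.
DEPRECATED_ALIASES = {
    "challengeresponseauthentication": "kbdinteractiveauthentication",
}


def parse_raw_config_naively(text):
    """Reproduce the old behaviour: read the file line by line and concatenate
    values of repeated keywords, so a keyword set globally and again inside a
    Match block yields e.g. 'noyes'. Include directives are not followed and
    daemon defaults are unknown."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        options[key] = options.get(key, "") + value.strip()
    return options


def parse_sshd_t(text):
    """Parse `sshd -T` output into a dict. Keywords that legitimately repeat
    (several hostkey lines, several port lines) are collected into a list."""
    options = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        value = value.strip()
        if key in options:
            previous = options[key]
            options[key] = (previous if isinstance(previous, list) else [previous]) + [value]
        else:
            options[key] = value
    return options


def effective_option(options, keyword):
    """Look up a keyword, accepting the deprecated name and its replacement
    interchangeably. Returns None only if neither spelling is present."""
    keyword = keyword.lower()
    candidates = [keyword]
    if keyword in DEPRECATED_ALIASES:
        candidates.append(DEPRECATED_ALIASES[keyword])
    candidates += [old for old, new in DEPRECATED_ALIASES.items() if new == keyword]
    for candidate in candidates:
        if candidate in options:
            return options[candidate]
    return None


def run_sshd_t(connection_spec=None):
    """Hypothetical helper: query the live daemon. Requires root, since sshd -T
    loads the host keys. A connection_spec such as
    "user=alice,host=client.example,addr=10.0.0.5" makes sshd evaluate Match
    blocks for that connection; without -C the output reflects the global
    section only, which is what the Checkmk plugin reports."""
    cmd = ["sshd", "-T"]
    if connection_spec:
        cmd += ["-C", connection_spec]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_sshd_t(result.stdout)


if __name__ == "__main__":
    naive = parse_raw_config_naively(RAW_SSHD_CONFIG)
    effective = parse_sshd_t(SSHD_T_OUTPUT)
    print("naive parser:    passwordauthentication =", naive["passwordauthentication"])
    print("sshd -T parser:  passwordauthentication =", effective_option(effective, "passwordauthentication"))
    print("deprecated name: challengeresponseauthentication =",
          effective_option(effective, "challengeresponseauthentication"))
```

The naive parser reports "noyes" for the sample, exactly the symptom listed above, while the `sshd -T` parser reports "no". Note that "no" is still only the global setting: to see what a client matching the Match block would get, you have to run sshd -T with -C for that connection, which the plugin does not do.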
