Werk #14827: mk_sshd_config: Monitor effective SSH daemon configuration

Component Checks & agents
Title mk_sshd_config: Monitor effective SSH daemon configuration
Date Nov 30, 2022
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.0.0p32 2.1.0p18 2.2.0b1
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required

This change only affects you in case you use the agent plugin mk_sshd_config for monitoring the SSH daemon configuration of your Linux systems.

mk_sshd_config has been re-worked. The previous version of the plugin used the contents of /etc/ssh/sshd_config to monitor the daemon configuration. This is problematic in multiple ways:

  • Include directives, such as Include /etc/ssh/sshd_config.d/*.conf, are not taken into account, resulting in potentially wrong monitoring results.
  • Match directives are evaluated incorrectly, leading to monitoring results such as "PasswordAuthentication: noyes".
  • Defaults are not taken into account properly. For example, under Ubuntu, the default is that password authentication is enabled if not explicitly configured differently.

The re-worked version of the agent plugin reports the effective daemon configuration queried via sshd -T. This evaluates Include directives and takes daemon defaults into account, but explicitly does not evaluate Match directives. Hence, as an example, even if Checkmk reports that password authentication is off, this does not guarantee that no user can ssh into the system using a password.

This werk is marked as incompatible for two reasons:

  • The behavioural changes listed above.
  • sshd -T will likely require root permissions to execute successfully. Hence, the new version of the plugin will likely not work on systems where the agent is executed as non-root. In this case, the user under which the agent is running must be granted the necessary permissions (e.g. read access to the private host keys). If this is not an option, mk_sshd_config can unfortunately not be used any longer on such systems.

Finally, note that the configuration option ChallengeResponseAuthentication is deprecated and has been replaced with KbdInteractiveAuthentication. If configured to monitor this option, Checkmk now checks for both keys and only alerts if neither of the two is found.
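As an added example (not the mk_sshd_config plugin's own code), the following shell functions parse the keyword/value lines that sshd -T prints and apply the rule described above for the renamed keyword, reporting "missing" only when neither spelling is present. The sample outputs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the Checkmk plugin: parse "sshd -T"-style output (lowercase keyword,
# then the value) and apply the werk's rule for the renamed keyword. Function names and
# the sample outputs are constructed for illustration.

# Constructed sample of "sshd -T" output from a current OpenSSH.
SAMPLE_SSHD_T='port 22
passwordauthentication no
kbdinteractiveauthentication no
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2'

# Constructed sample from an older OpenSSH that still prints the deprecated keyword.
SAMPLE_OLD_SSHD_T='port 22
passwordauthentication yes
challengeresponseauthentication yes'

# Print the effective value of one keyword; the lookup is case-insensitive because
# sshd -T prints keywords in lowercase. Prints nothing if the keyword is absent.
sshd_effective_value() {
    # $1: keyword, $2: sshd -T output
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$2" | awk -v k="$key" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# ChallengeResponseAuthentication was renamed to KbdInteractiveAuthentication: accept
# either keyword and report "missing" only when neither is present.
kbd_interactive_state() {
    # $1: sshd -T output
    v=$(sshd_effective_value kbdinteractiveauthentication "$1")
    if [ -z "$v" ]; then
        v=$(sshd_effective_value challengeresponseauthentication "$1")
    fi
    if [ -z "$v" ]; then echo missing; else echo "$v"; fi
}

# Compare one keyword against the value monitoring expects; prints OK or CRIT.
sshd_check_expected() {
    # $1: keyword, $2: expected value, $3: sshd -T output
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        kbdinteractiveauthentication|challengeresponseauthentication)
            actual=$(kbd_interactive_state "$3") ;;
        *)
            actual=$(sshd_effective_value "$1" "$3")
            [ -n "$actual" ] || actual=missing ;;
    esac
    if [ "$actual" = "$2" ]; then
        echo "OK - $1: $actual"
    else
        echo "CRIT - $1: $actual (expected $2)"
    fi
}
```

Because sshd -T ignores Match blocks, a value reported here is the global one; OpenSSH's sshd -T -C user=...,host=...,addr=... evaluates the Match blocks for one specific connection, which is what an administrator needs to confirm what a given user would actually get.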
