
I'm getting a warning from rkhunter, even though the sshd and rkhunter options for root login are both set to "no". Running CentOS 7.6.1810 with rkhunter 1.4.6.

Here are grep results which verify that the sshd and rkhunter config settings are both set to "no":

$grep PermitRootLogin /etc/ssh/sshd_config  
PermitRootLogin no
$grep ALLOW_SSH_ROOT_USER /etc/rkhunter.conf    
ALLOW_SSH_ROOT_USER=no

For clarity, note that the protocol options are set as follows:

$grep Protocol /etc/ssh/sshd_config
Protocol 2
$grep ALLOW_SSH_PROT_V1 /etc/rkhunter.conf
ALLOW_SSH_PROT_V1=0

The rkhunter log clearly shows that sshd and rkhunter config are both set to indicate no root login, yet I get a warning about ssh root access:

[13:43:33] Info: Using configuration file '/etc/rkhunter.conf'

[13:48:21] Info: Starting test name 'system_configs_ssh'  
[13:48:21]   Checking for an SSH configuration file          [ Found ]  
[13:48:21] Info: Found an SSH configuration file: /etc/ssh/sshd_config  
[13:48:21] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.  
[13:48:21] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.  
[13:48:21]   Checking if SSH root access is allowed          [ Warning ]  
[13:48:21] Warning: The SSH and rkhunter configuration options should be the same:  
[13:48:21]          SSH configuration option 'PermitRootLogin': no  
[13:48:21]          Rkhunter configuration option   'ALLOW_SSH_ROOT_USER': no  
[13:48:21]   Checking if SSH protocol v1 is allowed          [ Not allowed ]  
[13:48:21]   Checking for other suspicious configuration settings [ None found ]  

Similarly, the email I receive from rkhunter gives me a warning, yet it also confirms that the settings are already the same:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': no
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

----------------------- End Rootkit Hunter Scan -----------------------

Any idea what is causing this rkhunter warning and how to fix it?

r.j.bumble
  • Did you change the `ALLOW_SSH_PROT_V1` option from its default? – Hossein Vatani Aug 08 '19 at 04:38
  • Possible duplicate of [rkhunter warning about ssh root access when that access is not allowed on the system](https://unix.stackexchange.com/questions/194087/rkhunter-warning-about-ssh-root-access-when-that-access-is-not-allowed-on-the-sy) – Bart Aug 08 '19 at 07:24
  • Thanks for the suggestion and formatting @Bart, but I don't believe that this is a duplicate. In my case, the config options in rkhunter and sshd_config are both set to "no" as shown. – r.j.bumble Aug 08 '19 at 14:00
  • @HosseinVatani I have edited the query to show the protocol settings. – r.j.bumble Aug 08 '19 at 14:26
  • Does the config parser care about trailing whitespace (after `no`)? Are both files Unix text files (not DOS text files)? – Kusalananda Aug 08 '19 at 14:56
  • I guessed this is a bug. I suggest reporting it to rkhunter or centos team. – Hossein Vatani Aug 08 '19 at 15:10
  • @Kusalananda you are right. Somehow the sshd_config file has ended up with DOS ^M line endings, which `rkhunter` recognizes as a mismatch. I used `cat -A /etc/ssh/sshd_config` to see the problem. Thanks! – r.j.bumble Aug 09 '19 at 15:39
  • As you're new on this site, please don't edit your question to include `[Solved]` but instead don't forget to click the grey **☑** at the left of [the answer that is the most useful of all](/help/accepted-answer)! **;-)** – Fabby Aug 09 '19 at 21:45

1 Answer


As it turned out, the sshd_config file was a DOS text file. As a consequence of this, the value assigned to the `PermitRootLogin` setting (as parsed by rkhunter) was not `no` but `no\r` (the carriage return from the DOS line ending would have been part of the value for the option).

This in turn meant that the values for `PermitRootLogin` and `ALLOW_SSH_ROOT_USER` compared as different, even though the two strings' representation in the terminal looked the same.

Kusalananda
  • While it remains unclear how the `sshd_config` file ended up with DOS line endings, I made the incorrect assumption that using `vim` on my CentOS 7 server would apply the correct line ending when I edited the `sshd_config` file. But, apparently vim is so "smart" that it preserved the erroneous line endings. Viewing the file with `cat -A /etc/ssh/sshd_config` clearly showed the error. And using `:set fileformat` in `vim` would have also showed the problem in this case. – r.j.bumble Aug 09 '19 at 18:06
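The failure mode from the accepted answer, reproduced as an added example (this is not code from the post, from rkhunter, or from OpenSSH): a constructed `sshd_config` with CRLF line endings is written to a temp file, its `PermitRootLogin` value is extracted with a plain whitespace-splitting awk parse (which, like rkhunter here, keeps the trailing `\r`), the CR is detected the way `cat -A` would reveal it, and the file is repaired in place. The file path, the config contents and the function names are all assumptions made for the demo; the comparison against `no` stands in for rkhunter's `ALLOW_SSH_ROOT_USER` check.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: reproduce, detect and fix the
# CRLF-in-sshd_config mismatch that makes "no" compare unequal to "no\r".
set -u

CR=$(printf '\r')

# Write a constructed sshd_config with DOS (CRLF) line endings to a temp
# file and print its path. The contents are made up for this demo.
make_dos_config() {
    local f
    f=$(mktemp)
    printf 'Protocol 2\r\nPermitRootLogin no\r\nPasswordAuthentication yes\r\n' > "$f"
    printf '%s\n' "$f"
}

# Extract an option's value the way a naive whitespace-splitting parser does.
# awk's default field splitting treats only spaces, tabs and newlines as
# separators, so on a DOS file the second field is "no\r", not "no".
sshd_option() {
    local file=$1 opt=$2
    awk -v opt="$opt" '$1 == opt { print $2; exit }' "$file"
}

# Return 0 if the file contains any carriage-return characters
# (the "^M" that `cat -A` shows as "^M$").
has_crlf() {
    grep -q "$CR" "$1"
}

# Show the bytes of a value with the CR made visible, like `cat -A`/`od -c`.
show_value() {
    printf '%s' "$(sshd_option "$1" "$2")" | od -An -c | tr -s ' ' | sed 's/^ //'
}

# Strip carriage returns in place (same effect as dos2unix). Writing back
# with `cat >` instead of `mv` keeps the original file's mode and owner.
fix_crlf() {
    local tmp
    tmp=$(mktemp)
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Compare sshd's PermitRootLogin with the expected rkhunter value
# (ALLOW_SSH_ROOT_USER). Returns 0 when they match, 1 when they differ.
root_login_matches() {
    local file=$1 rk_value=$2
    [ "$(sshd_option "$file" PermitRootLogin)" = "$rk_value" ]
}

demo() {
    local f
    f=$(make_dos_config)
    has_crlf "$f" && echo "CR characters found in $f"
    echo "PermitRootLogin raw bytes: $(show_value "$f" PermitRootLogin)"
    root_login_matches "$f" no && echo "match" || echo "MISMATCH: 'no' vs 'no\\r'"
    fix_crlf "$f"
    root_login_matches "$f" no && echo "match after stripping CR" || echo "still mismatched"
    rm -f "$f"
}

demo
```

Run on a real host, point `has_crlf` at `/etc/ssh/sshd_config` before touching anything; if it reports CRs, `fix_crlf` (or `dos2unix`) is the repair, and `sshd -t` afterwards confirms sshd still parses the file before you reload it. The same check is worth applying to any other config file rkhunter compares against its own settings, since the terminal rendering hides the difference.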