chore: remove Debian openssh-blacklist logic
All Debian versions supporting this are EOL by now.
This commit is contained in:
parent
6f13149093
commit
52d44ba993
|
@ -365,26 +365,6 @@ sub get_ssh_pub_key_info {
|
||||||
$return{'size'} = $size + 0;
|
$return{'size'} = $size + 0;
|
||||||
$return{'fingerprint'} = $fingerprint;
|
$return{'fingerprint'} = $fingerprint;
|
||||||
$return{'family'} = $family;
|
$return{'family'} = $family;
|
||||||
my @blacklistfiles = qw{ DSA-1024 DSA-2048 RSA-1024 RSA-2048 RSA-4096 };
|
|
||||||
if (grep { "$family-$size" eq $_ } @blacklistfiles) {
|
|
||||||
|
|
||||||
# check for vulnkeys
|
|
||||||
my $blfile = '/usr/share/ssh/blacklist.' . $family . '-' . $size;
|
|
||||||
if (-r $blfile && open(my $fh_blacklist, '<', $blfile)) {
|
|
||||||
my $shortfp = $fingerprint;
|
|
||||||
$shortfp =~ s/://g;
|
|
||||||
$shortfp =~ s/^.{12}//;
|
|
||||||
|
|
||||||
#print "looking for shortfingerprint=$shortfp...\n";
|
|
||||||
local $_ = undef;
|
|
||||||
while (<$fh_blacklist>) {
|
|
||||||
/^\Q$shortfp\E$/ or next;
|
|
||||||
close($fh_blacklist);
|
|
||||||
return R('KO_VULNERABLE_KEY', value => \%return);
|
|
||||||
}
|
|
||||||
close($fh_blacklist);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# check allowed algos and key size
|
# check allowed algos and key size
|
||||||
my $allowedSshAlgorithms = OVH::Bastion::config("allowed${way}SshAlgorithms");
|
my $allowedSshAlgorithms = OVH::Bastion::config("allowed${way}SshAlgorithms");
|
||||||
|
|
|
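Review bot: Dropping the blacklist lookup removes the only producer of `R('KO_VULNERABLE_KEY', value => \%return)` in this hunk, but nothing left in the code records that weak-key detection was removed on purpose; any caller that still maps KO_VULNERABLE_KEY to the "IT IS VULNERABLE" message (the removed functional test expected that string) now carries an unreachable branch unless it is cleaned up in the same change, which cannot be seen from here. A one-line comment above `# check allowed algos and key size`, such as `# NOTE: the Debian openssh-blacklist (vulnkey) lookup was removed; weak-key detection now relies solely on the algorithm/size policy below`, would stop the next reader from looking for the old behaviour. Note also that the commit message argues from the OS being EOL, whereas a key generated with the broken PRNG can still be presented by any client today, so the `allowed${way}SshAlgorithms` policy and its minimum sizes are now the only control against such keys and should be documented as such. get_ssh_pub_key_info starts before and continues after this hunk.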
@ -15,7 +15,7 @@ opt_skip_consistency_check=0
|
||||||
opt_no_pause_on_fail=0
|
opt_no_pause_on_fail=0
|
||||||
opt_log_prefix=
|
opt_log_prefix=
|
||||||
opt_module=
|
opt_module=
|
||||||
declare -A capabilities=( [ed25519]=1 [blacklist]=0 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 )
|
declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 )
|
||||||
|
|
||||||
# set the helptext now to get the proper default values
|
# set the helptext now to get the proper default values
|
||||||
help_text=$(cat <<EOF
|
help_text=$(cat <<EOF
|
||||||
|
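Review bot: Removing `[blacklist]=0` from the `capabilities` array here, and the `--has-blacklist` line from `help_text` in the hunk at `@ -31,7 +31,6 @@`, leaves open whether the option parser that fills `capabilities` from the `--has-*` flags, which lies outside both hunks, still accepts `--has-blacklist`; with `declare -A` an unknown key is silently created, so a stale flag would be accepted without effect or error. If that parser is driven from the keys of `capabilities`, nothing more is needed; otherwise the matching `--has-blacklist` case should be dropped too so that the flag is rejected rather than ignored. The `help_text=$(cat <<EOF` heredoc opened at the end of this hunk continues past it.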
@ -31,7 +31,6 @@ Remote OS directory locations:
|
||||||
|
|
||||||
Specifying features support of the underlying OS of the tested bastion:
|
Specifying features support of the underlying OS of the tested bastion:
|
||||||
--has-ed25519=[0|1] Ed25519 keys are supported (default: ${capabilities[ed25519]})
|
--has-ed25519=[0|1] Ed25519 keys are supported (default: ${capabilities[ed25519]})
|
||||||
--has-blacklist=[0|1] Detection of bad SSH keys generated during the Debian OpenSSL debacle of 2006 is supported (default: ${capabilities[blacklist]})
|
|
||||||
--has-mfa=[0|1] PAM is usable to check passwords and TOTP (default: ${capabilities[mfa]})
|
--has-mfa=[0|1] PAM is usable to check passwords and TOTP (default: ${capabilities[mfa]})
|
||||||
--has-mfa-password=[0|1] PAM is usable to check passwords (default: ${capabilities[mfa-password]})
|
--has-mfa-password=[0|1] PAM is usable to check passwords (default: ${capabilities[mfa-password]})
|
||||||
--has-pamtester=[0|1] The \`pamtester\` binary is available, and PAM is usable (default: ${capabilities[pamtester]})
|
--has-pamtester=[0|1] The \`pamtester\` binary is available, and PAM is usable (default: ${capabilities[pamtester]})
|
||||||
|
|
|
@ -503,18 +503,6 @@ EOS
|
||||||
.value.key.prefix ""
|
.value.key.prefix ""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${capabilities[blacklist]}" = 1 ] ; then
|
|
||||||
script rsa1024fucked $a1 -osh selfAddIngressKey "<<< \"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA90Td1GTx+tYMbsti93lyiyKYelBgaXRrnweoYJXjUFNU93jZ+RmBR8yp5J6mx7jz9ECaMS7Dn49fNQi5uG75+m+DTUgq3bfNv8cygoVC4g3NhzA3e+uA22D+iI53j3Gm9YxaJVOypGXGkOoWnmXZy7FQ4aSBFvgqa81xfnoa+4M= compromised@rsa1024\""
|
|
||||||
retvalshouldbe 100
|
|
||||||
contain "IT IS VULNERABLE"
|
|
||||||
json .command selfAddIngressKey .error_code KO_VULNERABLE_KEY
|
|
||||||
|
|
||||||
script rsa2048fucked $a1 -osh selfAddIngressKey "<<< \"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxP84hsnxNGSGczfSZTYwb7YCu7yFEyYq5r5qS0dKc6EVQkqdYCn5FrFj8d0+Qn9vglQyCMk+Aa9VLlmKV8/e43FqIq7oh4RDe3YhKKvQ28gLGB/nh2oBLDCB/AYMOjjkCsGU344mrcKQDZlPQsk7lJsied1YphOzHFD7MZVdWd0oUpKFdZSuGbpLRWR+bq29fx7JSiT2tw3G3+EQSW9bdqvzKgwQOAg94FFUTjiK/nVDXAowKMP3+R3cV/CxccA9q5glGw6Xh+K54oZRQ9frzEGmxOlDhMhthQCSRrAvwQQn9kBmcX8qiugHJGS91R5lWv+HU2ndyCQ6xTxRtYvMOw== compromised@rsa2048\""
|
|
||||||
retvalshouldbe 100
|
|
||||||
contain "IT IS VULNERABLE"
|
|
||||||
json .command selfAddIngressKey .error_code KO_VULNERABLE_KEY
|
|
||||||
fi
|
|
||||||
|
|
||||||
run user1key2beforeadd $a1k2 -osh info
|
run user1key2beforeadd $a1k2 -osh info
|
||||||
retvalshouldbe 255
|
retvalshouldbe 255
|
||||||
contain "Permission denied"
|
contain "Permission denied"
|
||||||
|
|