rkhunter interprets mixed-case directive incorrectly in configuration file(s)

Bug #1548432 reported by Ben Johnson
This bug affects 1 person
Affects: rkhunter (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Codename: trusty

# apt-cache policy rkhunter
rkhunter:
  Installed: 1.4.0-3
  Candidate: 1.4.0-3
  Version table:
 *** 1.4.0-3 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status

rkhunter seems to be misinterpreting the case of the ALLOW_SSH_ROOT_USER directive in the effective configuration file. (I don't know whether the same problem applies to other directives.)

Given a stock rkhunter installation, I created the file /etc/rkhunter.conf.local and added to it the following line (among a few others, though I doubt the other lines are relevant):

ALLOW_SSH_ROOT_USER=PermitRootLogin

Yet, when I execute "rkhunter --check", I receive the following warning:

[12:21:34] Checking if SSH root access is allowed [ Warning ]
[12:21:34] Warning: The SSH and rkhunter configuration options should be the same:
[12:21:34] SSH configuration option 'PermitRootLogin': yes
[12:21:34] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': permitrootlogin

Clearly, rkhunter is casting the string in its own configuration file, "PermitRootLogin", to all-lowercase, yielding "permitrootlogin", thus triggering this erroneous warning.

Ben Johnson (a03-6eo-chg) wrote :

I forgot to mention the most annoying aspect of the bug, which is that there is no workaround.

If I change rkhunter's configuration file to use "permitrootlogin" (all lower-case), somewhat unsurprisingly, the problem still occurs.

[09:34:26] Info: Found SSH /etc/ssh/sshd_config configuration file:
[09:34:26] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'permitrootlogin'.
[09:34:26] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[09:34:26] Checking if SSH root access is allowed [ Warning ]
[09:34:26] Warning: The SSH and rkhunter configuration options should be the same:
[09:34:26] SSH configuration option 'PermitRootLogin': yes
[09:34:26] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': permitrootlogin

But, surely, if we change the directive in the SSH configuration file, and even restart the SSH daemon, the problem will be solved! Nope, wrong.

[09:39:11] Info: Found SSH /etc/ssh/sshd_config configuration file:
[09:39:11] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'permitrootlogin'.
[09:39:11] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[09:39:11] Checking if SSH root access is allowed [ Warning ]
[09:39:11] Warning: The SSH and rkhunter configuration options should be the same:
[09:39:11] SSH configuration option 'PermitRootLogin': yes # <--- This is wrong! The sshd_config file contains "permitrootlogin"!
[09:39:11] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': permitrootlogin

So, we're stuck with a warning on every run, with no means by which to suppress it effectively. This renders the tool useless.

François Marier (fmarier) wrote :

I filed the bug on the upstream bug tracker: https://sourceforge.net/p/rkhunter/bugs/149/

Ben Johnson (a03-6eo-chg) wrote :

Thank you, François, I really appreciate it!

John Horne with the rkhunter project replied, and his suggestion does indeed solve the problem for me, so we can go ahead and close this.

For some reason, I thought that rkhunter's ALLOW_SSH_ROOT_USER directive wanted "PermitRootLogin", instead of PermitRootLogin's *value* in /etc/ssh/sshd_config! This was operator error on my part.

Rather, rkhunter's ALLOW_SSH_ROOT_USER directive wants the same *value* that is assigned to PermitRootLogin in /etc/ssh/sshd_config.

Changing rkhunter's config to ALLOW_SSH_ROOT_USER=yes fixes the issue. My bad!

Nothing to see here, folks!

Changed in rkhunter (Ubuntu):
status: New → Invalid
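
The resolution above, as an added example that is not part of the original report and is not rkhunter's own code: a shell check that ALLOW_SSH_ROOT_USER holds the same value as PermitRootLogin in sshd_config. The function names, the constructed sample files and the "later rkhunter setting wins" rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not rkhunter's code. Compares rkhunter's ALLOW_SSH_ROOT_USER
# with the PermitRootLogin *value* in sshd_config, both lowercased.

# Global PermitRootLogin value: first uncommented occurrence before any Match
# block (sshd keywords are case-insensitive; the first value obtained is used).
sshd_root_login() {
    awk '{ sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/); k = tolower(f[1]) }
         k == "match" { exit }
         k == "permitrootlogin" && n >= 2 { print tolower(f[2]); exit }' "$1"
}

# ALLOW_SSH_ROOT_USER from the rkhunter config files, given in read order.
# Assumption: a later setting (e.g. in rkhunter.conf.local) overrides an earlier one.
rkhunter_root_login() {
    cat "$@" 2>/dev/null | awk -F= '
        /^[ \t]*ALLOW_SSH_ROOT_USER[ \t]*=/ { v = $2; gsub(/[ \t"]/, "", v); last = tolower(v) }
        END { if (last != "") print last }'
}

# Usage: check_root_login SSHD_CONFIG RKHUNTER_CONF...
# Returns 0 on match, 1 on mismatch, 2 if sshd_config sets no global value.
check_root_login() {
    sshd_cfg=$1; shift
    ssh_val=$(sshd_root_login "$sshd_cfg")
    rkh_val=$(rkhunter_root_login "$@")
    if [ -z "$ssh_val" ]; then
        echo "PermitRootLogin not set in $sshd_cfg; sshd's built-in default applies"
        return 2
    fi
    if [ "$ssh_val" = "$rkh_val" ]; then
        echo "OK: both are '$ssh_val'"
        return 0
    fi
    echo "MISMATCH: PermitRootLogin=$ssh_val, ALLOW_SSH_ROOT_USER=${rkh_val:-<unset>}"
    return 1
}

# Constructed sample files reproducing the report, then the corrected setting.
demo() {
    d=$(mktemp -d)
    printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$d/sshd_config"
    printf 'ALLOW_SSH_ROOT_USER=PermitRootLogin\n' > "$d/bad.local"
    printf 'ALLOW_SSH_ROOT_USER=yes\n' > "$d/good.local"
    check_root_login "$d/sshd_config" "$d/bad.local" || true
    check_root_login "$d/sshd_config" "$d/good.local"
    rm -rf "$d"
}
demo
```

On a real host the call would be `check_root_login /etc/ssh/sshd_config /etc/rkhunter.conf /etc/rkhunter.conf.local`; values set inside Match blocks are deliberately ignored.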