This file is indexed.

/usr/lib/tiger/scripts/check_ssh is in tiger 1:3.2.3-12.1.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 2003 Ryan Bradetich
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_ssh - Checks for configuration directives in the SSH configuration
#             file.
#
# 01/07/2004 - rbrad - Applied Savannah Patch: 2439 to make POSIX compliant.
# 11/19/2003 - jfs - This script is not POSIX compliant (yet)
# 09/19/2003 - jfs - Applied patch from Ryan Braderitch fixing typoes (sp?)
# 09/03/2003 - jfs - Removed PermitRootLogin since that's checked by check_root
#             (and belongs there, IMHO) also added failsafe checks for 
#             SSHD_CONFIG which might not be configured in some systems
# 06/30/2003 - rbradetich@uswest.net - first release
#
# TODO:
#   - Add additional directives that can be checked.
#   - Figure out a clever method for integrating the default checks with the
#     normal checks.
#   - Currently suited for OpenSSH needs to be tested with other SSH daemons
#-----------------------------------------------------------------------------
#
TigerInstallDir="/usr/lib/tiger"

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done

#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. $basedir/config

. $BASEDIR/initdefs

#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallfiles BASEDIR || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------

echo
echo "# Checking sshd_config configuration files..."

haveallfiles BASEDIR || exit 1

#
# Parse the Protocol line and verify only allowed protocols are specified.
# Return 0 if the protocol is not in the approved protocol list, otherwise
# return 1.
#
parse_Protocol()
{
	line=$1

	[ -z "$Tiger_SSH_Protocol" ] && return 1
	while [ -n "$line" ]
	do
		proto=${line%%,*}
		line=${line##${proto}}
		line=${line##,}

		eval "case \"$proto\" in
			$Tiger_SSH_Protocol)
				;;
			*)
				return 0
				;;
		esac"
	done
	return 1
}

#
# Generic parsing routine for SSH Daemon directivies. 
# Return 0 if the value is not in the approved list, otherwise
# return 1.
#
parse_directive()
{
	value=$1
	list=$2

	[ -z "$list" ] && return 1
	eval "case \"$value\" in
		$list)
			return 1
			;;
		*)
			return 0
			;;
	esac"
}

#
# Parse the specified sshd_config file.
#
parse_sshd_config_file()
{
	# Declare some variables to see if specified attributes are specified
	# or if we need to check the defaults.
	found_Protocol=0
	found_RhostsAuthentication=0
	found_PasswordAuthentication=0

	while read line
	do
		line=${line%%\#*}
		key=${line%% *}
		line=${line##${key}}

		case "$key" in
			Protocol)
				found_Protocol=1
				parse_Protocol $line $1 && {
					message WARN ssh001w "" "Protocol $proto is enabled in $file"
				}	
				;;
				
			RhostsAuthentication)
				found_RhostsAuthentication=1
				parse_directive $line $Tiger_SSH_RhostsAuthentication && {
					message WARN ssh003w "" "The RhostsAuthentication directive in $1 is set to the unapproved value: $line."
				}
				;;

			PasswordAuthentication)
				found_PasswordAuthentication=1
				parse_directive $line $Tiger_SSH_PasswordAuthentication && {
					message WARN ssh004w "" "The PasswordAuthentication directive in $1 is set to the unapproved value: $line."
				}
				;;
		esac
	done < $1

	# Check the default values if the entry was not specified.
	[ $found_Protocol = 0 ] && parse_Protocol "2,1" && {
		message WARN ssh001w "" "Protocol $proto is enabled in $file"
	}
	[ $found_RhostsAuthentication = 0 ] && parse_directive "no" $Tiger_SSH_RhostsAuthentication && {
		message WARN ssh003w "" "The RhostsAuthentication directive in $1 is set to the unapproved default value: no."
	}
	[ $found_PasswordAuthentication = 0 ] && parse_directive "yes" $Tiger_SSH_PasswordAuthentication && {
		message WARN ssh004w "" "The PasswordAuthentication directive in $1 is set to the unapproved defult value: yes."
	}
}

# If SSHD_CONFIG is not defined we use some sane values
[ -z "$SSHD_CONFIG" ] && {
if [ -f /usr/local/etc/sshd_config ]; then
  SSHD_CONFIG=/usr/local/etc/sshd_config
elif [ -f /etc/sshd_config ]; then
  SSHD_CONFIG=/etc/sshd_config
elif [ -f /etc/ssh2/sshd2_config ]; then
  SSHD_CONFIG=/etc/ssh2/sshd2_config
elif [ -f /etc/ssh/sshd_config ]; then
  SSHD_CONFIG=/etc/ssh/sshd_config
fi
}

# Main loop, check all the specified sshd_config files.
if [ -n "$SSHD_CONFIG" ] 
then
	for file in $SSHD_CONFIG
	do
		[ -r "$file" ] && parse_sshd_config_file $file
	done
else
	message FAIL ssh005w "" "Cannot find a configuration file for SSH."
fi

exit 0