-
Notifications
You must be signed in to change notification settings - Fork 1
/
Test_for_exposed_SSH_keys_xml.xml
97 lines (77 loc) · 3.58 KB
/
Test_for_exposed_SSH_keys_xml.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
<joblist>
<job>
<defaultTab>nodes</defaultTab>
<description>Tests whether a host includes any of the exposed SSH keys in the `authorized_keys*` files. </description>
<dispatch>
<excludePrecedence>true</excludePrecedence>
<keepgoing>true</keepgoing>
<rankOrder>ascending</rankOrder>
<successOnEmptyNodeFilter>false</successOnEmptyNodeFilter>
<threadcount>1</threadcount>
</dispatch>
<executionEnabled>true</executionEnabled>
<id>db8d2891-bc59-4389-a8f5-b01e9a10e3b3</id>
<loglevel>INFO</loglevel>
<name>Test for exposed SSH keys</name>
<nodeFilterEditable>false</nodeFilterEditable>
<nodefilters>
<filter>.*</filter>
</nodefilters>
<nodesSelectedByDefault>true</nodesSelectedByDefault>
<plugins />
<scheduleEnabled>true</scheduleEnabled>
<sequence keepgoing='false' strategy='node-first'>
<command>
<description>Test authorized_keys files for bad keys</description>
<script><![CDATA[#!/bin/bash
# Sorry I assume you have bash, because otherwise this is a lot harder.
# set -eux
set -eu
# 2048 SHA256:h7njOUArdygRFZN8R8JRysZ5Vje57TDoszOFqW+mEtY rundeck@435cc7c0ec97 (RSA)
# 2048 SHA256:HyLeewdJH/1WAAQKixUs613XsRXbFQd6nxU6ikdmcn0 rundeck@a9408cab34cf (RSA)
# 2048 SHA256:fm4RAHs48DTFFwBTgL95wdGMeZcp7fIF5WjN015/3CA rundeck@d39a9897de35 (RSA)
# 2048 SHA256:kVLnHhPWC2vgTvOcPx+DhRL0mkhpIJloKmKQuLAOBfA rundeck@553322682a1d (RSA)
# 2048 SHA256:9NEpWJV6CD3gVnxu+SGx8kt+YO/jLi1ri6EtdRDQnMU rundeck@7ff0495cadf8 (RSA)
# 2048 SHA256:mQT8HYdan/qSNallrKhBOC6B2SJZ8NESAPR7t27rBkA rundeck@0a88c2cee02f (RSA)
# 2048 SHA256:tt14aHFVv7BKc4FABzPBrKEDYeTh9IftfrBolZ1PtrI rundeck@6ce6a554d02b (RSA)
# 3072 SHA256:096YEqlFSQn9ppaVGg5sfpt6R2Nn+eJi5k1Pb3QiIF4 rundeck@buildkitsandbox (RSA)
declare -a bad_keys
bad_keys=(SHA256:h7njOUArdygRFZN8R8JRysZ5Vje57TDoszOFqW+mEtY SHA256:HyLeewdJH/1WAAQKixUs613XsRXbFQd6nxU6ikdmcn0 SHA256:fm4RAHs48DTFFwBTgL95wdGMeZcp7fIF5WjN015/3CA SHA256:kVLnHhPWC2vgTvOcPx+DhRL0mkhpIJloKmKQuLAOBfA SHA256:9NEpWJV6CD3gVnxu+SGx8kt+YO/jLi1ri6EtdRDQnMU SHA256:mQT8HYdan/qSNallrKhBOC6B2SJZ8NESAPR7t27rBkA SHA256:tt14aHFVv7BKc4FABzPBrKEDYeTh9IftfrBolZ1PtrI SHA256:096YEqlFSQn9ppaVGg5sfpt6R2Nn+eJi5k1Pb3QiIF4)
OLDIFS="$IFS"
IFS="
"
root="/"
found=()
# If we can renice ourselves, great, no worries if not.
renice 10 $$ || true
for authorized_key_file in $(find "$root" -iname 'authorized_keys*' -ipath '*/.ssh/*' -type f -not -empty 2>/dev/null); do
echo "Looking at keyfile: $authorized_key_file"
echo
# list all the keys in the file, and process them a line at a time
# ssh-keygen -l -f "$authorized_key_file" \
for authorized_key_line in $(grep --extended-regexp '^ssh-' "$authorized_key_file"); do
authorized_key="$(ssh-keygen -l -f <(echo "$authorized_key_line"))"
# compare each authorized_key's allowed key against all the bad
# ones
for badkey in "${bad_keys[@]}"; do
if echo "$authorized_key" | grep --fixed-strings --quiet "$badkey"; then
echo "$authorized_key_file contains a bad key of:"
echo " $authorized_key_line"
echo
found+=("$authorized_key_file")
fi
done
done
done
IFS="$OLDIFS"
echo "Result: Found ${#found[@]} files with bad keys"
if [ ${#found[@]} -gt 0 ] ; then
echo "Files: ${found[@]}"
fi
exit ${#found[@]}]]></script>
<scriptargs />
</command>
</sequence>
<uuid>db8d2891-bc59-4389-a8f5-b01e9a10e3b3</uuid>
</job>
</joblist>