[01:57] *** hulk joined
[01:58] *** kylese left
[02:15] *** hulk left
[02:15] *** kylese joined
[03:17] *** topnep left
[03:18] *** topnep joined
[03:55] *** lichtkind_ joined
[03:58] *** lichtkind left
[04:46] *** hurufu joined
[04:54] *** silug7 joined
[04:54] *** silug left
[04:54] *** silug7 is now known as silug

[05:00] *** Inline left
[06:22] *** belluzj joined
[06:38] *** Inline joined
[08:15] *** Manifest0 joined
[08:29] *** Guest73 joined
[08:52] *** Guest73 left
[09:12] *** belluzj left
[09:35] *** topnep left
[09:37] *** topnep joined
[09:38] *** annamalai left
[09:39] *** annamalai joined
[09:43] *** belluzj joined
[09:58] *** annamalai left
[09:58] *** annamalai joined
[10:04] *** annamalai left
[10:05] *** annamalai joined
[10:08] *** ShimmerFairy left
[10:08] *** ShimmerFairy joined
[10:12] *** Sgeo left
[12:12] <disbot4> <melezhik.> If someone wants to try out the compliance check for sshd server configuration - https://sparrowhub.io/plugin/scc/0.000005

[12:12] <disbot4> <melezhik.> I’d be interested in how it works on others’ configurations

[12:13] <disbot4> <melezhik.> There is also a redis compliance check

[12:14] <disbot4> <melezhik.> This will require the latest version of Sparrow from GitHub

[12:56] *** belluzj left
[13:10] <Voldenet> > 15:10:00 :: [repository] - install plugin scc\n unknown plugin scc

[13:11] <Voldenet> using Sparrow6:ver<0.0.91>:auth<zef:sp1983>

[13:14] <Voldenet> `s6 --index-update` creates ~/repo which is a bit weird, maybe .s6-repo would be better or something similar

[13:19] *** hurufu left
[13:21] <Voldenet> in debug I get `[debug::repository index file does not exist] >>> /home/$USER/sparrow6/index` (with $USER being variable) so I'm betting it's necessary to somehow fetch the index, but https://github.com/melezhik/Sparrow6/blob/master/documentation/s6.md doesn't mention how

[13:22] <Voldenet> or what install command does and how to set default repository, if that's needed

[13:38] <disbot4> <melezhik.> I guess you need to export SP6_REPO=http://sparrowhub.io/repo

[13:38] <disbot4> <melezhik.> Then s6 --index-update

[13:42] <disbot4> <melezhik.> Remote repository is described here - https://github.com/melezhik/Sparrow6/blob/master/documentation/repository.md

[13:42] <disbot4> <melezhik.> Maybe I need to copy some info from here to s6 doc as well

[13:44] <disbot4> <melezhik.> By default, if SP6_REPO is not set, s6 creates an EMPTY local repo in ~/repo which apparently does not contain any plugins

[13:45] <disbot4> <melezhik.> So users need to set up a remote repo via SP6_REPO

[13:46] <disbot4> <melezhik.> I will probably need to make it more clear in the docs as well

[13:53] <disbot4> <melezhik.> Voldenet: if you want to play with the scc plugin you need to install Sparrow from https://github.com/melezhik/Sparrow6.git or upgrade it from Raku.land when 0.0.92 shows up there

[13:54] <disbot4> <melezhik.> Pushed few minutes ago

[14:05] <disbot4> <melezhik.> As the plugin requires the latest Sparrow version

[14:13] *** finanalyst joined
[15:11] <Voldenet> in 0.9.2 and with `SP6_REPO=http://sparrowhub.io/repo s6 --debug --index-update` things work like expected

[15:12] <Voldenet> a useful thing about the sshd plugin would be if it actually had the option to only display failed checks

[15:14] <Voldenet> also, there are things I'm not sure should match or not: >Match address 10.21.37.0/24\n   PasswordAuthentication yes

[15:14] <Voldenet> (it's basically password auth for one specific wg network)

[15:16] <Voldenet> Also, `sshd -T` doesn't show `Protocol` line anymore, there's no way to use ssh 1

[15:17] <Voldenet> no `LoginGraceTime` means 2 minutes, which is acceptable

[15:19] <disbot4> <melezhik.> Yeah, sshd is still WIP, any input is appreciated so we can work on a reasonable set of rules

[15:19] <Voldenet> and if you have AllowGroups, you don't really need AllowUsers, DenyGroups etc.

[15:20] <Voldenet> best practice is to have AllowGroups or AllowUsers

[15:20] <Voldenet> (whitelist)

[15:20] <disbot4> <melezhik.> As for output - https://github.com/melezhik/Sparrow6/issues/13

[15:20] <Voldenet> in case of match, it's difficult to actually test configuration in specific context though

[15:21] <Voldenet> Because you need something like `sshd -T -C addr=10.21.37.53` to get config for specific context

[15:21] <Voldenet> idk if Match blocks can be processed in any sane way

[15:22] <disbot4> <melezhik.> Btw, all Match blocks which come at the end of the configuration file are ignored now

[15:22] <Voldenet> I'm using `OpenSSH_10.0p2 Debian-7+deb13u2, OpenSSL 3.5.5 27 Jan 2026` and it is not ignored

[15:23] <Voldenet> ah, you mean by the check

[15:23] <Voldenet> that makes sense

[15:23] <disbot4> <melezhik.> How do you know? Can you please gist the report?

[15:23] <disbot4> <melezhik.> Yeah

[15:23] <disbot4> <melezhik.> Check itself

[15:24] <Voldenet> `sshd -T | grep passwordauth` outputs: `passwordauthentication no` but `sshd -T -C addr=10.21.37.53 | grep passwordauth` outputs `passwordauthentication yes`

[15:25] <Voldenet> I'm actively using it - if I don't have wg connection, I have to set up sshd key, if I do have wg connection, I can use the password

[15:26] *** annamalai left
[15:27] <Voldenet> and my config is slightly above: `Match address 10.21.37.0/24\n   PasswordAuthentication yes` - it's as short as it gets

[15:27] <disbot4> <melezhik.> Yeah

[15:28] <Voldenet> it'd be quite difficult to validate it in any sane way, the tool would have to get wg config and know somehow that this network is wg network…

[15:28] <Voldenet> it's doable, but not trivial

[15:29] <disbot4> <melezhik.> Hrm so Match address goes at the beginning of sshd config?

[15:29] *** finanalyst left
[15:29] <Voldenet> Nope, at the end

[15:29] <disbot4> <melezhik.> Ok, it should )

[15:31] <disbot4> <melezhik.> Ok, AllowGroups and AllowUsers - just asked DeepSeek - https://chat.deepseek.com/share/s78vvpistpxm4ixoze , will test it and include into the next version

[15:32] <disbot4> <melezhik.> Btw you can check yourself by copying the diff and applying it …

[15:33] <disbot4> <melezhik.> The file should be at the ~/sparrow6/plugins/scc/checks/sshd.check

[15:49] <Voldenet> the patch doesn't cleanly apply, but I get `assert: 1 at least one of AllowUsers or AllowGroups is set` (it's only printed)

[15:53] <disbot4> <melezhik.> Ok.

[15:53] <Voldenet> I wonder if DenyUsers or DenyGroups is of any use for hardening

[15:53] <Voldenet> you then may end up with some user not being denied

[15:54] <Voldenet> I strongly prefer my solution of having the group of users that can login via ssh

[15:57] <Voldenet> because editing sshd_config for every user is ridiculous and blacklisting instead of whitelisting is not secure at all

[15:59] *** sibl joined
[16:02] <disbot4> <melezhik.> Yeah I am going to exclude them from mandatory checks

[16:02] <Voldenet> also, kexalgorithms don't include diffie-hellman

[16:02] <Voldenet> >kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

[16:03] *** sibl left
[16:03] <Voldenet> these I use right now

[16:04] <Voldenet> nist curves are probably not the best, but I remember having compatibility issues in some ssh library

[16:07] <Voldenet> so overall improvements, (1) `AllowGroups` should be required, `AllowUsers` accepted, `Deny*` ignored, (2) `Protocol` is not supported and printed by sshd -T (3) `KexAlgorithms` should be cleaned up to accept "modern" list

[16:10] <Voldenet> maybe (4) Port 22 is not really that secure, setting it to something else reduces the number of login attempts

[16:10] <Voldenet> overall though, it's a good tool already

[16:11] <disbot4> <melezhik.> Actually deny groups/users are already optional

[16:11] *** annamalai joined
[16:12] <disbot4> <melezhik.> Please pick up the version addressing the last issue from here - https://chat.deepseek.com/share/k1x3yk0e2dki7yanvz

[16:22] <disbot4> <melezhik.> Which items do you think we need to check are in the kexalgorithms list?

[16:24] *** belluzj joined
[16:25] <disbot4> <melezhik.> Oh. Deny Users/Groups are not optional, need to fix it …

[16:29] <disbot4> <melezhik.> DenyUsers/DenyGroups are optional - fixed in this version - https://chat.deepseek.com/share/i6cxyup7twezttngf2

[16:31] <disbot4> <melezhik.> What I really like about the Sparrow task check DSL is that it sets a certain structure on LLM-generated code, so it’s quite easy to review changes made by it

[16:33] <disbot4> <melezhik.> It’s kind of a safeguard against LLM hallucinations, as they are much easier to spot and the LLM is always constrained by the framework itself

[16:34] <disbot4> <melezhik.> Also anyone could branch off a new version from the LLM conversation and propose a patch by just saying a few words

[17:08] <Voldenet> that last version is almost ok, but

[17:08] <Voldenet> `logingracetime 60` this is fine, it's seconds by default

[17:11] <Voldenet> `<Protocol not found> False` (yes, it's v2 by default and you can't change it anymore) `<LoginGraceTime not found> False` (wrong regex, no unit is fine)

[17:12] <Voldenet> and the kex is not something I know how to check, but my recommendation would be to have a list of known good algorithms and known bad algorithms

[17:12] <Voldenet> then, print out all unknown algorithms – new ones could get introduced

[17:13] <Voldenet> ask LLM to generate both lists, I can't name every algorithm there is

[17:26] <disbot4> <melezhik.> Please try this version - https://chat.deepseek.com/share/5ch11ik23489q3rv5s , it addresses the things you have just mentioned

[17:31] *** _huggable joined
[17:32] *** sibl joined
[17:36] *** sibl left
[17:48] <disbot4> <librasteve> hi! is pod allowed before unit declaration line?

[17:51] <disbot4> <librasteve> guess so

[17:53] <disbot4> <librasteve> @melezhik. definite ++ on your DSL+LLM thoughts

[18:00] *** _huggable left
[18:03] *** _huggable joined
[18:06] <Voldenet> melezhik.: The only failure I get now is `<Protocol not found> False` but other things seem to work

[18:07] <disbot4> <melezhik.> Great 👍 thanks for trying it out, will figure out protocol in a bit

[18:07] <disbot4> <melezhik.> @librasteve thanks 🙏

[18:07] <Voldenet> glad to help

[18:09] *** _huggable left
[18:10] <disbot4> <melezhik.> I have more checks coming - bind/dns, redis, GitLab runner, forgejo, sudoers, sysctl, PostgreSQL, MariaDB, systemd unit, logrotate, mongodb

[18:10] <disbot4> <melezhik.> Let me know if any of these you are interested in trying out

[18:11] <Voldenet> out of those I can test bind, sysctl and sudoers - other things I have been only running but never configured anything

[18:13] <disbot4> <melezhik.> Cool. Will let you know

[18:22] *** belluzj left
[18:42] *** Sgeo joined
[20:08] *** apogee_ntv left
[20:18] *** apogee_ntv joined
[22:06] *** ShimmerFairy left
[22:07] *** ShimmerFairy joined
[23:44] *** Manifest0 left
[23:56] *** tejr left
