01:57 hulk joined 01:58 kylese left 02:15 hulk left, kylese joined 03:17 topnep left 03:18 topnep joined 03:55 lichtkind_ joined 03:58 lichtkind left 04:46 hurufu joined 04:54 silug7 joined, silug left, silug7 is now known as silug 05:00 Inline left 06:22 belluzj joined 06:38 Inline joined 08:15 Manifest0 joined 08:29 Guest73 joined 08:52 Guest73 left 09:12 belluzj left 09:35 topnep left 09:37 topnep joined 09:38 annamalai left 09:39 annamalai joined 09:43 belluzj joined 09:58 annamalai left, annamalai joined 10:04 annamalai left 10:05 annamalai joined 10:08 ShimmerFairy left, ShimmerFairy joined 10:12 Sgeo left
disbot4 <melezhik.> If someone wants to try out compliance check for sshd server configuration - sparrowhub.io/plugin/scc/0.000005 12:12
<melezhik.> I’d be interested in how it works on others' configurations
<melezhik.> There is also redis compliance check 12:13
<melezhik.> This will require latest version of Sparrow from GitHub 12:14
12:56 belluzj left
Voldenet > 15:10:00 :: [repository] - install plugin scc\n unknown plugin scc 13:10
using Sparrow6:ver<0.0.91>:auth<zef:sp1983> 13:11
`s6 --index-update` creates ~/repo which is a bit weird, maybe .s6-repo would be better or something similar 13:14
13:19 hurufu left
Voldenet in debug I get `[debug::repository index file does not exist] >>> /home/$USER/sparrow6/index` (with $USER being variable) so I'm betting it's necessary to somehow fetch the index, but github.com/melezhik/Sparrow6/blob/...tion/s6.md doesn't mention how 13:21
or what install command does and how to set default repository, if that's needed 13:22
disbot4 <melezhik.> I guess you need to export SP6_REPO=sparrowhub.io/repo 13:38
<melezhik.> Then s6 --index-update
<melezhik.> Remote repository is described here - github.com/melezhik/Sparrow6/blob/...ository.md 13:42
<melezhik.> Maybe I need to copy some info from here to s6 doc as well
<melezhik.> By default, if SP6_REPO is not set, s6 creates an EMPTY local repo in ~/repo which apparently does not contain any plugins 13:44
<melezhik.> So users need to set up a remote repo via SP6_REPO 13:45
<melezhik.> I will probably need to make it more clear in the docs as well 13:46
<melezhik.> Voldenet: if you want to play with the scc plugin you need to install Sparrow from github.com/melezhik/Sparrow6.git or upgrade it from Raku.land when 0.0.92 shows up there 13:53
<melezhik.> Pushed a few minutes ago 13:54
<melezhik.> As the plugin requires the latest Sparrow version 14:05
14:13 finanalyst joined
Voldenet in 0.9.2 and with `SP6_REPO=sparrowhub.io/repo s6 --debug --index-update` things work like expected 15:11
useful thing about sshd plugin would be if it actually had the option to only display failed checks 15:12
also, there are things I'm not sure if should match or not: >Match address 10.21.37.0/24\n PasswordAuthentication yes 15:14
(it's basically password auth for one specific wg network)
Also, `sshd -T` doesn't show `Protocol` line anymore, there's no way to use ssh 1 15:16
no `LoginGraceTime` means 2 minutes, which is acceptable 15:17
disbot4 <melezhik.> Yeah, sshd is still WIP, any input is appreciated, so we can work on a reasonable set of rules 15:19
Voldenet and if you have AllowGroups, you don't really need AllowUsers, DenyGroups etc.
best practice is to have AllowGroups or AllowUsers 15:20
(whitelist)
disbot4 <melezhik.> As for output - github.com/melezhik/Sparrow6/issues/13
Voldenet in case of match, it's difficult to actually test configuration in specific context though
Because you need something like `sshd -T -C addr=10.21.37.53` to get config for specific context 15:21
idk if Match blocks can be processed in any sane way
disbot4 <melezhik.> Btw, all Match blocks which come at the end of the configuration file are ignored now 15:22
Voldenet I'm using `OpenSSH_10.0p2 Debian-7+deb13u2, OpenSSL 3.5.5 27 Jan 2026` and it is not ignored
ah, you mean by the check 15:23
that makes sense
disbot4 <melezhik.> How do you know? Can you please gist the report ?
<melezhik.> Yeah
<melezhik.> Check itself
Voldenet `sshd -T | grep passwordauth` outputs: `passwordauthentication no` but `sshd -T -C addr=10.21.37.53 | grep passwordauth` outputs `passwordauthentication yes` 15:24
I'm actively using it - if I don't have a wg connection, I have to set up an sshd key; if I do have a wg connection, I can use the password 15:25
15:26 annamalai left
Voldenet and my config is slightly above: `Match address 10.21.37.0/24\n PasswordAuthentication yes` - it's as short as it gets 15:27
disbot4 <melezhik.> Yeah
Voldenet it'd be quite difficult to validate it in any sane way, the tool would have to get wg config and know somehow that this network is wg network… 15:28
it's doable, but not trivial
disbot4 <melezhik.> Hrm, so Match address goes at the beginning of sshd config? 15:29
15:29 finanalyst left
Voldenet Nope, at the end 15:29
disbot4 <melezhik.> Ok, it should )
<melezhik.> Ok, allow groups and allow users - just asked DeepSeek - chat.deepseek.com/share/s78vvpistpxm4ixoze , will test it and include it in the next version 15:31
<melezhik.> Btw you can check yourself by copying the diff and applying it … 15:32
<melezhik.> The file should be at the ~/sparrow6/plugins/scc/checks/sshd.check 15:33
Voldenet the patch doesn't cleanly apply, but I get `assert: 1 at least one of AllowUsers or AllowGroups is set` (it's only printed) 15:49
disbot4 <melezhik.> Ok. 15:53
Voldenet I wonder if DenyUsers or DenyGroups is any useful for hardening
you then may end up with some user not being denied
I strongly prefer my solution of having the group of users that can login via ssh 15:54
because editing sshd_config for every user is ridiculous and blacklisting instead of whitelisting is not secure at all 15:57
15:59 sibl joined
disbot4 <melezhik.> Yeah I am going to exclude them from mandatory checks 16:02
Voldenet also, kexalgorithms don't include diffie-hellman
>kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
16:03 sibl left
Voldenet these I use right now 16:03
nist curves are probably not the best, but I remember having compatibility issues in some ssh library 16:04
so overall improvements, (1) `AllowGroups` should be required, `AllowUsers` accepted, `Deny*` ignored, (2) `Protocol` is not supported and printed by sshd -T (3) `KexAlgorithms` should be cleaned up to accept "modern" list 16:07
maybe (4) Port 22 is not really that secure, setting it to something else reduces number of login attempts 16:10
though overall though it's a good tool already
disbot4 <melezhik.> Actually deny groups/users are already optional 16:11
16:11 annamalai joined
disbot4 <melezhik.> Please pick up the version addressing the last issue from here - chat.deepseek.com/share/k1x3yk0e2dki7yanvz 16:12
<melezhik.> Which items do you think we need to check are in the kexalgorithms list? 16:22
16:24 belluzj joined
disbot4 <melezhik.> Oh. Deny Users/Groups are not optional, need to fix it … 16:25
<melezhik.> DenyUsers/DenyGroups are optional - fixed in this version - chat.deepseek.com/share/i6cxyup7twezttngf2 16:29
<melezhik.> What I really like about the Sparrow task check DSL is that it sets a certain structure for LLM-generated code, so it’s quite easy to review changes made by it 16:31
<melezhik.> It’s a kind of safeguard from LLM hallucinations, as they are much easier to spot and the LLM is always constrained by the framework itself 16:33
<melezhik.> Also anyone could branch off a new version of the LLM conversation and propose a patch by just saying a few words 16:34
Voldenet that last version is almost ok, but 17:08
`logingracetime 60` this is fine, it's seconds by default
`<Protocol not found> False` (yes, it's v2 by default and you can't change it anymore) `<LoginGraceTime not found> False` (wrong regex, no unit is fine) 17:11
and the kex is not something I know how to check, but my recommendation would be to have a list of known good algorithms and known bad algorithms 17:12
then, print out all unknown algorithms - new ones could get introduced
ask LLM to generate both lists, I can't name every algorithm there is 17:13
disbot4 <melezhik.> Please try this version - chat.deepseek.com/share/5ch11ik23489q3rv5s , it addresses the things you have just mentioned 17:26
17:31 _huggable joined 17:32 sibl joined 17:36 sibl left
disbot4 <librasteve> hi! is pod allowed before unit declaration line? 17:48
<librasteve> guess so 17:51
<librasteve> @melezhik. definite ++ on your DSL+LLM thoughts 17:53
18:00 _huggable left 18:03 _huggable joined
Voldenet melezhik.: The only failure I get now is `<Protocol not found> False` but other things seem to work 18:06
disbot4 <melezhik.> Great 👍 thanks for trying it out, will figure out protocol in a bit 18:07
<melezhik.> @librasteve thanks 🙏
Voldenet glad to help
18:09 _huggable left
disbot4 <melezhik.> I have more checks coming - bind/dns, redis, GitLab runner, forgejo, sudoers, sysctl, PostgreSQL, MariaDB, systemd unit, logrotate, mongodb, 18:10
<melezhik.> Let me know if any of these you are interested in trying out
Voldenet out of those I can test bind, sysctl and sudoers - the other things I have only been running but never configured 18:11
disbot4 <melezhik.> Cool. Will let you know 18:13
18:22 belluzj left 18:42 Sgeo joined 20:08 apogee_ntv left 20:18 apogee_ntv joined 22:06 ShimmerFairy left 22:07 ShimmerFairy joined 23:44 Manifest0 left 23:56 tejr left