os_sshd_fips_compliant remediation does not gracefully handle previous similar configuration settings #67

Open
opened 2026-01-19 18:29:07 +00:00 by michael · 4 comments

Originally created by @bernstei on GitHub.

The remediation for `os_sshd_fips_compliant` at https://github.com/usnistgov/macos_security/blob/30d4a1af0443332772cd8617d01d7dd3463f8072/rules/os/os_sshd_fips_compliant.yaml#L40 does not attempt to remove previous lines that refer to the same config fields. As a result, if they have been set before (e.g. by an earlier version of macos_security remediation), the resulting `01-mscp-sshd.conf` does not pass the compliance check for the rule.

@bernstei commented on GitHub:

Wait, maybe I'm seeing what's happening - I didn't notice that they also appear in `/etc/ssh/crypto/fips.conf`. Is that how they're being set for `sshd`?

@ChrisButigieg commented on GitHub:

I had the same issue, which resulted in Integer 3 instead of 7. Ran a `-cfc` and still failed for the same exact integer as before. Received an odd Token message, so I even tried running the reset command listed in the yaml file: `/usr/libexec/reset-ssh-configuration`. Same results. Ended up rebuilding my macOS 15.2 device and it sailed through `-cfc`.

@bernstei commented on GitHub:

So, it's a little weird. It does work in the sense that after I run it, the compliance remediation + check passes with no failures. However, there's one very weird thing that I noticed.

The particular rule that was giving me problems was `os_sshd_fips_compliant` (`sshd`, i.e. the server), which checks the output of `sshd -G` for the required config strings, and if needed remediates by writing into `/etc/ssh/sshd_config.d/01-mscp-sshd.conf`. However, after the reset and remediation (fixing 12 rules that failed), the strings that remediate this rule (`Ciphers`, `MACs`, etc) are _not_ in `/etc/ssh/sshd_config.d/01-mscp-sshd.conf`. The only place I see them is in `/etc/ssh/ssh_config.d/01-mscp-ssh.conf`. It looks to me like they are written there by another related rule, `os_ssh_fips_compliant`. I assumed this file would only apply to the _client_, not `sshd`.

Is it expected that `sshd -G` returns configuration items that are set in files from a directory that is not referenced in `/etc/ssh/sshd_config`, but only in `/etc/ssh/ssh_config`?
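The two problems discussed in this thread, a drop-in that accumulates stale `Ciphers`/`MACs` lines across remediation runs, and a check that has to compare against what `sshd -G` actually reports, as an added example that is not the macos_security project's own remediation or check code. File paths, keyword values and the sample `sshd -G` dump are constructed for the example; the real FIPS values come from the rule YAML.

```shell
#!/bin/sh
# Added example, not code from the macos_security project: an idempotent
# drop-in writer plus a checker for `sshd -G` style output. Paths, keys and
# values are illustrative; the FIPS-approved values live in the rule YAML.

# set_sshd_opts <conf> "Key value" ...
# Remove every prior line that sets the same keyword (sshd keywords are
# case-insensitive and may be written "Key value" or "Key=value"), then
# append the new directive once, so repeated runs never pile up duplicates.
set_sshd_opts() {
    conf="$1"; shift
    tmp="${conf}.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    cp "$conf" "$tmp"
    for directive in "$@"; do
        key="${directive%% *}"
        awk -v k="$key" '{
            l = $0; sub(/^[ \t]+/, "", l); split(l, a, /[ \t=]+/)
            if (tolower(a[1]) != tolower(k)) print
        }' "$tmp" > "$tmp.2" && mv "$tmp.2" "$tmp"
        printf '%s\n' "$directive" >> "$tmp"
    done
    mv "$tmp" "$conf"
}

# count_key <conf> <Key>: how many lines set <Key> (for a post-write check).
count_key() {
    awk -v k="$2" '{
        l = $0; sub(/^[ \t]+/, "", l); split(l, a, /[ \t=]+/)
        if (tolower(a[1]) == tolower(k)) n++
    } END { print n + 0 }' "$1"
}

# check_effective <dump> "Key value": succeed only if the effective config
# dump (the `sshd -G` format: lowercase keyword, then value) matches exactly.
# A mismatch means another file (a second drop-in, a crypto policy include)
# wins over the drop-in, which is exactly what a compliance check must flag.
check_effective() {
    dump="$1"; key="$(printf '%s' "${2%% *}" | tr 'A-Z' 'a-z')"; want="${2#* }"
    got="$(awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$dump")"
    [ "$got" = "$want" ]
}
```

Run `set_sshd_opts /path/to/01-mscp-sshd.conf "Ciphers ..." "MACs ..."` and then `sshd -G > dump; check_effective dump "Ciphers ..."` to confirm the written value is the one sshd actually resolves.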

@golbiga commented on GitHub:

In macOS 15.2 there is a reset option for sshd configurations. See the note in the yaml.

```
NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration
```

@bernstei can you give this a try and let us know if that resolves your issue.

Reference: usnistgov/macos_security#67