Description
Hi, I've noticed that the sshd detection is faulty (even if configuration is correct):
this is most likely due to having 2 identical keys in sshd config (global and match block):
PasswordAuthentication no
and
# SFTP matching configuration
# ===========================
# Configuration, in case SFTP is used
# override default of no subsystems
# Subsystem sftp /opt/app/openssh5/libexec/sftp-server
Subsystem sftp internal-sftp -l INFO -f LOCAL6 -u 0027
# These lines must appear at the *end* of sshd_config
Match Group sftponly
ForceCommand internal-sftp -l INFO -f LOCAL6 -u 0027
ChrootDirectory /home/%u
AllowTcpForwarding no
AllowAgentForwarding no
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
And this issue repeats for other settings as well (AllowTcpForwarding, X11Forwarding, etc.).
Reproduction steps
- create an ansible playbook (harden.yml):
  - hosts: localhost
    become: true
    collections:
      - devsec.hardening
    roles:
      - ssh_hardening
- ansible-playbook harden.yml --become-method=sudo
- sudo inspec exec https://github.com/dev-sec/ssh-baseline
Current Behavior
sshd-27: Server: Disable password-based authentication
× SSHD Configuration PasswordAuthentication is expected to eq "no"
expected: "no"
got: ["no", "no"]
(compared using ==)
Expected Behavior
sshd-27: Server: Disable password-based authentication
✔ SSHD Configuration PasswordAuthentication is expected to eq "no"
maybe detect match block in addition?
OS / Environment
Ubuntu 24.04.2
Inspec Version
6.8.24
Baseline Version
2.8.1
Additional information
No response
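As an added illustration of the behaviour reported above (example code, not part of ssh-baseline or InSpec): a small Ruby parser that separates the global sshd_config section from its Match blocks, so `PasswordAuthentication` can be compared against a single global value while a flat scan of the same file still yields the `["no", "no"]` pair seen in the failing control. The sample config is constructed for the example and mirrors the report.

```ruby
# Added example, not ssh-baseline or InSpec code. Sample sshd_config is
# constructed to mirror the report: one keyword set globally and in a Match block.
SAMPLE_SSHD_CONFIG = <<~CONF
  PasswordAuthentication no
  AllowTcpForwarding yes
  # Match blocks must appear at the *end* of sshd_config
  Match Group sftponly
  ChrootDirectory /home/%u
  AllowTcpForwarding no
  PasswordAuthentication no
CONF

# Returns { global: {keyword => [values]}, matches: [{criteria:, settings:}] }.
# sshd keywords are case-insensitive, so they are stored downcased.
def parse_sshd_config(text)
  global = Hash.new { |h, k| h[k] = [] }
  matches = []
  current = global
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*=\s*|\s+/, 2)
    if keyword.casecmp?('match')
      matches << { criteria: value, settings: Hash.new { |h, k| h[k] = [] } }
      current = matches.last[:settings]
    else
      current[keyword.downcase] << value
    end
  end
  { global: global, matches: matches }
end

# What a flat scan sees: every value of the keyword anywhere in the file,
# the shape behind `got: ["no", "no"]` in the report.
def all_values(text, keyword)
  parsed = parse_sshd_config(text)
  parsed[:global][keyword.downcase] +
    parsed[:matches].flat_map { |m| m[:settings][keyword.downcase] }
end

# Global value only (sshd honours the first occurrence); nil if unset.
def global_setting(text, keyword)
  parse_sshd_config(text)[:global][keyword.downcase].first
end

# Value in effect for a Match block: its own setting, else the global one.
def effective_setting(text, keyword, criteria)
  block = parse_sshd_config(text)[:matches].find { |m| m[:criteria] == criteria }
  (block && block[:settings][keyword.downcase].first) || global_setting(text, keyword)
end
```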