Feature request: Consider host entries in .ssh/config #103

Closed
shoopdawoop opened this issue Mar 26, 2021 · 10 comments

Comments

@shoopdawoop

It would be convenient if host entries in .ssh/config (hostname, port) could be recognised and used automatically, so that an entry like

Host staging
	PubkeyAuthentication yes
	IdentitiesOnly yes
	IdentityFile ~/.ssh/id_ed25519
	Hostname mystagingserver.domain.com
	User dummy
	Port 54321

would allow a simple

ssh-audit.py staging

instead of a

ssh-audit.py -p 54321 mystagingserver.domain.com

@jtesta
Owner

jtesta commented Mar 26, 2021 via email

@jugmac00
Contributor

Maybe consider a separate subcommand, e.g. ssh-audit.py check-config-host staging or ssh-audit --from-config staging or similar... (ok, I am not good at naming).

Otherwise how would you decide what ssh-audit xxx means? Is it a host or a section header for a host in a config file?

Is the location of the ssh config file always ~/.ssh/config or is it configurable?

@thecliguy
Contributor

I think this is a very good question but I'm not convinced that adding code to ssh-audit to parse and extract data from openssh config files is the right thing to do. I just feel it's not really ssh-audit's job to do this and it could be solved a different way...

What I would suggest is that you extract the data from the config file using a tool like grep or awk and then either pipe the result to ssh-audit or write the result to a text file and pass it to ssh-audit's --targets= parameter.

@shoopdawoop
Author

If you'd ask me I'd say it should be as simple as possible (the goal being less typing, not more), e.g. an option -h to check for hostnames in .ssh/config first, and maybe -H to specify a /path/to/a/config file.

@jugmac00
Contributor

I immediately thought of -h but this is already used for help.

@thecliguy
Contributor

@shoopdawoop Does the bash script below do what you want?

To use it:

  • Save the script as scan_host_in_ssh_config.sh
  • Update SSH_AUDIT_PY to point to the location of your ssh-audit.py
  • Execute the script as follows: scan_host_in_ssh_config.sh staging

#!/bin/bash

# USAGE:   scan_host_in_ssh_config.sh <host>
# EXAMPLE: scan_host_in_ssh_config.sh staging

################################################################################
# How it works:
#   1. Print the host details ('ssh -G' dumps the effective configuration for
#      the alias after Host/Match evaluation, one "keyword value" per line).
#   2. Extract the hostname and port lines.
#   3. Select the second field (the value).
#   4. Insert the '-p' parameter on line two (between hostname and port).
#   5. Replace line feeds with a space.
#   6. Pass the resultant text ("HOSTNAME -p PORT") to ssh-audit using xargs.
################################################################################

SSH_AUDIT_PY=~/ssh-audit/ssh-audit.py

# The alias is quoted so an argument with spaces is passed to ssh intact.
# 'sed "2 i\-p"' is GNU sed syntax; BSD sed (macOS) rejects it.
ssh -G "$1" | grep -E '^(hostname|port) ' | cut -d ' ' -f2 | sed '2 i\-p' | tr -s "\n" ' ' | xargs "$SSH_AUDIT_PY"

@shoopdawoop
Author

This works great and I learned a few things. Thank you!

I had to replace sed '2 i\-p' with sed '2 s/^/-p /g' on macOS because apparently BSD sed is weird and throws "extra characters after \ at the end of i command", and I could not figure this one out.

This works well for me, so feel free to close.
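
The same job in a single awk pass, as an added example that is neither ssh-audit's code nor the script posted in this thread: it avoids the sed insert command that differs between GNU and BSD sed, quotes the alias, and adds the check a practitioner would want before trusting the result. ssh-audit opens its own TCP connection to hostname:port and does not follow ProxyJump or ProxyCommand, so an alias that is only reachable through a jump host is refused instead of being audited at whatever the alias name happens to resolve to. Parsing is split into a function that reads `ssh -G` style output from stdin so it can be exercised on constructed text; the names `ssh_g_to_audit_args` and `audit_ssh_config_host` and the SSH_AUDIT_PY environment variable are this example's own. Note that `ssh -G` evaluates Match blocks, including Match exec, so resolving an alias runs whatever those blocks execute; only point it at configuration you trust.

```shell
#!/bin/sh
# Added example (not ssh-audit's code, not the thread's script): resolve an
# ssh_config Host alias to the "-p PORT HOSTNAME" arguments ssh-audit takes.
# Function names and the SSH_AUDIT_PY variable are this example's own.
set -eu

# Convert `ssh -G` output (one lowercase "keyword value" pair per line) into
# ssh-audit arguments. Reads stdin, prints "-p PORT HOSTNAME" on stdout.
# Pure text processing, so it can be exercised on constructed input.
ssh_g_to_audit_args() {
    awk '
        $1 == "hostname" { host = $2 }
        $1 == "port"     { port = $2 }
        # ssh-audit connects to hostname:port itself; it does not follow
        # ProxyJump/ProxyCommand, so such aliases are refused rather than
        # audited at whatever the alias name resolves to on this network.
        $1 == "proxyjump"                    { proxied = 1 }
        $1 == "proxycommand" && $2 != "none" { proxied = 1 }
        END {
            if (host == "" || port == "") {
                print "no hostname/port in ssh -G output" > "/dev/stderr"
                exit 1
            }
            if (proxied) {
                print "alias uses ProxyJump/ProxyCommand; ssh-audit cannot reach it directly" > "/dev/stderr"
                exit 2
            }
            print "-p " port " " host
        }'
}

# Resolve <alias> with the real ssh client (so Include, Match and an optional
# -F config file are honoured exactly as ssh would) and hand the result to
# ssh-audit. `ssh -G` evaluates Match exec blocks, so the config is run as
# configuration code: only use it on configuration you trust.
# Usage: audit_ssh_config_host <alias> [ssh_config file]
audit_ssh_config_host() {
    host_alias=$1
    args=$(
        if [ -n "${2:-}" ]; then
            # -F selects a per-user file and skips /etc/ssh/ssh_config
            ssh -G -F "$2" -- "$host_alias"
        else
            ssh -G -- "$host_alias"
        fi | ssh_g_to_audit_args
    ) || return $?
    # shellcheck disable=SC2086  # intentional split of "-p PORT HOSTNAME"
    "${SSH_AUDIT_PY:-ssh-audit}" $args
}

# When run as a script: scan_config_host.sh <alias> [ssh_config]
if [ -n "${1:-}" ]; then
    audit_ssh_config_host "$@"
fi
```

Run it as `sh scan_config_host.sh staging` (or with a second argument naming an alternative config file); for an alias that is not in any config, `ssh -G` still prints the alias as the hostname and 22 as the port, so the script behaves like plain `ssh-audit alias`.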

@jugmac00
Contributor

Just as a hint... For a Python package you can specify more than one command line entry point.

Once you install, e.g., the all-repos package, you have many commands available, like all-repos-grep, all-repos-find, all-repos-sed...

@thecliguy
Contributor

> This works great and I learned a few things. Thank you!
>
> I had to replace sed '2 i\-p' with sed '2 s/^/-p /g' on macOS because apparently BSD sed is weird and throws "extra characters after \ at the end of i command", and I could not figure this one out.
>
> This works well for me, so feel free to close.

You're very welcome, I'm glad it worked.

The command pipeline that I wrote could almost certainly be refined and improved so it doesn't use quite so many different tools.

The point I really wanted to illustrate is that we don't necessarily need to overcomplicate ssh-audit so it handles specific types of input because it's actually already incredibly flexible just by virtue of being a command line tool.

It's entirely up to you if you close this issue or not.

@shoopdawoop
Author

This "in the spirit of *nix way" is fine with me. Again, thank you!
