Solved sed not working

Hi guys,

Could you please help me to spot the problem here:

FreeBSD 10, bash script.

Code:
cd /etc/ssh
cp sshd_config sshd_config.$$
sed -i \
-e 's/PermitRootLogin *yes.*/PermitRootLogin no/' \
-e 's/UsePrivilegeSeparation *no.*/UsePrivilegeSeparation yes/' \
-e 's/StrictModes *no.*/StrictModes yes/' \
-e 's/IgnoreRhosts *no.*/IgnoreRhosts yes/' \
-e 's/PermitEmptyPasswords *yes.*/PermitEmptyPasswords no/' \
-e 's/^\(HostKey .*ssh_host_dsa_key\)/#\1/' \
sshd_config
Error message:
Code:
sed: -e: No such file or directory
sed: 1: "sshd_config": unterminated substitute pattern
sed: 1: "sshd_config": unterminated substitute pattern
sed: 1: "sshd_config": unterminated substitute pattern
 
According to the manpage, the -i option takes an argument. It appears that it's using -e as that argument, which is putting the rest of your options out of step. Try:
Code:
sed -i .bak -e ...
(If you're creating sshd_config.$$ in order to have a backup before running sed, you shouldn't technically need to do that, as the whole point of the argument to -i is to provide an extension for a backup copy when editing in-place).
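To show the difference the argument to -i makes, here is an added example (not code from the thread) that applies the same substitutions with the attached-suffix form "-i.bak", which both FreeBSD sed and GNU sed accept; the sample config and the function names write_sample_config, harden_sshd_config and verify_hardened are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. "sed -i.bak" (suffix attached) means
# "edit in place, keep a .bak backup" on both BSD and GNU sed; the split form
# "sed -i .bak" is BSD-only, since GNU sed would read ".bak" as the script.
# write_sample_config / harden_sshd_config / verify_hardened are constructed
# helper names for this demonstration.

# Write a small constructed sshd_config fragment to the path in $1.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's config
PermitRootLogin yes
UsePrivilegeSeparation no
StrictModes no
IgnoreRhosts no
PermitEmptyPasswords yes
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
EOF
}

# Apply the thread's sed substitutions to $1 in place, keeping $1.bak.
harden_sshd_config() {
    sed -i.bak \
        -e 's/PermitRootLogin *yes.*/PermitRootLogin no/' \
        -e 's/UsePrivilegeSeparation *no.*/UsePrivilegeSeparation yes/' \
        -e 's/StrictModes *no.*/StrictModes yes/' \
        -e 's/IgnoreRhosts *no.*/IgnoreRhosts yes/' \
        -e 's/PermitEmptyPasswords *yes.*/PermitEmptyPasswords no/' \
        -e 's/^\(HostKey .*ssh_host_dsa_key\)/#\1/' \
        "$1"
}

# Return 0 only if every hardened value is present and the backup survived.
verify_hardened() {
    f="$1"
    [ -f "$f.bak" ] || return 1
    grep -q '^PermitRootLogin no$' "$f" || return 1
    grep -q '^UsePrivilegeSeparation yes$' "$f" || return 1
    grep -q '^StrictModes yes$' "$f" || return 1
    grep -q '^IgnoreRhosts yes$' "$f" || return 1
    grep -q '^PermitEmptyPasswords no$' "$f" || return 1
    grep -q '^#HostKey /etc/ssh/ssh_host_dsa_key$' "$f" || return 1
    # the RSA HostKey line must be left untouched
    grep -q '^HostKey /etc/ssh/ssh_host_rsa_key$' "$f" || return 1
    return 0
}
```

Run it against a copy of sshd_config in a scratch directory first; sshd -t on the result is still the real check before reloading the daemon.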
 
This is the code that I'm trying to adapt from Ubuntu to FreeBSD.

I have already made a few changes but it just won't work.

Code:
#!/bin/bash
#
# try to secure OpenSSH... a bit
#
# comotion@krutt.org

sshver=$(sshd -v 2>&1 | grep -v unknown | head -n 1)
case $sshver in
    OpenSSH_*)
        v=$(echo $sshver | cut -f 2 -d_ | cut -f 1 -d ' ')
        ;;
    *)
        v=UNKNOWN
esac

if [ "$v" = "UNKNOWN" ]
then
    echo "this script currently only supports OpenSSH. Email $sshver to comotion@krutt.org and we shall work it in" 1>&2
    exit 1
fi


cd /etc/ssh
cp sshd_config sshd_config.$$

# these are mostly supported
sed -i \
-e 's/PermitRootLogin *yes.*/PermitRootLogin no/' \
-e 's/UsePrivilegeSeparation *no.*/UsePrivilegeSeparation yes/' \
-e 's/StrictModes *no.*/StrictModes yes/' \
-e 's/IgnoreRhosts *no.*/IgnoreRhosts yes/' \
-e 's/PermitEmptyPasswords *yes.*/PermitEmptyPasswords no/' \
-e 's/^\(HostKey .*ssh_host_dsa_key\)/#\1/' \
sshd_config

# should be this but curve25519 is not supported everywhere
kexup='curve25519-sha256@libssh.org'

kex='diffie-hellman-group-exchange-sha256'

ciphers='aes256-ctr,aes192-ctr,aes128-ctr'
ciphersup='chacha20-poly1305@openssh.com'
macs='hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
macsup='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com'
macsend='umac-128@openssh.com'




if [[ "$v" < "5.9" ]]
then
    echo "shitty old SSH $v detected, please upgrade!"
elif [[ "$v" > "6.4" ]]
then
    ciphers="$ciphersup,$ciphers"
    macs="$macsup,$macs,$macsend"
    kex="$kexup,$kex"
fi



cd /etc/ssh
if grep -q ^KexAlgorithms sshd_config
then
   sed -i "s/^KexAlgorithms .*/KexAlgorithms $kex/" sshd_config
else
    echo "KexAlgorithms $kex" >> sshd_config
fi
if grep -q ^Ciphers sshd_config
then
   sed -i "s/^Ciphers .*/Ciphers $ciphers/" sshd_config
else
    echo "Ciphers $ciphers" >> sshd_config
fi
if grep -q ^MACs sshd_config
then
   sed -i "s/^MACs .*/MACs $macs/" sshd_config
else
    echo "MACs $macs" >> sshd_config
fi

mkdir -p broken
mv ssh_host_dsa_key* ssh_host_ecdsa_key* ssh_host_key* broken
# create broken links to force SSH not to regenerate broken keys
ln -s ssh_host_ecdsa_key ssh_host_ecdsa_key
ln -s ssh_host_dsa_key ssh_host_dsa_key
ln -s ssh_host_key ssh_host_key

# remove weak moduli
[ -f broken/moduli ] || cp moduli broken
awk '{ if ($5 > 2000){ print } }' moduli > /tmp/moduli
mv /tmp/moduli moduli

if ! sshd -t
then
    echo "SSHD config failed, reverting to untouched one. Please investigate sshd_config.$$.new"
    cp sshd_config sshd_config.$$.new
    mv sshd_config.$$ sshd_config
else
    /etc/init.d/ssh reload
    echo "SSH reloaded. Please TEST your SSHD by making a new connection BEFORE disconnecting this session!" >&2
fi

echo
echo "For better client security, configure your ssh_config / .ssh/config like so:"
echo "Host *"
echo "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512"
echo "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"



# controversial options:
# X11Forwarding
# AllowTCPForwarding
# AllowUsers
# AllowGroups remote
# ChrootDirectory
#
# Define a remote group and use it for allowed users.
I'm not sure how to use sed -i .bak -e... here.
 
All you need to do is add .bak after the -i option in the sed command...
I'm not guaranteeing that it will completely fix the sed command or make the script run perfectly as there may be other Linux-isms, but it will hopefully fix at least one problem stopping the sed command from working.

On line ~27 of the script:

Code:
- sed -i \
+ sed -i .bak \
You'll probably also want to replace the following to allow the script to restart sshd correctly
Code:
- /etc/init.d/ssh restart
+ /etc/rc.d/sshd restart
 
OK, it looks like I've made a pig's ear of my setup with this script..
How can I recreate the entire /etc/ssh directory?
 
You should have a copy of the original sshd_config in sshd_config.$$, so just copy it back. The other files it messes with should be copied to the /etc/ssh/broken/ folder, so again copy them back. Although before doing that, look for any of those files that already exist in /etc/ssh as symlinks and get rid of the symlinks first. (The script creates bad symlinks in order to stop OpenSSH from re-creating them)

To be honest I don't see the point in using the script in the first place. It's not written for FreeBSD and a few of the settings appear to be default on FreeBSD anyway. It does remove some of the moduli and keys which it claims to be weak/broken, but this is the first time I've seen something like this, and I don't exactly hear many people complaining of broken ssh security in default FreeBSD.
 
usdmatt, I agree,

I will stick with the way I know and do it manually.
I have a few jails to set up and was hoping to find a quicker solution other than manually configuring it all.
 