Popularity

7.8

Stable

Activity

0.0

Stable

Stars 7

Watchers 18

Forks 0

Last Commit over 9 years ago

Monthly Downloads: 3

Programming language: Haskell

License: MIT License

Tags: System

sshd-lint alternatives and similar packages

Based on the "System" category.
Alternatively, view sshd-lint alternatives based on common mentions on social networks and blogs.

taffybar

9.9 9.0 sshd-lint VS taffybar

A gtk based status bar for tiling window managers such as XMonad
xmobar

9.9 8.7 sshd-lint VS xmobar

DISCONTINUED. A minimalistic status bar

CodeRabbit: AI Code Reviews for Developers

Revolutionize your code reviews with AI. CodeRabbit offers PR summaries, code walkthroughs, 1-click suggestions, and AST-based analysis. Boost productivity and code quality across all major languages with each PR.

Promo coderabbit.ai

bench

9.9 2.9 sshd-lint VS bench

Command-line benchmark tool
turtle

9.9 3.8 sshd-lint VS turtle

Shell programming, Haskell style
optparse-applicative

9.9 6.2 sshd-lint VS optparse-applicative

Applicative option parser
angel

9.7 0.0 sshd-lint VS angel

Process Monitoring/Management, Like Daemontools
nix-diff

9.7 6.3 sshd-lint VS nix-diff

Explain why two Nix derivations differ
date-cache

9.6 6.9 sshd-lint VS date-cache

A fast logging system for Haskell
unix

9.6 7.5 sshd-lint VS unix

POSIX functionality
process

9.6 6.8 sshd-lint VS process

Library for dealing with system processes
nix-deploy

9.5 0.0 sshd-lint VS nix-deploy

Deploy software or an entire NixOS system configuration to another NixOS system
optparse-generic

9.5 5.0 sshd-lint VS optparse-generic

Auto-generate a command-line parser for your datatype
ghc-hotswap

9.5 0.0 sshd-lint VS ghc-hotswap

DISCONTINUED. Example code for how we swap compiled code within a running Haskell process.
hapistrano

9.4 6.0 sshd-lint VS hapistrano

Deploy tool for Haskell applications, like Capistrano for Rails
directory

9.4 6.6 sshd-lint VS directory

Platform-independent library for basic file system operations
envy

9.4 3.4 sshd-lint VS envy

:angry: Environmentally friendly environment variables
typed-process

9.3 6.1 sshd-lint VS typed-process

Alternative API for processes, featuring more type safety
filepath

9.2 5.9 sshd-lint VS filepath

Haskell FilePath core library
pid1

9.2 2.6 sshd-lint VS pid1

Do signal handling and orphan reaping for Unix PID1 init processes
hnix-store-core

9.1 8.5 sshd-lint VS hnix-store-core

Haskell implementation of the Nix store
log

9.0 2.2 sshd-lint VS log

Structured logging solution.
clifm

9.0 0.0 sshd-lint VS clifm

Command Line Interface File Manager
clock

8.9 4.6 sshd-lint VS clock

High-resolution clock functions: monotonic, realtime, cputime.
hail

8.9 0.0 sshd-lint VS hail

DISCONTINUED. A service for pull-based continuous deployment based on hydra.
ekg-core

8.9 5.9 sshd-lint VS ekg-core

Library for tracking system metrics
openssh-github-keys

8.9 0.0 sshd-lint VS openssh-github-keys

DISCONTINUED. DEPRECATED: Control SSH access to your servers via GitHub teams
logsink

8.7 0.0 sshd-lint VS logsink

A logging framework for Haskell
monky

8.7 0.0 sshd-lint VS monky

The main repository for monky
ekg-cloudwatch

8.7 0.0 sshd-lint VS ekg-cloudwatch

CloudWatch stats for ekg
system-fileio

8.6 6.2 sshd-lint VS system-fileio

Contains the system-filepath and system-fileio packages
apotiki

8.6 0.0 sshd-lint VS apotiki

DISCONTINUED. a faster debian repository
hobbes

8.6 0.0 sshd-lint VS hobbes

A cross-platform file activity monitor
hinotify

8.5 7.1 sshd-lint VS hinotify

Haskell binding to inotify
atomic-write

8.5 5.0 sshd-lint VS atomic-write

Writes files atomically in Haskell while preserving permissions
plugins

8.5 0.0 sshd-lint VS plugins

Dynamic linking and runtime evaluation of Haskell, and C, including dependency chasing and package resolution.
unix-compat

8.5 0.0 sshd-lint VS unix-compat

Haskell portable POSIX-compatibility layer
logger

8.5 0.0 sshd-lint VS logger

Fast & extensible logging framework for Haskell!
cef

8.5 0.0 sshd-lint VS cef

A Haskell library for CEF (Commont Event Format)
twitch

8.4 3.8 sshd-lint VS twitch

A high level file watcher DSL
language-puppet

8.4 5.7 sshd-lint VS language-puppet

A library to work with Puppet manifests, test them and eventually replace everything ruby.
ascii-progress

8.4 0.0 sshd-lint VS ascii-progress

A simple Haskell progress bar for the console. Heavily borrows from TJ Holowaychuk's Node.JS project
optparse-declarative

8.4 3.2 sshd-lint VS optparse-declarative

Declarative command-line option parser
ekg-statsd

8.3 4.6 sshd-lint VS ekg-statsd

Flush system metrics to statsd
HFuse

8.3 3.1 sshd-lint VS HFuse

Haskell bindings for the FUSE library
which

8.3 5.0 sshd-lint VS which

Determine the full path to an executable.
nix-derivation

8.2 2.8 sshd-lint VS nix-derivation

Parse and render *.drv files
executable-hash

8.2 0.0 sshd-lint VS executable-hash

Provides the SHA1 hash of the program executable
halfs

8.2 0.0 sshd-lint VS halfs

The Haskell File System: A file system implementation in Haskell
splitmix

8.2 4.1 sshd-lint VS splitmix

Pure Haskell implementation of SplitMix pseudo-random number generator
hen

8.1 0.0 sshd-lint VS hen

Haskell bindings to Xen hypervisor interface

Do you think we are missing an alternative of sshd-lint or a related project?

Add another 'System' Package

Popular Comparisons

README

sshd-lint

The ssh daemon is the front door to your server. It's unfortunate that the parser for sshd_config file is unhelpful in detecting incorrectly-entered configuration options or settings that may leave your system open to attackers. sshd-lint checks a sshd_config file for adherence to security best practices. It warns about repeated configuration lines, contradictory settings in the same file, and settings that don't adhere to best practices.

It can be run from the command line to show suggestions for your sshd_config file, or an option can be provided to emit nagios-compatible output so that any changes deviating from best practices will be detected by a monitoring system.

Wat? Weird things happen in ssh config file parsing.

Like in JavaScript, trying to understand how sshd reads your configuration file leads to several "Wat?" moments.

Wat #1 - Earliest option wins for some settings

sshd has two checking modes, -t and -T. Neither one alerts if config directives are repeated, regardless of whether the value being assigned is the same or different.

If you have two different values for some config file value, the first one takes effect (wat?). So the following allows cleartext passwords, but putting the directives in the other order turns off cleartext passwords. Again, there is no warning nor error from sshd abouth the duplicate lines.

PasswordAuthentication yes
PasswordAuthentication no

sshd-lint takes the weird sshd parsing into account and makes sure that settings adhere to best practices. It also lets you know if there are duplicated lines which may lead to unexpected behavior from the SSH daemon.

Wat #2 - No warning for contradictory settings

sshd allows contradictory settings. Fortunately, for certain options like AllowUser, AllowGroup, DenyUser and DenyGroup, the most restrictive option takes effect. Still, it's a bit unexpected that if you add user 'joe' to both AllowUser and DenyUser, joe is Denied without any warning that you told sshd to use contradictory settings.

sshd-lint considers contradictory settings to be an error.

Installation

If you don't have the Haskell platform installed, you'll need to install it. On Ubuntu, apt-get install haskell-platform. On Mac OS, you can install haskell-platform with homebrew or from the pkg file.

Then, install sshd-lint from Hackage.

To install sshd-lint in your ~/.cabal/bin directory:

cabal update && cabal install sshd-lint

This will install sshd-lint in your ~/.cabal/bin, which you should add to your PATH. Alternatively you can install in /usr/local/bin by using the --global option on cabal install.

Usage

Invoking sshd-lint without any arguments defaults to checking /etc/ssh/sshd_config, which should be present on most systems running OpenSSH. You can run sshd_lint on any configuration file by specifying it after the -f argument, eg:

sshd-lint -f /tmp/new_sshd_config

sshd_lint supports a Nagios output mode, which can be enabled with the -n flag.

Other options can be seen by invoking sshd_lint with the -h flag.

sshd-lint's Best Practices

There should be no duplicate lines present in the ssh config file (with the exception of the HostKey configuration option, which we ignore). Currently the following settings are considered best practices by sshd-lint.

PermitEmptyPasswords no
PasswordAuthentication no
HostbasedAuthentication no
PermitRootLogin no
IgnoreRhosts yes
Protocol 2
StrictModes yes
UsePrivilegeSeparation yes

Output

If sshd-lint has any suggestions they will be printed to standard output. The return value of the program will be 1 if there are suggestions.

The output of sshd-lint will be "No suggestions" if there are no suggestions, and the return value will be 0.

The format of sshd-lint may change while the project is still young, so it is suggested that scripts using sshd-lint depend on the return value, but not necessarily the exact formatting of output until the project matures.

Author

Justin Leitgeb

License

MIT

Copyright

*Note that all licence references and agreements mentioned in the sshd-lint README section above are relevant to that project's source code only.

sshd-lint

Checks a sshd_config file for adherence to security best practices

sshd-lint alternatives and similar packages

Popular Comparisons

README

sshd-lint

Wat? Weird things happen in ssh config file parsing.

Wat #1 - Earliest option wins for some settings

Wat #2 - No warning for contradictory settings

Installation

Usage

sshd-lint's Best Practices

Output

Other Reading

Author

License

Copyright