From 20fbb706b0a79478749a53ab1964ab18f6bb0a99 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Fri, 16 Feb 2024 22:40:53 -0500 Subject: [PATCH] The built-in man page (, ) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build. (#231) --- Makefile.docker | 1 + Makefile.pypi | 1 + README.md | 1 + ...ows_man_page.sh => add_builtin_man_page.sh | 23 +++++++++--------- build_snap.sh | 5 +++- build_windows_executable.sh | 4 ++-- src/ssh_audit/globals.py | 4 ++-- src/ssh_audit/ssh_audit.py | 24 +++++++++---------- ssh-audit.1 | 4 ++-- 9 files changed, 35 insertions(+), 32 deletions(-) rename update_windows_man_page.sh => add_builtin_man_page.sh (85%) diff --git a/Makefile.docker b/Makefile.docker index 1b2b51c..ac3542d 100644 --- a/Makefile.docker +++ b/Makefile.docker @@ -4,6 +4,7 @@ ifeq ($(VERSION),) endif all: + ./add_builtin_man_page.sh docker buildx create --name multiarch --use || exit 0 docker buildx build \ --platform linux/amd64,linux/arm64,linux/arm/v7 \ diff --git a/Makefile.pypi b/Makefile.pypi index 56bb404..46da207 100644 --- a/Makefile.pypi +++ b/Makefile.pypi @@ -1,4 +1,5 @@ all: + ./add_builtin_man_page.sh rm -rf /tmp/pypi_upload virtualenv -p /usr/bin/python3 /tmp/pypi_upload/ cp -R src /tmp/pypi_upload/ diff --git a/README.md b/README.md index 1365fdd..88907b6 100644 --- a/README.md +++ b/README.md @@ -182,6 +182,7 @@ For convenience, a web front-end on top of the command-line tool is available at - Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers. - Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/). - Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are. + - The built-in man page (`-m`, `--manual`) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build. ### v3.1.0 (2023-12-20) - Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)). diff --git a/update_windows_man_page.sh b/add_builtin_man_page.sh similarity index 85% rename from update_windows_man_page.sh rename to add_builtin_man_page.sh index 73d008a..0c0a9a5 100755 --- a/update_windows_man_page.sh +++ b/add_builtin_man_page.sh @@ -3,7 +3,7 @@ # # The MIT License (MIT) # -# Copyright (C) 2021 Joe Testa (jtesta@positronsecurity.com) +# Copyright (C) 2021-2024 Joe Testa (jtesta@positronsecurity.com) # Copyright (C) 2021 Adam Russell () # # Permission is hereby granted, free of charge, to any person obtaining a copy @@ -26,22 +26,21 @@ # ################################################################################ -# update_windows_man_page.sh +# add_builtin_man_page.sh # # PURPOSE -# Since Windows lacks a manual reader it's necessary to provide an alternative -# means of reading the man page. +# Since some platforms lack a manual reader it's necessary to provide an +# alternative means of reading the man page. # # This script should be run as part of the ssh-audit packaging process for -# Windows. It populates the 'WINDOWS_MAN_PAGE' variable in 'globals.py' with -# the contents of the man page. Windows users can then print the content of -# 'WINDOWS_MAN_PAGE' by invoking ssh-audit with the manual parameters -# (--manual / -m). +# Docker, PyPI, Snap, and Windows. It populates the 'BUILTIN_MAN_PAGE' +# variable in 'globals.py' with the contents of the man page. Users can then +# see the man page with "ssh-audit [--manual|-m]". # -# Cygwin is required. +# Linux or Cygwin is required to run this script. # # USAGE -# update_windows_man_page.sh [-m ] [-g ] +# add_builtin_man_page.sh [-m ] [-g ] # ################################################################################ @@ -102,7 +101,7 @@ command -v sed >/dev/null 2>&1 || { echo >&2 "sed not found."; exit 1; } git checkout "${GLOBALS_PY}" > /dev/null 2>&1 # Remove the Windows man page placeholder from 'globals.py'. -sed -i '/^WINDOWS_MAN_PAGE/d' "${GLOBALS_PY}" +sed -i '/^BUILTIN_MAN_PAGE/d' "${GLOBALS_PY}" echo "Processing man page at ${MAN_PAGE} and placing output into ${GLOBALS_PY}..." @@ -116,7 +115,7 @@ echo "Processing man page at ${MAN_PAGE} and placing output into ${GLOBALS_PY}.. # escape sequence. Not required under Cygwin because man outputs ANSI escape # codes automatically. -echo WINDOWS_MAN_PAGE = '"""' >> "${GLOBALS_PY}" +echo BUILTIN_MAN_PAGE = '"""' >> "${GLOBALS_PY}" if [[ "${PLATFORM}" == CYGWIN* ]]; then MANWIDTH=80 MAN_KEEP_FORMATTING=1 man "${MAN_PAGE}" | sed $'s/\u2010/-/g' >> "${GLOBALS_PY}" diff --git a/build_snap.sh b/build_snap.sh index ff6bd7c..49efa0b 100755 --- a/build_snap.sh +++ b/build_snap.sh @@ -3,7 +3,7 @@ # # The MIT License (MIT) # -# Copyright (C) 2021 Joe Testa (jtesta@positronsecurity.com) +# Copyright (C) 2021-2024 Joe Testa (jtesta@positronsecurity.com) # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal @@ -44,6 +44,9 @@ rm -rf parts/ prime/ snap/ stage/ build/ dist/ src/*.egg-info/ ssh-audit*.snap git checkout snapcraft.yaml 2> /dev/null git checkout src/ssh_audit/globals.py 2> /dev/null +# Add the built-in manual page. +./add_builtin_man_page.sh + # Get the version from the globals.py file. version=$(grep VERSION src/ssh_audit/globals.py | awk 'BEGIN {FS="="} ; {print $2}' | tr -d '[:space:]') diff --git a/build_windows_executable.sh b/build_windows_executable.sh index 88f21b9..d8318cc 100755 --- a/build_windows_executable.sh +++ b/build_windows_executable.sh @@ -3,7 +3,7 @@ # # The MIT License (MIT) # -# Copyright (C) 2021 Joe Testa (jtesta@positronsecurity.com) +# Copyright (C) 2021-2024 Joe Testa (jtesta@positronsecurity.com) # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal @@ -77,7 +77,7 @@ fi git checkout src/ssh_audit/globals.py 2> /dev/null # Update the man page. -./update_windows_man_page.sh +./add_builtin_man_page.sh retval=$? if [[ ${retval} != 0 ]]; then echo "Failed to run ./update_windows_man_page.sh" diff --git a/src/ssh_audit/globals.py b/src/ssh_audit/globals.py index ee952c4..d83c54e 100644 --- a/src/ssh_audit/globals.py +++ b/src/ssh_audit/globals.py @@ -30,8 +30,8 @@ SSH_HEADER = 'SSH-{0}-OpenSSH_8.2' # The URL to the Github issues tracker. GITHUB_ISSUES_URL = 'https://github.com/jtesta/ssh-audit/issues' -# The man page. Only filled in on Windows systems. -WINDOWS_MAN_PAGE = '' +# The man page. Only filled in on Docker, PyPI, Snap, and Windows builds. +BUILTIN_MAN_PAGE = '' # True when installed from a Snap package, otherwise False. SNAP_PACKAGE = False diff --git a/src/ssh_audit/ssh_audit.py b/src/ssh_audit/ssh_audit.py index 6c6daee..fcfd34f 100755 --- a/src/ssh_audit/ssh_audit.py +++ b/src/ssh_audit/ssh_audit.py @@ -39,7 +39,7 @@ from typing import cast, Callable, Optional, Union, Any # noqa: F401 from ssh_audit.globals import SNAP_PACKAGE from ssh_audit.globals import SNAP_PERMISSIONS_ERROR from ssh_audit.globals import VERSION -from ssh_audit.globals import WINDOWS_MAN_PAGE +from ssh_audit.globals import BUILTIN_MAN_PAGE from ssh_audit.algorithm import Algorithm from ssh_audit.algorithms import Algorithms from ssh_audit.auditconf import AuditConf @@ -1416,23 +1416,21 @@ def target_worker_thread(host: str, port: int, shared_aconf: AuditConf) -> Tuple return ret, string_output -def windows_manual(out: OutputBuffer) -> int: - '''Prints the man page on Windows. Returns an exitcodes.* flag.''' +def builtin_manual(out: OutputBuffer) -> int: + '''Prints the man page (Docker, PyPI, Snap, and Windows builds only). Returns an exitcodes.* flag.''' - retval = exitcodes.GOOD - if sys.platform != 'win32': - out.fail("The '-m' and '--manual' parameters are reserved for use on Windows only.\nUsers of other operating systems should read the man page.") - retval = exitcodes.FAILURE - return retval + builtin_man_page = BUILTIN_MAN_PAGE + if builtin_man_page == "": + out.fail("The '-m' and '--manual' parameters are reserved for use in Docker, PyPI, Snap,\nand Windows builds only. Users of other platforms should read the system man\npage.") + return exitcodes.FAILURE # If colors are disabled, strip the ANSI color codes from the man page. - windows_man_page = WINDOWS_MAN_PAGE if not out.use_colors: - windows_man_page = re.sub(r'\x1b\[\d+?m', '', windows_man_page) + builtin_man_page = re.sub(r'\x1b\[\d+?m', '', builtin_man_page) - out.info(windows_man_page) - return retval + out.info(builtin_man_page) + return exitcodes.GOOD def get_permitted_syntax_for_gex_test() -> Dict[str, str]: @@ -1526,7 +1524,7 @@ def main() -> int: # to output a plain text version of the man page. if (sys.platform == 'win32') and ('colorama' not in sys.modules): out.use_colors = False - retval = windows_manual(out) + retval = builtin_manual(out) out.write() sys.exit(retval) diff --git a/ssh-audit.1 b/ssh-audit.1 index 8617d49..8ae8002 100644 --- a/ssh-audit.1 +++ b/ssh-audit.1 @@ -1,4 +1,4 @@ -.TH SSH-AUDIT 1 "January 28, 2024" +.TH SSH-AUDIT 1 "February 16, 2024" .SH NAME \fBssh-audit\fP \- SSH server & client configuration auditor .SH SYNOPSIS @@ -104,7 +104,7 @@ Look up the security information of an algorithm(s) in the internal database. D .TP .B -m, \-\-manual .br -Print the man page (Windows only). +Print the man page (Docker, PyPI, Snap, and Windows builds only). .TP .B -M, \-\-make-policy=