sed in a bash script: backslash escape anything that looks suspicious
Posted by jpluimers on 2019/02/26
Did I ever tell you I dislike regular expressions and old-skool shells?
They’re not good for anything but basic commands, so if you try any scripts in them, you’re basically lost.
If you disagree, please read [WayBack] “Don’t write Shell scripts. I would recommend Python, but I tried “pip search mysql”….” (Kristian Köhntopp – Google+) and [WayBack] “How did this shit ever work?” by the same author.
On the other hand: on many systems, the baseline isn’t much more than a shell and a very limited tool set.
With *nix-like systems that usually comes down to sed and a shell like bash.
Since I wanted to modify an openssh hardening script, which used sed in a bash script, to cover more permutations, I had little choice but to bite the bullet.
TL;DR:
When you use any of the below characters, prepend them with a backslash, as they have a bash meaning in addition to a sed meaning:
- ? becomes \?
- ( becomes \(
- ) becomes \)
- | becomes \|
The script
Hopefully by now it’s been merged into [Archive.is] https://github.com/comotion/gone/blob/github/modules/ssh. If not, it’s at https://github.com/jpluimers/gone/blob/jpluimers-ssh-hardening-patch/modules/ssh.
The diff: [Archive.is] https://github.com/jpluimers/gone/commit/329bf12a320704080e68eee90f4c099e92d8388d?diff=unified
The relevant portion (which also uses backslashes as line continuations to wrap a command over multiple lines [WayBack]):
sed -i \
    -e 's/#\?MaxAuthTries *[0-9]*.*/MaxAuthTries 2/' \
    -e 's/#\?PermitRootLogin *\(yes\|no\).*/PermitRootLogin no/' \
    -e 's/#\?UsePrivilegeSeparation *\(yes\|no\|sandbox\).*/UsePrivilegeSeparation sandbox/' \
    -e 's/#\?StrictModes *\(yes\|no\).*/StrictModes yes/' \
    -e 's/#\?IgnoreRhosts *\(yes\|no\).*/IgnoreRhosts yes/' \
    -e 's/#\?PermitEmptyPasswords *\(yes\|no\).*/PermitEmptyPasswords no/' \
    -e 's/#\?ChallengeResponseAuthentication *\(yes\|no\).*/ChallengeResponseAuthentication yes/' \
    -e 's/#\?KerberosAuthentication *\(yes\|no\).*/KerberosAuthentication no/' \
    -e 's/#\?GSSAPIAuthentication *\(yes\|no\).*/GSSAPIAuthentication no/' \
    -e 's/#\?GatewayPorts *\(yes\|no\).*/GatewayPorts no/' \
    -e 's/#\?X11Forwarding *\(yes\|no\).*/X11Forwarding no/' \
    -e 's/#\?PrintMotd *\(yes\|no\).*/PrintMotd no/' \
    -e 's/#\?PrintLastLog *\(yes\|no\).*/PrintLastLog yes/' \
    -e 's/#\?TCPKeepAlive *\(yes\|no\).*/TCPKeepAlive no/' \
    -e 's/#\?PermitUserEnvironment *\(yes\|no\).*/PermitUserEnvironment no/' \
    -e 's/^\(HostKey .*ssh_host_dsa_key\)/#\1/' \
    sshd_config
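As an added example (not the post’s or the gone project’s own code; it assumes GNU sed for -i and the \? and \| extensions, and a constructed sshd_config rather than a real host’s file), here is the same escaping applied to a handful of the directives, followed by a check that each hardened directive is actually set, since sed only rewrites lines that are already there:

```shell
# Added example: apply a few of the post's substitutions to a constructed
# sshd_config and verify the result. sed only rewrites lines that already
# exist, so a directive absent from the input stays absent; the check catches that.
set -eu
# Same escaping as the post: \? \( \| and \1 are GNU sed BRE syntax.
harden_sshd_config() {
  local cfg="$1"
  sed -i \
    -e 's/#\?MaxAuthTries *[0-9]*.*/MaxAuthTries 2/' \
    -e 's/#\?PermitRootLogin *\(yes\|no\).*/PermitRootLogin no/' \
    -e 's/#\?X11Forwarding *\(yes\|no\).*/X11Forwarding no/' \
    -e 's/^\(HostKey .*ssh_host_dsa_key\)/#\1/' \
    "$cfg"
}
# Effective value of a directive (sshd takes the first uncommented match);
# prints nothing when the directive is not set at all.
sshd_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
# Compare each directive with the value we want; return 1 on any mismatch
# or on a directive that is missing entirely.
check_hardened() {
  local cfg="$1" key want got rc=0
  while read -r key want; do
    got="$(sshd_value "$cfg" "$key")"
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $key is '${got:-<unset>}', want '$want'" >&2
      rc=1
    fi
  done <<'EOF'
MaxAuthTries 2
PermitRootLogin no
X11Forwarding no
EOF
  return "$rc"
}
# Constructed sample (not a real host's file); X11Forwarding is deliberately
# absent so the check has something to report.
make_sample_config() {
  local cfg
  cfg="$(mktemp)"
  printf '%s\n' '#MaxAuthTries 6' 'PermitRootLogin yes' \
    'HostKey /etc/ssh/ssh_host_rsa_key' 'HostKey /etc/ssh/ssh_host_dsa_key' > "$cfg"
  echo "$cfg"
}
cfg="$(make_sample_config)"
harden_sshd_config "$cfg"
check_hardened "$cfg" || echo "sshd_config still needs manual attention" >&2
rm -f "$cfg"
```

Inside single quotes bash hands the expression to sed untouched; the backslashes are what GNU sed’s default BRE syntax needs to treat ?, (, ) and | as operators, and sed -E would take the unescaped ERE forms instead.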
More on sshd hardening
In case I have to revisit the script, here are some more links on ssh and hardening from my blog posts:
- More secure SSH: hardening both client and server. And use Tor
- openSUSE – Review of the week 2018/03 – Dominique a.k.a. DimStar (Dim*) – be sure to review your openssh config!
- OpenSSH keygen guidelines
- Hardening: sshd_config – How to configure the OpenSSH server | SSH.COM
- Good read for starting to intermediate ssh users is “SSH Essentials: Working with SSH Servers, Clients, and Keys | DigitalOcean” and pointers to more advanced reading material
–jeroen