
We're going through a compliance audit and one of the requirements is that IgnoreRhosts is set to yes in sshd_config.

The pentest scanner has parsed the sshd_config file and determined the string doesn't exist, even though it does.

In the course of troubleshooting, I've stripped out just that line into a new file, and still can't get grep to match it for some reason.

[root@xxxxx ~]# cat test
IgnoreRhosts yes
[root@xxxxx ~]# cat test | grep "^[\s]*(?i)IgnoreRhosts(?-i)[\s]+yes[\s]*$"
(nothing is returned)

Removing bits of the expression one by one still doesn't return a response until it's effectively all removed:

[root@xxxxx ~]# cat test | grep "^[\s]*(?i)IgnoreRhosts(?-i)[\s]+yes[\s]*$"
[root@xxxxx ~]# cat test | grep "^[\s]*(?i)IgnoreRhosts(?-i)[\s]"
[root@xxxxx ~]# cat test | grep "[\s]*(?i)IgnoreRhosts(?-i)[\s]"
[root@xxxxx ~]# cat test | grep "(?i)IgnoreRhosts(?-i)[\s]"
[root@xxxxx ~]# cat test | grep "(?i)IgnoreRhosts(?-i)"
[root@xxxxx ~]# cat test | grep "IgnoreRhosts"
IgnoreRhosts yes

Putting aside the SSH config part of the equation, why isn't grep matching this basic string? I've tried looking at the file with od and hexdump in case there were hidden characters, encoding problems, etc - but still cannot get grep to match that single line in an otherwise empty test file.

When I use an online regex validator, it matches immediately. Is this a bug in cat or grep perhaps? The server is running RHEL 8.6.

Deon
  • Use the `-P` option to enable Perl regex: `grep -P "^[\s]*(?i)IgnoreRhosts(?-i)[\s]+yes[\s]*$" test` – Paolo Apr 07 '23 at 08:31
  • @Paolo thanks, that does indeed match! Can you expand on what Perl regex is a bit and why this string doesn't match without it? Given I have to make this work with a commercial pentest scanner (which I can't edit the grep command in), I'm keen to see how I can somehow modify the file in such a way that the scanner will detect the string and pass the compliance check – Deon Apr 07 '23 at 08:32
  • There are three regex engines available in grep: BRE (which you have used), ERE and Perl. Only the last supports inline modifiers (like `(?s)`). You have used the same engine (pcre) at regex101. – markalex Apr 07 '23 at 09:04
  • "I'm keen to see how I can somehow modify the file in such a way that the scanner will detect the string and pass the compliance check" It depends on how your scanner detects, really. – markalex Apr 07 '23 at 09:05
  • Why don't you just `grep -i` and then get rid of the `(?i)` (which is supported by neither BRE nor ERE)? – knittl Apr 07 '23 at 09:14
  • @Paolo - why answer in a comment? – Sam Apr 07 '23 at 09:46
  • @Sam because the best answer in this case would be a grep which doesn't require a Perl regex, since that isn't necessarily available everywhere – Paolo Apr 07 '23 at 10:52
  • Tangentially see also [useless use of `cat`](https://stackoverflow.com/questions/11710552/useless-use-of-cat) – tripleee Apr 07 '23 at 10:58
  • @Paolo please don't answer in comments as then we can't up/downvote appropriately and any comments we make on it don't show up immediately under it and can't be threaded with it and so are easily missed. For example, it's not obvious from [the answer in your comment](https://stackoverflow.com/questions/75956722/grep-not-matching-string-in-file-based-on-regex#comment133970405_75956722) that you didn't think that would be the best answer and we can't attach/associate any comment to that comment indicating that for the OPs benefit and for the benefit of others reading this. – Ed Morton Apr 07 '23 at 15:46
  • @EdMorton what are you on about? You want me to answer an obvious dupe? And even if the question wasn't a dupe, I don't have to explain to you why I chose to post a comment and not an answer. My comment doesn't prevent anyone else from writing another comment or indeed answering the question. Get a grip. – Paolo Apr 07 '23 at 16:15
  • @Paolo I'm not asking you to answer an obvious dupe, I'm not asking you to explain anything, and I'm not suggesting your comment stops anyone else from posting answers or comments. I'm simply asking you not to post answers in comments for the reasons I stated. – Ed Morton Apr 07 '23 at 17:19

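The engine difference the comments describe, as an added example (written for this page, not code from the question or any commenter): the scanner's PCRE pattern is run under `-P`, the question's command is run as typed under the default BRE engine, and a portable `-E -i` equivalent sits beside them, all against constructed sshd_config fragments in temporary files. The `-P` branch assumes GNU grep built with PCRE support and is skipped otherwise.

```shell
#!/bin/sh
# Added example (not from the question or any commenter): the scanner's
# PCRE check beside a portable ERE equivalent, run on constructed
# sshd_config fragments. Only the -P branch needs GNU grep built with PCRE.

# Constructed inputs: GOOD has an active setting (keyword case differs,
# extra blanks) behind a commented-out line; BAD only has the commented
# line and a wrong value. sshd takes the first uncommented value it sees.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
printf '%s\n' '# IgnoreRhosts yes' '   ignorerhosts   yes  ' > "$GOOD"
printf '%s\n' '# IgnoreRhosts yes' 'IgnoreRhosts no' > "$BAD"

# The command from the question, as typed. In BRE, "(", "?" and "\s" have
# no special meaning: grep looks for the literal text "(?i)IgnoreRhosts(?-i)"
# and treats [\s] as a bracket expression matching a backslash or an "s".
# Returns 1 even on GOOD. (stderr silenced: newer GNU grep warns about \s.)
ignore_rhosts_bre_as_typed() {
    grep -q "^[\s]*(?i)IgnoreRhosts(?-i)[\s]+yes[\s]*$" "$1" 2>/dev/null
}

# Portable equivalent with the same meaning as the scanner's regex:
# -i replaces (?i) for the keyword, a second case-sensitive grep replaces
# (?-i) for the value, and [[:space:]] replaces \s. Returns 0 on a match.
ignore_rhosts_ere() {
    grep -E -i '^[[:space:]]*IgnoreRhosts[[:space:]]+' "$1" |
        grep -E -q '^[[:space:]]*[^[:space:]]+[[:space:]]+yes[[:space:]]*$'
}

# True when this grep accepts -P (exit status 2 means "unsupported option").
grep_has_pcre() {
    grep -P x /dev/null 2>/dev/null || [ $? -ne 2 ]
}

# The scanner's pattern under the engine it was written for.
ignore_rhosts_pcre() {
    grep -P -q '^\s*(?i)IgnoreRhosts(?-i)\s+yes\s*$' "$1"
}

for f in "$GOOD" "$BAD"; do
    ignore_rhosts_bre_as_typed "$f" && echo "BRE as typed: match" || echo "BRE as typed: no match"
    ignore_rhosts_ere "$f" && echo "ERE -i: match" || echo "ERE -i: no match"
    if grep_has_pcre; then
        ignore_rhosts_pcre "$f" && echo "PCRE -P: match" || echo "PCRE -P: no match"
    fi
done
```

Note that both the scanner's regex and the ERE version only look for a `keyword value` line; sshd_config also accepts `IgnoreRhosts=yes`, which neither pattern matches, so a setting written that way is honoured by sshd but reported as missing by this kind of check.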