Detections
Analytics

5.3.29 Ensure SSH Protocol is set to 2

Information

The Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.

SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227

Solution

Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:

Protocol 2

The SSH service must be restarted for changes to take effect

See Also

https://workbench.cisecurity.org/benchmarks/8415

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-5, 800-53|IA-5(1), CAT|I, CCI|CCI-000197, CCI|CCI-000366, CSCv6|3.4, CSCv7|4.5, CSCv7|14.4, Rule-ID|SV-204594r603261_rule, STIG-ID|RHEL-07-040390, Vuln-ID|V-204594

Plugin: Unix

Control ID: 3daa0cf5c86e87bb9541c4a448e35ea4bb11bb238c2636eee40288785de3f917