5.2.2 Ensure access to SSH private host key files is configured

Information

An SSH private key is one of two files used in SSH public key authentication. In this authentication method, the possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.

If an unauthorized user obtains a private SSH host key file, the host could be impersonated: whoever holds the key can present it to clients as if they were this server.

Solution

Set the ownership and mode of the private host keys used by the OpenSSH server so that they match one of the following:

- Mode 0640, owned by the user root and group owned by the group ssh_keys.

- OR -

- Mode 0600, owned by the user root and group owned by the group root.

Run the following script to update the ownership and mode of the private host keys used by the OpenSSH server:

#!/usr/bin/env bash

{
   # Resolve the sshd and ssh-keygen binaries (Debian-style and Red Hat-style paths)
   l_sshd_cmd="$(readlink -e /usr/sbin/sshd || readlink -e /sbin/sshd)"
   l_keygen="$(readlink -e /usr/bin/ssh-keygen || readlink -e /bin/ssh-keygen)"
   # Prefer group ssh_keys where it exists (mode 0640), otherwise group root (mode 0600)
   if grep -Psoq -- '^ssh_keys\b' /etc/group; then
      l_group="ssh_keys";l_mode="u-x,g-wx,o-rwx"
   else
      l_group="root";l_mode="u-x,go-rwx"
   fi
   # Walk every HostKey in the effective sshd configuration and change only files
   # that ssh-keygen recognises as keys
   while IFS= read -r l_file; do
      if "$l_keygen" -lf &>/dev/null "$l_file"; then
         chown root:"$l_group" "$l_file"
         chmod "$l_mode" "$l_file"
      fi
   done < <("$l_sshd_cmd" -T | awk '$1=="hostkey" {print $2}' 2>/dev/null)
}
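Before running the remediation, an administrator usually wants to see which host key files are actually out of compliance. The script below is an added audit example, not the CIS or Tenable remediation script: it reports PASS or FAIL per host key without changing anything. It assumes GNU stat and the same sshd and ssh-keygen paths the remediation uses; the function names and the --live flag are the example's own. The forbidden-bit masks mirror the remediation's chmod expressions (u-x,g-wx,o-rwx for group ssh_keys, u-x,go-rwx for group root), so any mode the remediation would leave untouched passes, and any mode it would tighten fails.

```shell
#!/usr/bin/env bash
# Added audit example for CIS 5.2.2 (not the CIS/Tenable remediation script):
# reports host key files whose mode, owner or group do not meet the control,
# without changing anything. Assumes GNU stat and the sshd/ssh-keygen paths
# used by the remediation script.

# Decide whether one (mode, owner, group) triple is compliant.
# The forbidden-bit masks mirror the remediation's chmod expressions:
#   group ssh_keys -> u-x,g-wx,o-rwx  (mask 0137, i.e. 0640 or tighter)
#   group root     -> u-x,go-rwx      (mask 0177, i.e. 0600 or tighter)
# Returns 0 when compliant, 1 otherwise.
key_perms_ok() {
    local mode="$1" owner="$2" group="$3" forbidden
    case "$mode" in ''|*[!0-7]*) return 1 ;; esac   # not an octal mode string
    [ "$owner" = "root" ] || return 1
    case "$group" in
        ssh_keys) forbidden=137 ;;
        root)     forbidden=177 ;;
        *)        return 1 ;;
    esac
    # A leading 0 makes both values octal in shell arithmetic;
    # any forbidden bit set in the mode is a failure.
    [ $(( 0$mode & 0$forbidden )) -eq 0 ]
}

# Audit one file: print PASS/FAIL and return 1 when non-compliant or unreadable.
audit_key_file() {
    local f="$1" info
    info="$(stat -c '%a %U %G' -- "$f" 2>/dev/null)" || { echo "FAIL: $f cannot be read"; return 1; }
    set -- $info      # $1=mode $2=owner $3=group
    if key_perms_ok "$1" "$2" "$3"; then
        echo "PASS: $f ($1 $2:$3)"
    else
        echo "FAIL: $f is $1 $2:$3 (expected 0640 root:ssh_keys or 0600 root:root)"
        return 1
    fi
}

# Audit every HostKey in the effective sshd configuration (sshd -T needs root).
audit_sshd_host_keys() {
    local sshd keygen keys f rc=0
    sshd="$(readlink -e /usr/sbin/sshd || readlink -e /sbin/sshd)" || { echo "sshd not found"; return 2; }
    keygen="$(readlink -e /usr/bin/ssh-keygen || readlink -e /bin/ssh-keygen)"
    keys="$("$sshd" -T 2>/dev/null | awk '$1=="hostkey" {print $2}')"
    [ -n "$keys" ] || { echo "no HostKey entries reported by sshd -T (run as root?)"; return 2; }
    for f in $keys; do
        # Skip files ssh-keygen does not recognise as keys, as the remediation does.
        "$keygen" -lf "$f" >/dev/null 2>&1 || continue
        audit_key_file "$f" || rc=1
    done
    return $rc
}

# Run the live audit only when asked for explicitly, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    audit_sshd_host_keys
    exit $?
fi
```

Run it as root with the --live argument to audit the real host keys; its exit status is 0 when every key passes, 1 when at least one fails, and 2 when sshd or its HostKey list could not be read. The owner check is deliberately strict (root only), while the mode check accepts anything at least as restrictive as the benchmark's 0640 or 0600, which is exactly the set of files the remediation's chmod would leave unchanged.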

Impact:

If the private keys used by the OpenSSH server have an incorrect mode, owner, or group owner, the sshd service may not start.

See Also

https://workbench.cisecurity.org/benchmarks/25279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CCI|CCI-000366, CSCv7|14.6, Rule-ID|SV-230287r1017098_rule, Rule-ID|SV-235009r991589_rule, Rule-ID|SV-258000r1045063_rule, Rule-ID|SV-269265r1050147_rule

Plugin: Unix

Control ID: e7201caf5b25ec4b930b0b3e10aad43f96fb6317b668335e8c5d4151e77e443c