Information
This sequence describes configuring the SSH server keys.
An SSH server key, also known as a host key, is the asymmetric key pair that identifies an SSH server to a client. It is generated when the SSH server is enabled. Clients record the key's fingerprint the first time they connect (for OpenSSH, in known_hosts) and compare it on every later connection, so the host key is what lets a client detect a changed or impersonated server.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To set the SSH server key:
switch(config)# ssh host-key <key-type> <curve/bits>
Regenerating a host key replaces the existing key of that type and changes its fingerprint. Clients that have the old fingerprint pinned will warn about a changed host key, so distribute the new fingerprint over a trusted channel before users reconnect.
To set a nistp256 ecdsa server-key:
switch(config)# ssh host-key ecdsa ecdsa-sha2-nistp256
ecdsa host-key will be overwritten.
Do you want to continue (y/n)? y
switch(config)#
To set an ed25519 server-key:
switch(config)# ssh host-key ed25519
ed25519 host-key will be overwritten.
Do you want to continue (y/n)? y
switch(config)#
To set a 2048-bit RSA server-key (the command below generates a 2048-bit modulus; an RSA key of only 256 bits would be trivially factorable):
switch(config)# ssh host-key rsa bits 2048
rsa host-key will be overwritten.
Do you want to continue (y/n)? y
switch(config)#
Impact:
A weak host key undermines the one property the host key exists to provide: proof of the server's identity. An attacker who can factor, recover or guess the key can impersonate the server, intercept or manipulate sessions, and harvest the credentials users type into the spoofed session. Among the risks associated with weak SSH server keys are:
- Man in the middle (MITM) attacks
- Server identity spoofing
- Key theft and impersonation
- Unauthorized access
- Compromised user credentials
- Compliance issues
To mitigate these risks it is important to:
- Generate strong keys, using strong cryptographic algorithms and key lengths when generating SSH host keys (for example ed25519, ECDSA on nistp256 or larger, or RSA of at least 2048 bits, as in the commands above)
- Rotate keys regularly, and distribute the new fingerprints to clients over a trusted channel
- Use a key management system
- Monitor SSH connections
- Disable weak algorithms
Item Details
Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SA-15, 800-53|SC-8, 800-53|SC-8(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4, CSCv7|16.5, CSCv7|18.5
Control ID: 5bf2c6927ba1001f5a4b02cb2263e93e2f61c23af16d29a2d17b24984c6fd808