sshd - SSH daemon
The SSH daemon, sshd, provides secure, encrypted access to Linux servers.
Overview
The STIG has several requirements for ssh server configuration and these
requirements are applied by default by the role. To opt-out or change these
requirements, see the section under the ## ssh server (sshd) comment in
defaults/main.yml.
- Deviation for PermitRootLogin
There is one deviation from the STIG for the PermitRootLogin configuration
option. The STIG requires that direct root logins are disabled, and this is
the recommended setting for secure production environments. However, this can
cause problems in some existing environments and the default for the role is
to set it to yes (direct root logins allowed).
STIG requirements
All of the tasks for these STIG requirements are included in
tasks/rhel7stig/sshd.yml.
V-71939
Summary: The SSH daemon must not allow authentication using an empty password.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The PermitEmptyPasswords configuration will be set to no in
/etc/ssh/sshd_config and sshd will be restarted. This disallows logins over
ssh for users with an empty or null password set.
Deployers can opt-out of this change by setting the following Ansible variable:
security_sshd_disallow_empty_password: no
V-71957
Summary: The operating system must not allow users to override SSH environment variables.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The PermitUserEnvironment configuration is set to no in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_environment_override: no
V-71959
Summary: The operating system must not allow a non-certificate trusted host SSH logon to the system.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The HostbasedAuthentication configuration is set to no in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_host_based_auth: no
V-72221
Summary: A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The Ciphers configuration is set to aes128-ctr,aes192-ctr,aes256-ctr in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can change the list of ciphers by setting the following Ansible variable:
security_sshd_cipher_list: 'cipher1,cipher2,cipher3'
V-72225
Summary: The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The tasks in the security role deploy a standard notice and consent banner into
/etc/motd on each server. Ubuntu, CentOS, Red Hat Enterprise Linux,
openSUSE Leap and SUSE Linux Enterprise display this banner after each successful
login via ssh or the console.
Deployers can choose a different destination for the banner by setting the following Ansible variable:
security_sshd_banner_file: /etc/motd
The message is customized with the following Ansible variable:
security_login_banner_text: |
------------------------------------------------------------------------------
* WARNING *
* You are accessing a secured system and your actions will be logged along *
* with identifying information. Disconnect immediately if you are not an *
* authorized user of this system. *
------------------------------------------------------------------------------
V-72235
Summary: All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The STIG has a requirement that the sshd daemon is running and enabled at
boot time. The tasks in the security role ensure that these requirements are
met.
Some deployers may not have sshd enabled on highly specialized systems and
those deployers should opt out of this change by setting the following Ansible
variable:
security_enable_sshd: no
Note
Setting security_enable_sshd to no causes the tasks to ignore the
state of the service entirely. A setting of no does not stop or alter
the sshd service.
V-72237
Summary: All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The ClientAliveInterval configuration is set to 600 in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can adjust the length of the interval by changing the following Ansible variable:
security_sshd_client_alive_interval: 600
Note
The STIG requires that ClientAliveInterval is set to 600 and
ClientAliveCountMax is set to zero, which sets a 10 minute session
timeout. If no data is transferred in a 10 minute period, the session is
disconnected.
The ClientAliveInterval specifies how long the ssh daemon waits
before it sends a message to the client to see if it is still alive. The
ClientAliveCountMax specifies how many of these messages are sent
without receiving a response.
Deployers should refer to All network connections associated with SSH traffic must terminate after a period of inactivity. (V-72241) to customize the
ClientAliveCountMax setting.
V-72239
Summary: The SSH daemon must not allow authentication using RSA rhosts authentication.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
This STIG is already applied by the changes for V-72249 (The SSH daemon must not allow authentication using known hosts authentication).
V-72241
Summary: All network connections associated with SSH traffic must terminate after a period of inactivity.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The ClientAliveCountMax configuration is set to 0 in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can adjust the maximum number of client alive intervals by changing the following Ansible variable:
security_sshd_client_alive_count_max: 0
Note
The STIG requires that ClientAliveInterval is set to 600 and
ClientAliveCountMax is set to zero, which sets a 10 minute session
timeout. If no data is transferred in a 10 minute period, the session is
disconnected.
The ClientAliveInterval specifies how long the ssh daemon waits
before it sends a message to the client to see if it is still alive. The
ClientAliveCountMax specifies how many of these messages are sent
without receiving a response.
Deployers should refer to All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. (V-72237) to customize the
ClientAliveInterval setting.
V-72243
Summary: The SSH daemon must not allow authentication using rhosts authentication.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The IgnoreRhosts configuration is set to yes in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_rhosts_auth: no
V-72245
Summary: The system must display the date and time of the last successful account logon upon an SSH logon.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The PrintLastLog configuration is set to yes in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_print_last_log: no
V-72247
Summary: The system must not permit direct logons to the root account using remote access via SSH.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The PermitRootLogin configuration is set to no in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can select another setting for PermitRootLogin from the available
options (without-password, prohibit-password, forced-commands-only,
yes, or no) by setting the following variable:
security_sshd_permit_root_login: no
Warning
Ensure that a regular user account exists with a pathway to root access
(preferably via sudo) before applying the security role. This
configuration change disallows any direct logins with the root
user.
V-72249
Summary: The SSH daemon must not allow authentication using known hosts authentication.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The IgnoreUserKnownHosts configuration is set to yes in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_known_hosts_auth: no
V-72251
Summary: The SSH daemon must be configured to only use the SSHv2 protocol.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The Protocol configuration is set to 2 in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_protocol: 2
Warning
There is no reason to enable any other protocol than SSHv2. SSHv1 has multiple vulnerabilities, and it is no longer widely used.
V-72253
Summary: The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The MACs configuration is set to hmac-sha2-256,hmac-sha2-512 in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can adjust the allowed Message Authentication Codes (MACs) by setting the following Ansible variable:
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512'
V-72255
Summary: The SSH public host key files must have mode 0644 or less permissive.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The permissions on ssh public host keys are set to 0644. If the existing
permissions are more restrictive than 0644, the tasks do not make changes
to the files.
V-72257
Summary: The SSH private host key files must have mode 0600 or less permissive.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The permissions on ssh private host keys are set to 0600. If the existing
permissions are more restrictive than 0600, the tasks do not make changes
to the files.
V-72259
Summary: The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The GSSAPIAuthentication setting is set to no to meet the requirements
of the STIG.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_gssapi: no
V-72261
Summary: The SSH daemon must not permit Kerberos authentication unless needed.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The KerberosAuthentication configuration is set to no in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disable_kerberos_auth: no
V-72263
Summary: The SSH daemon must perform strict mode checking of home directory configuration files.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The StrictModes configuration is set to yes in /etc/ssh/sshd_config
and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_strict_modes: no
V-72265
Summary: The SSH daemon must use privilege separation.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The UsePrivilegeSeparation configuration is set to sandbox in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_privilege_separation: no
Note
Although the STIG requires this setting to be yes, the sandbox
setting actually provides more security because it enables privilege
separation during the early authentication process.
V-72267
Summary: The SSH daemon must not allow compression or must only allow compression after successful authentication.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The Compression configuration is set to delayed in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can choose another option by setting the following Ansible variable:
security_sshd_compression: 'no'
Note
The following are the available settings for Compression in the ssh
configuration file:
- delayed: Compression is enabled after authentication.
- no: Compression is disabled.
- yes: Compression is enabled during authentication and during the session (not allowed by the STIG).
The delayed option balances security with performance and is an
approved option in the STIG.
V-72289
Summary: The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
This control is implemented by the tasks for another control:
V-72303
Summary: Remote X connections for interactive users must be encrypted.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The X11Forwarding configuration is set to yes in
/etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_x11_forwarding: no
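The sshd_config settings described in the sections above can be audited offline, for example against a copy pulled from a host before or after the role runs. The script below is an added example and not part of the ansible-hardening role: it parses the global section using sshd's first-occurrence-wins rule, stops at the first Match block (whose directives are conditional and need a separate review), treats an absent keyword as a finding in the STIG's "must be explicitly set" style, and takes its expected values from this page; the sample configuration is constructed.

```python
import re
# Keyword, STIG id and accepted values, all taken from this page; '|' separates alternatives.
EXPECTED = {k.lower(): (s, set(v.split("|"))) for k, s, v in (
    ("PermitEmptyPasswords", "V-71939", "no"), ("PermitUserEnvironment", "V-71957", "no"),
    ("HostbasedAuthentication", "V-71959", "no"), ("ClientAliveInterval", "V-72237", "600"),
    ("ClientAliveCountMax", "V-72241", "0"), ("IgnoreRhosts", "V-72243", "yes"),
    ("PrintLastLog", "V-72245", "yes"), ("PermitRootLogin", "V-72247", "no"),
    ("IgnoreUserKnownHosts", "V-72249", "yes"), ("Protocol", "V-72251", "2"),
    ("GSSAPIAuthentication", "V-72259", "no"), ("KerberosAuthentication", "V-72261", "no"),
    ("StrictModes", "V-72263", "yes"), ("UsePrivilegeSeparation", "V-72265", "yes|sandbox"),
    ("Compression", "V-72267", "no|delayed"))}
# Algorithm lists (V-72221, V-72253): every configured entry must be FIPS-approved.
ALLOWED = {"ciphers": ("V-72221", {"aes128-ctr", "aes192-ctr", "aes256-ctr"}),
           "macs": ("V-72253", {"hmac-sha2-256", "hmac-sha2-512"})}

def parse_global(text):
    """Lower-cased keyword -> first value in the global section of sshd_config.
    sshd honours the FIRST occurrence of a keyword (case-insensitive, value after
    whitespace or '='); parsing stops at the first Match block, which is conditional."""
    seen = {}
    for raw in text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(.*)", raw.split("#", 1)[0].strip())
        if not m:                                  # blank or comment-only line
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        seen.setdefault(key, value)                # later duplicates are ignored
    return seen

def audit(text):
    """Return (STIG id, keyword, problem) tuples; an empty list means compliant."""
    cfg, findings = parse_global(text), []
    for key, (stig, ok) in EXPECTED.items():
        val = cfg.get(key)
        if val is None:                            # absent counts as a finding
            findings.append((stig, key, "not set"))
        elif val.lower() not in ok:
            findings.append((stig, key, f"{val!r} not in {sorted(ok)}"))
    for key, (stig, fips) in ALLOWED.items():
        val = cfg.get(key, "")
        if not val or val[0] in "+-^":             # +/-/^ edit sshd's default list
            findings.append((stig, key, "must be an explicit list"))
        elif bad := [a for a in val.split(",") if a.lower() not in fips]:
            findings.append((stig, key, f"non-approved entries {bad}"))
    return findings

# Constructed sample: duplicate PermitRootLogin (first wins), '+' cipher edit, Match block.
SAMPLE = "PermitRootLogin no\nPermitRootLogin yes\nCiphers +aes128-ctr\n" \
         "MACs hmac-sha2-256,hmac-sha2-512\nMatch User backup\n    Protocol 1\n"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source to compare against. Note that OpenSSH 8.2 and later disable the liveness check entirely when ClientAliveCountMax is 0, so the 10 minute timeout described under V-72241 holds for the OpenSSH versions shipped with RHEL 7, not for newer releases.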