sshd - SSH daemon
The SSH daemon, sshd, provides secure, encrypted access to Linux servers.
Overview
The STIG has several requirements for ssh server configuration and these requirements are applied by default by the role. To opt out of or change these requirements, see the section under the ## ssh server (sshd) comment in defaults/main.yml.
Deviation for PermitRootLogin
There is one deviation from the STIG for the PermitRootLogin configuration option. The STIG requires that direct root logins are disabled, and this is the recommended setting for secure production environments. However, this can cause problems in some existing environments, so the default for the role is to set it to yes (direct root logins allowed).
STIG requirements
All of the tasks for these STIG requirements are included in tasks/rhel7stig/sshd.yml.
V-71939
Summary: The SSH daemon must not allow authentication using an empty password.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The PermitEmptyPasswords configuration will be set to no in /etc/ssh/sshd_config and sshd will be restarted. This disallows logins over ssh for users with an empty or null password set.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_empty_password: no
V-71957
Summary: The operating system must not allow users to override SSH environment variables.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The PermitUserEnvironment configuration is set to no in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_environment_override: no
V-71959
Summary: The operating system must not allow a non-certificate trusted host SSH logon to the system.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The HostbasedAuthentication configuration is set to no in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_host_based_auth: no
V-72221
Summary: A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The Ciphers configuration is set to aes128-ctr,aes192-ctr,aes256-ctr in /etc/ssh/sshd_config and sshd is restarted.
Deployers can change the list of ciphers by setting the following Ansible variable:
security_sshd_cipher_list: 'cipher1,cipher2,cipher3'
V-72225
Summary: The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The tasks in the security role deploy a standard notice and consent banner into /etc/motd on each server. Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux Enterprise display this banner after each successful login via ssh or the console.
Deployers can choose a different destination for the banner by setting the following Ansible variable:
security_sshd_banner_file: /etc/motd
The message is customized with the following Ansible variable:
security_login_banner_text: |
  ------------------------------------------------------------------------------
  *                                  WARNING                                   *
  * You are accessing a secured system and your actions will be logged along   *
  * with identifying information. Disconnect immediately if you are not an     *
  * authorized user of this system.                                            *
  ------------------------------------------------------------------------------
V-72235
Summary: All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The STIG has a requirement that the sshd daemon is running and enabled at boot time. The tasks in the security role ensure that these requirements are met.
Some deployers may not have sshd enabled on highly specialized systems and those deployers should opt out of this change by setting the following Ansible variable:
security_enable_sshd: no
Note
Setting security_enable_sshd to no causes the tasks to ignore the state of the service entirely. A setting of no does not stop or alter the sshd service.
V-72237
Summary: All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The ClientAliveInterval configuration is set to 600 in /etc/ssh/sshd_config and sshd is restarted.
Deployers can adjust the length of the interval by changing the following Ansible variable:
security_sshd_client_alive_interval: 600
Note
The STIG requires that ClientAliveInterval is set to 600 and ClientAliveCountMax is set to zero, which sets a 10 minute session timeout. If no data is transferred in a 10 minute period, the session is disconnected.
The ClientAliveInterval specifies how long (in seconds) the ssh daemon waits before it sends a message to the client to see if it is still alive. The ClientAliveCountMax specifies how many of these messages sshd sends without receiving a response before it disconnects the session.
Deployers should refer to V-72241 (All network connections associated with SSH traffic must terminate after a period of inactivity.) to customize the ClientAliveCountMax setting.
V-72239
Summary: The SSH daemon must not allow authentication using RSA rhosts authentication.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
This STIG is already applied by the changes for V-72249 (The SSH daemon must not allow authentication using known hosts authentication.).
V-72241
Summary: All network connections associated with SSH traffic must terminate after a period of inactivity.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The ClientAliveCountMax configuration is set to 0 in /etc/ssh/sshd_config and sshd is restarted.
Deployers can adjust the maximum number of client alive intervals by changing the following Ansible variable:
security_sshd_client_alive_count_max: 0
Note
The STIG requires that ClientAliveInterval is set to 600 and ClientAliveCountMax is set to zero, which sets a 10 minute session timeout. If no data is transferred in a 10 minute period, the session is disconnected.
The ClientAliveInterval specifies how long (in seconds) the ssh daemon waits before it sends a message to the client to see if it is still alive. The ClientAliveCountMax specifies how many of these messages sshd sends without receiving a response before it disconnects the session.
Deployers should refer to V-72237 (All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.) to customize the ClientAliveInterval setting.
V-72243
Summary: The SSH daemon must not allow authentication using rhosts authentication.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The IgnoreRhosts configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_rhosts_auth: no
V-72245
Summary: The system must display the date and time of the last successful account logon upon an SSH logon.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The PrintLastLog configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_print_last_log: no
V-72247
Summary: The system must not permit direct logons to the root account using remote access via SSH.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The PermitRootLogin configuration is set to no in /etc/ssh/sshd_config and sshd is restarted.
Deployers can select another setting for PermitRootLogin, from the available options without-password, prohibit-password, forced-commands-only, yes, or no, by setting the following variable:
security_sshd_permit_root_login: no
Warning
Ensure that a regular user account exists with a pathway to root access (preferably via sudo) before applying the security role. This configuration change disallows any direct logins with the root user.
V-72249
Summary: The SSH daemon must not allow authentication using known hosts authentication.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The IgnoreUserKnownHosts configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_known_hosts_auth: no
V-72251
Summary: The SSH daemon must be configured to only use the SSHv2 protocol.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The Protocol configuration is set to 2 in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_protocol: 2
Warning
There is no reason to enable any other protocol than SSHv2. SSHv1 has multiple vulnerabilities, and it is no longer widely used.
V-72253
Summary: The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The MACs configuration is set to hmac-sha2-256,hmac-sha2-512 in /etc/ssh/sshd_config and sshd is restarted.
Deployers can adjust the allowed Message Authentication Codes (MACs) by setting the following Ansible variable:
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512'
V-72255
Summary: The SSH public host key files must have mode 0644 or less permissive.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The permissions on ssh public host keys are set to 0644. If the existing permissions are more restrictive than 0644, the tasks do not make changes to the files.
V-72257
Summary: The SSH private host key files must have mode 0600 or less permissive.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The permissions on ssh private host keys are set to 0600. If the existing permissions are more restrictive than 0600, the tasks do not make changes to the files.
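The two host key controls above share one rule: bring a file down to the ceiling (0644 for public keys, 0600 for private keys) but never loosen a file that is already stricter. The following is an added example, not the role's own task code, that implements that rule as a bit-mask: every permission bit outside the ceiling is cleared and every bit inside it is kept, so 0640 stays 0640 while 0664 becomes 0644. The key file names and modes in demo() are constructed in a temporary directory for illustration.

```python
"""Tighten SSH host key file modes without loosening ones that are already stricter.

Added example; not part of the ansible-hardening role. It follows the rule this
page states for V-72255 and V-72257: public keys get at most 0644, private keys
at most 0600, and files that are already more restrictive are left untouched.
"""
import os
import stat
import tempfile

PUBLIC_MAX = 0o644   # ceiling for ssh_host_*_key.pub (V-72255)
PRIVATE_MAX = 0o600  # ceiling for ssh_host_*_key (V-72257)


def target_mode(current, ceiling):
    """Return the mode to apply for a file currently at `current`.

    Bits not allowed by the ceiling are cleared; bits already absent stay absent,
    so a file at or below the ceiling comes back unchanged.
    """
    return current & ceiling


def enforce_mode(path, ceiling):
    """Apply the ceiling to one file. Returns (old_mode, new_mode, changed)."""
    current = stat.S_IMODE(os.lstat(path).st_mode)
    wanted = target_mode(current, ceiling)
    if wanted != current:
        os.chmod(path, wanted)
    return current, wanted, wanted != current


def enforce_host_key_modes(ssh_dir):
    """Fix every ssh_host_*_key[.pub] file under ssh_dir and report what was done."""
    results = {}
    for name in sorted(os.listdir(ssh_dir)):
        if not name.startswith("ssh_host_") or "_key" not in name:
            continue
        ceiling = PUBLIC_MAX if name.endswith(".pub") else PRIVATE_MAX
        results[name] = enforce_mode(os.path.join(ssh_dir, name), ceiling)
    return results


def demo():
    """Create constructed key files with assorted modes in a temp dir and fix them."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: two files too loose, two already stricter than the ceiling.
        cases = {
            "ssh_host_rsa_key": 0o644,          # private key, too loose
            "ssh_host_rsa_key.pub": 0o664,      # public key, group-writable
            "ssh_host_ed25519_key": 0o400,      # private key, stricter than 0600
            "ssh_host_ed25519_key.pub": 0o444,  # public key, stricter than 0644
        }
        for name, mode in cases.items():
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return enforce_host_key_modes(d)


if __name__ == "__main__":
    for name, (old, new, changed) in demo().items():
        print(f"{name:28s} {old:04o} -> {new:04o} {'changed' if changed else 'kept'}")
```

Running the block prints one line per constructed file; only the two over-permissive files report "changed". Pointing enforce_host_key_modes() at /etc/ssh does the same for a real host, which is the check an auditor would run before and after the role.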
V-72259
Summary: The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The GSSAPIAuthentication setting is set to no to meet the requirements of the STIG.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_gssapi: no
V-72261
Summary: The SSH daemon must not permit Kerberos authentication unless needed.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The KerberosAuthentication configuration is set to no in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disable_kerberos_auth: no
V-72263
Summary: The SSH daemon must perform strict mode checking of home directory configuration files.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The StrictModes configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_strict_modes: no
V-72265
Summary: The SSH daemon must use privilege separation.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The UsePrivilegeSeparation configuration is set to sandbox in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_privilege_separation: no
Note
Although the STIG requires this setting to be yes, the sandbox setting actually provides more security because it enables privilege separation during the early authentication process.
V-72267
Summary: The SSH daemon must not allow compression or must only allow compression after successful authentication.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The Compression configuration is set to delayed in /etc/ssh/sshd_config and sshd is restarted.
Deployers can choose another option by setting the following Ansible variable:
security_sshd_compression: 'no'
Note
The following are the available settings for Compression in the ssh configuration file:
delayed: Compression is enabled after authentication.
no: Compression is disabled.
yes: Compression is enabled during authentication and during the session (not allowed by the STIG).
The delayed option balances security with performance and is an approved option in the STIG.
V-72289
Summary: The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
This control is implemented by the tasks for another control:
V-72303
Summary: Remote X connections for interactive users must be encrypted.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The X11Forwarding configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted.
Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_x11_forwarding: no
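Each control above names one sshd_config keyword and the value the role writes. An auditor verifying a host after the role has run wants a single check over the whole set rather than a grep per control, and the ClientAliveInterval/ClientAliveCountMax notes (V-72237 and V-72241) are easier to reason about when the implied idle timeout is computed. The following is an added example, not part of the ansible-hardening role or of OpenSSH: it parses an sshd_config the way sshd reads it (keywords are case-insensitive, the first occurrence of a keyword wins, and directives after the first Match line are conditional and so are ignored here), reports every deviation from the values this page lists, and computes the idle timeout. The expected values come from the page; the sample configuration is constructed and contains two deliberate deviations. One caveat from the OpenSSH 8.2 release notes that the page does not cover: from that version on, ClientAliveCountMax 0 disables connection killing entirely rather than dropping the session after the first unanswered probe; the RHEL 7 OpenSSH this page targets predates that change, and the timeout function follows the page's description.

```python
"""Audit an sshd_config against the settings described on this page.

Added example; not part of the ansible-hardening role. The expected values are
the ones the page lists per STIG ID; the sample config at the bottom is
constructed for the demo and is not a real server's configuration.
"""
import re
import sys

# Keyword and acceptable values per STIG ID, as listed on this page.
EXPECTED = {
    "V-71939": ("PermitEmptyPasswords", {"no"}),
    "V-71957": ("PermitUserEnvironment", {"no"}),
    "V-71959": ("HostbasedAuthentication", {"no"}),
    "V-72241": ("ClientAliveCountMax", {"0"}),
    "V-72243": ("IgnoreRhosts", {"yes"}),
    "V-72245": ("PrintLastLog", {"yes"}),
    "V-72247": ("PermitRootLogin", {"no"}),
    "V-72249": ("IgnoreUserKnownHosts", {"yes"}),
    "V-72251": ("Protocol", {"2"}),
    "V-72259": ("GSSAPIAuthentication", {"no"}),
    "V-72261": ("KerberosAuthentication", {"no"}),
    "V-72263": ("StrictModes", {"yes"}),
    "V-72265": ("UsePrivilegeSeparation", {"yes", "sandbox"}),  # page: sandbox is stricter
    "V-72267": ("Compression", {"no", "delayed"}),              # page: yes is not allowed
}
# Comma-separated algorithm lists: every configured entry must be approved.
APPROVED_LISTS = {
    "V-72221": ("Ciphers", {"aes128-ctr", "aes192-ctr", "aes256-ctr"}),
    "V-72253": ("MACs", {"hmac-sha2-256", "hmac-sha2-512"}),
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section of an sshd_config.

    Mirrors how sshd reads the file: blank lines and lines starting with '#' are
    skipped, keywords are case-insensitive, 'Key value' and 'Key=value' are both
    accepted, the first occurrence of a keyword wins, and parsing stops at the
    first Match block because those directives apply only conditionally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def idle_timeout_seconds(cfg):
    """Idle timeout implied by ClientAliveInterval and ClientAliveCountMax.

    Per the page, interval 600 with count 0 drops the session after 10 minutes
    without data, so a count of 0 behaves like 1 here. An interval of 0 means no
    probes are sent and therefore no idle timeout applies (returns None).
    """
    interval = int(cfg.get("clientaliveinterval", "0"))
    count = int(cfg.get("clientalivecountmax", "3"))
    if interval == 0:
        return None
    return interval * max(count, 1)


def audit(text):
    """Return a sorted list of (stig_id, keyword, finding) for every deviation."""
    cfg = parse_sshd_config(text)
    findings = []
    for stig_id, (keyword, allowed) in EXPECTED.items():
        actual = cfg.get(keyword.lower())
        if actual is None:
            findings.append((stig_id, keyword, "not set (compiled-in default applies)"))
        elif actual.lower() not in allowed:
            findings.append((stig_id, keyword, f"is {actual!r}, expected one of {sorted(allowed)}"))
    # V-72237: an interval above 600 s exceeds the STIG's 10 minute limit; 0 disables probes.
    interval = cfg.get("clientaliveinterval")
    if interval is None or not interval.isdigit() or not 0 < int(interval) <= 600:
        findings.append(("V-72237", "ClientAliveInterval", f"is {interval!r}, expected 1-600"))
    for stig_id, (keyword, approved) in APPROVED_LISTS.items():
        actual = cfg.get(keyword.lower())
        if actual is None:
            findings.append((stig_id, keyword, "not set (compiled-in default applies)"))
            continue
        bad = [a.strip() for a in actual.split(",") if a.strip() and a.strip() not in approved]
        if bad:
            findings.append((stig_id, keyword, f"contains non-approved entries {bad}"))
    return sorted(findings)


# Constructed sample: compliant except for a CBC cipher and PermitRootLogin yes.
SAMPLE_CONFIG = """\
# constructed sample sshd_config for the demo
Protocol 2
PermitEmptyPasswords no
PermitUserEnvironment no
HostbasedAuthentication no
Ciphers aes128-ctr,aes256-cbc
MACs hmac-sha2-256,hmac-sha2-512
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
PrintLastLog yes
PermitRootLogin yes
IgnoreUserKnownHosts yes
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
UsePrivilegeSeparation sandbox
Compression delayed
# a later duplicate is ignored: the first occurrence wins
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for stig_id, keyword, finding in audit(text):
        print(f"{stig_id} {keyword}: {finding}")
    print("idle timeout (s):", idle_timeout_seconds(parse_sshd_config(text)))
```

Run with a path argument to audit a real file (for example /etc/ssh/sshd_config); with no argument it audits the constructed sample and reports the two planted deviations. Because the role restarts sshd after writing the file, a clean audit of the file is the expected post-run state; comparing the result against the opt-out variables a deployer set explains any remaining findings.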