Skip to content

Verify Group Ownership on SSH Server Private *_key Key Files

An XCCDF Rule

Description

SSH server private keys, files that match the /etc/ssh/*_key glob, must be group-owned by ssh_keys group.

Rationale

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

ID
xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex '^.*_key$' -exec chgrp ssh_keys {} \;

else

Remediation - Ansible

- name: Find /etc/ssh/ file(s) matching ^.*_key$
  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex "^.*_key$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false