Verify Permissions on SSH Server Private *_key Key Files

An XCCDF Rule

Description

SSH server private keys, the files matching the /etc/ssh/*_key glob, must have restricted permissions. If those files are owned by the root user and the root group, they must have permissions of 0600 or stricter. If they are owned by the root user but by the dedicated ssh_keys group, they may have permissions of 0640 or stricter.

Rationale

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

ID
xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Severity
Medium
References
Updated



Remediation - Puppet

include ssh_private_key_perms

class ssh_private_key_perms {
  exec { 'sshd_priv_key':
    command => "chmod 0640 /etc/ssh/*_key",
    path    => '/bin:/usr/bin'
  }
}

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-010490
  - NIST-800-171-3.1.13

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

for keyfile in /etc/ssh/*_key; do
    test -f "$keyfile" || continue
    if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then
        chmod u-xs,g-xwrs,o-xwrt "$keyfile"   # root:root -> 0600 or stricter
    elif test root:ssh_keys = "$(stat -c "%U:%G" "$keyfile")"; then
        chmod u-xs,g-xws,o-xwrt "$keyfile"    # root:ssh_keys -> 0640 or stricter
    fi
done

fi
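The rule text and the shell remediation above together define the check: ownership decides which mode mask applies (0600 for root:root, 0640 for root:ssh_keys), and a file is compliant only when it sets no permission bit outside that mask. The following audit helper is an added example, not part of the SSG rule or its remediations; it reports findings instead of changing modes, so it can be run before a remediation to see what would be touched. It assumes GNU stat (as the remediation itself does) and a POSIX sh; the function names oct2dec, key_mode_ok and audit_ssh_keys are this example's own.

```shell
#!/bin/sh
# Added audit helper (not part of the SSG rule or its remediation content).
# It implements the two ownership cases the rule describes:
#   root:root     -> mode must be 0600 or stricter
#   root:ssh_keys -> mode must be 0640 or stricter
# Any other owner/group combination is reported as a finding.

# oct2dec OCTAL_STRING: portable octal-to-decimal (POSIX sh has no 8# base prefix)
oct2dec() {
    n=0; s=$1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}          # first character of the remaining string
        s=${s#?}                 # drop it
        n=$(( n * 8 + d ))
    done
    echo "$n"
}

# key_mode_ok OWNER:GROUP OCTAL_MODE -> exit 0 when compliant, 1 otherwise
key_mode_ok() {
    case "$1" in
        root:root)     allowed=0600 ;;
        root:ssh_keys) allowed=0640 ;;
        *)             return 1 ;;
    esac
    # "Stricter or equal" means no bit is set outside the allowed mask; this also
    # catches setuid/setgid/sticky bits (e.g. 4600), which the remediation strips.
    extra=$(( $(oct2dec "$2") & ~$(oct2dec "$allowed") ))
    [ "$extra" -eq 0 ]
}

# audit_ssh_keys [DIR]: print one line per non-compliant *_key file; return 1 if any.
audit_ssh_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    for keyfile in "$dir"/*_key; do
        [ -f "$keyfile" ] || continue
        og=$(stat -c '%U:%G' "$keyfile")
        mode=$(stat -c '%a' "$keyfile")
        if ! key_mode_ok "$og" "$mode"; then
            printf 'FINDING: %s owned by %s with mode %s\n' "$keyfile" "$og" "$mode"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit_ssh_keys            (scans /etc/ssh; exit status 1 on any finding)
```

Because the comparison is a bitmask test rather than a string equality, a key at 0400 owned by root:root passes (it is stricter than 0600), while 0640 on a root:root key fails even though the same mode would pass for root:ssh_keys.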