SSH server uses strong entropy to seed
An XCCDF Rule
Description
To set up the SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains the line
SSH_USE_STRONG_RNG=32
Warning: This setting can cause problems on computers without a hardware random number generator, because insufficient entropy causes the connection to be blocked until enough entropy is available.
Rationale
The SSH implementation in Red Hat Enterprise Linux 9 uses the OpenSSL library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys and is used as plaintext padding and initialization vectors in encryption algorithms; high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.
- ID: xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
- Severity: Low
- Updated:
Remediation - Ansible
    - name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in '/etc/sysconfig/sshd'
      block:
      - name: Check for duplicate values
        lineinfile:
          path: /etc/sysconfig/sshd
          regexp: ^\s*SSH_USE_STRONG_RNG=
          state: absent
        check_mode: true
        changed_when: false
        register: dupes
Remediation - Shell Script
    # Remediation is applicable only in certain platforms (not inside containers)
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
      if [ -e "/etc/sysconfig/sshd" ] ; then
        # Drop every existing assignment so the value cannot be duplicated or overridden
        LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd"
      else
        touch "/etc/sysconfig/sshd"
      fi
      printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
    fi
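The remediation above edits the live file in place, which needs root, and gives no way to confirm the result. What follows is an added example, not part of the SCAP Security Guide content, that factors the same logic into an audit function and an idempotent remediation function that take the file path as a parameter, so both can be exercised on a scratch copy. Beyond the page's script it also handles a file whose last line lacks a trailing newline (a plain append would glue the new assignment onto that line) and, for the warning above, includes a helper that reports whether the kernel has an active hardware RNG by reading /sys/class/misc/hw_random/rng_current. The sample file contents and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not SSG content): audit and idempotent remediation of the
# SSH_USE_STRONG_RNG assignment in a sysconfig-style file. The path is a
# parameter so the functions can be run on a scratch copy without root.

RNG_KEY="SSH_USE_STRONG_RNG"
RNG_VALUE="32"

# audit_strong_rng FILE
# Succeeds only if exactly one active (uncommented) assignment exists and it
# sets the required value. Commented-out lines do not count as configuration.
audit_strong_rng() {
    file="$1"
    [ -r "$file" ] || return 1
    # grep -c prints 0 but exits 1 when nothing matches; keep the count.
    count=$(LC_ALL=C grep -c "^[[:space:]]*${RNG_KEY}[[:space:]]*=" "$file" || true)
    [ "$count" -eq 1 ] || return 1
    LC_ALL=C grep -q "^[[:space:]]*${RNG_KEY}[[:space:]]*=[[:space:]]*${RNG_VALUE}[[:space:]]*$" "$file"
}

# remediate_strong_rng FILE
# Remove every existing assignment (duplicates and wrong values alike), make
# sure the file ends with a newline, then append the required line exactly once.
remediate_strong_rng() {
    file="$1"
    if [ -e "$file" ]; then
        LC_ALL=C sed -i "/^[[:space:]]*${RNG_KEY}[[:space:]]*=/d" "$file"
        # Without this, a last line lacking '\n' would absorb the appended text.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            printf '\n' >> "$file"
        fi
    else
        touch "$file"
    fi
    printf '%s=%s\n' "$RNG_KEY" "$RNG_VALUE" >> "$file"
}

# hwrng_present [SYSFS_FILE]
# The page's warning concerns hosts without a hardware RNG. The kernel exposes
# the active hwrng device name in /sys/class/misc/hw_random/rng_current and
# writes "none" when no device is bound; a missing file (hw_random class not
# loaded) is treated the same as no device. The path argument exists for tests.
hwrng_present() {
    f="${1:-/sys/class/misc/hw_random/rng_current}"
    [ -r "$f" ] || return 1
    cur=$(cat "$f")
    [ -n "$cur" ] && [ "$cur" != "none" ]
}

# Demonstration on a constructed scratch file: a commented hint, a weak value
# and a duplicate, which is exactly the state the audit has to reject.
demo_strong_rng() {
    tmp=$(mktemp)
    printf '%s\n' '# SSH_USE_STRONG_RNG=32' 'SSH_USE_STRONG_RNG=8' 'SSH_USE_STRONG_RNG=32' > "$tmp"
    if audit_strong_rng "$tmp"; then before=pass; else before=fail; fi
    remediate_strong_rng "$tmp"
    if audit_strong_rng "$tmp"; then after=pass; else after=fail; fi
    echo "audit before=$before after=$after"
    cat "$tmp"
    rm -f "$tmp"
}

demo_strong_rng
```

Run as a normal user to see the scratch-file demonstration. To apply it to a host, call remediate_strong_rng /etc/sysconfig/sshd as root and then restart sshd: on RHEL the sshd service unit loads that file as an environment file, so a changed value only reaches the daemon after a restart.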