Verify Ownership on SSH Server Private *_key Key Files
An XCCDF Rule
Description
SSH server private keys, files that match the /etc/ssh/*_key
glob, must be owned
by root
user.
Rationale
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
- ID
- xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
- Severity
- Medium
- Updated
Remediation - Ansible
- name: Find /etc/ssh/ file(s) matching ^.*_key$
command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*_key$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*_key$' -exec chown 0 {} \;
else