Allow Only SSH Protocol 2

An XCCDF Rule

Description

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2

warning alert: Warning

As of openssh-server version 7.4 and above, the only protocol supported is version 2, and line

Protocol 2

in /etc/ssh/sshd_config is not necessary.

Rationale

SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

ID: xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
Severity: High
References: NT007(R1)

1 12 15 16 5 8

5.5.6

APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10

3.1.13 3.5.4

CCI-000197 CCI-000366

164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

0487 1449 1506

A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3

CIP-003-8 R4.2 CIP-007-3 R5.1 CIP-007-3 R7.1

AC-17(2) AC-17(a) CM-6(a) IA-5(1)(c) MA-4(6) SC-13

PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.PT-4

SRG-OS-000074-GPOS-00042 SRG-OS-000480-GPOS-00227
Updated: about 1 year ago

- name: Allow Only SSH Protocol 2
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config      create: true
      regexp: (?i)^\s*Protocol\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*Protocol\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*Protocol\s+
      line: Protocol 2
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.6
  - NIST-800-171-3.1.13
  - NIST-800-171-3.5.4
  - NIST-800-53-AC-17(2)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(c)
  - NIST-800-53-MA-4(6)
  - NIST-800-53-SC-13
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - restrict_strategy
  - sshd_allow_only_protocol2

Allow Only SSH Protocol 2

Description

Rationale

Remediation - Ansible