Skip to content

Enable Use of Strict Mode Checking

An XCCDF Rule

Description

SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config:

StrictModes yes

Rationale

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

ID
xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"

Remediation - Ansible

- name: Enable Use of Strict Mode Checking
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config