OpenSSH Service Must Use Passcode for Their Private Keys

An XCCDF Rule

Description

Verify the SSH private key files have a passcode. For each private key stored on the system, use the following command:

$ sudo ssh-keygen -y -f /path/to/file

If the contents of the key are displayed without asking for a passphrase, this is a finding.
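The ssh-keygen -y check above has to be run interactively, one key at a time. As an added example (not part of the SSG rule or the SCAP Security Guide project's own checks), the Python script below inspects key files directly for the three encodings OpenSSH writes or accepts, so a whole tree can be triaged non-interactively: the OPENSSH PRIVATE KEY format records the cipher name in its header (the literal string none means no passphrase), legacy PEM keys carry a Proc-Type: 4,ENCRYPTED header when protected, and PKCS#8 keys say so in the BEGIN label. The sample key files it builds are constructed, structurally valid wrappers with dummy payloads, not real key material.

```python
"""Find SSH private key files stored without a passphrase (added example)."""
import base64
import binascii
import os
import re
import struct
import sys
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END", re.S)

# Constructed samples in the legacy PEM encoding (dummy payload, not real keys).
LEGACY_ENCRYPTED_SAMPLE = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           b"DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                           b"AAAA\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN_SAMPLE = b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire string: uint32 big-endian length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(data: bytes) -> str:
    """Return 'plaintext', 'encrypted' or 'unknown' for the contents of a key file."""
    m = PEM_RE.search(data.decode("ascii", errors="replace"))
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8, passphrase-protected
        return "encrypted"
    if label == "PRIVATE KEY":                    # PKCS#8, unprotected
        return "plaintext"
    if label == "OPENSSH PRIVATE KEY":            # cipher name sits right after the magic
        try:
            blob = base64.b64decode("".join(body.split()), validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown"
            cipher, _ = _ssh_string(blob, len(OPENSSH_MAGIC))
        except (binascii.Error, struct.error):
            return "unknown"
        return "plaintext" if cipher == b"none" else "encrypted"
    if label.endswith("PRIVATE KEY"):             # legacy PEM: RSA/DSA/EC PRIVATE KEY
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "plaintext"
    return "unknown"


def find_unprotected_keys(root: str) -> list:
    """Walk root and return sorted paths of private keys that have no passphrase."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(65536)      # headers of every supported format fit here
            except OSError:
                continue
            if b"PRIVATE KEY-----" in head and classify_private_key(head) == "plaintext":
                findings.append(path)
    return sorted(findings)


def build_openssh_sample(cipher: bytes) -> bytes:
    """Constructed sample: minimal openssh-key-v1 wrapper with a dummy body (not a usable key)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"dummy-public-key") + s(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


def demo_scan() -> list:
    """Write the constructed samples to a temp dir, scan it, return the flagged basenames."""
    samples = {
        "id_ed25519_plain": build_openssh_sample(b"none"),
        "id_ed25519_locked": build_openssh_sample(b"aes256-ctr"),
        "id_rsa_legacy_locked": LEGACY_ENCRYPTED_SAMPLE,
        "id_rsa_legacy_plain": LEGACY_PLAIN_SAMPLE,
        "id_ed25519_locked.pub": b"ssh-ed25519 AAAA constructed-sample\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return [os.path.basename(p) for p in find_unprotected_keys(d)]


if __name__ == "__main__":
    roots = sys.argv[1:] or [os.path.expanduser("~/.ssh"), "/etc/ssh"]
    hits = [p for r in roots for p in find_unprotected_keys(r)]
    for p in hits:
        print("FINDING: private key without passphrase:", p)
    sys.exit(1 if hits else 0)
```

Run it as root over the directories where keys live (for example `sudo python3 scan_keys.py /home /root /etc/ssh`); it exits non-zero when any finding exists, which makes it easy to wire into a scheduled compliance job. The format inspection only tells you whether encryption is declared in the file, so the rule's own `ssh-keygen -y -f` command remains the authoritative confirmation for any path it reports.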

Rationale

If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.

ID
xccdf_org.ssgproject.content_rule_ssh_private_keys_have_passcode
Severity
Medium