SSH client uses strong entropy to seed (for CSH like shells)
An XCCDF Rule
Description
To set up SSH client to use entropy from a high-quality source, make sure
that the appropriate shell environment variable is configured. The
SSH_USE_STRONG_RNG environment variable determines how many bytes
of entropy to use. Make sure that the file
/etc/profile.d/cc-ssh-strong-rng.csh contains line
setenv SSH_USE_STRONG_RNG 32.
Rationale
Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.
- ID
- xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# put line into the file
echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
Remediation - Ansible
- name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh
lineinfile:
path: /etc/profile.d/cc-ssh-strong-rng.csh
regexp: ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$
line: setenv SSH_USE_STRONG_RNG 32
state: present