SSH client uses strong entropy to seed (Bash-like shells)
An XCCDF Rule
Description
To set up SSH client to use entropy from a high-quality source, make sure
that the appropriate shell environment variable is configured. The
SSH_USE_STRONG_RNG environment variable determines how many bytes
of entropy to use. Make sure that the file
/etc/profile.d/cc-ssh-strong-rng.sh contains line
export SSH_USE_STRONG_RNG=32.
Rationale
Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.
- ID
- xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# put line into the file
echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
Remediation - Ansible
- name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh
lineinfile:
path: /etc/profile.d/cc-ssh-strong-rng.sh
regexp: ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$
line: export SSH_USE_STRONG_RNG=32
state: present