Skip to content

SSH server uses strong entropy to seed

An XCCDF Rule

Description

To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains line

SSH_USE_STRONG_RNG=32

warning alert: Warning

This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available.

Rationale

SSH implementation in Oracle Linux 8 uses the openssl library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors in encryption algorithms, and high-quality entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.

ID
xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
Severity
Low
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/sysconfig/sshd" ] ; then
    
    LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd"

Remediation - Ansible

- name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in
    '/etc/sysconfig/sshd'
  block:

  - name: Check for duplicate values
    lineinfile: