Allow Only SSH Protocol 2
An XCCDF Rule
Description
Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2
Warning: As of openssh-server version 7.4 and above, the only protocol supported is version 2, and the line Protocol 2 in /etc/ssh/sshd_config is not necessary.

Rationale
SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
ID: xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
Severity: High
References:
Updated:
Remediation - Shell Script

```bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    # Strip any search characters in the key arg so that the key can be replaced without
    # adding any search characters to the config file.
    stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Protocol")
    # The remainder of the upstream remediation script is not reproduced on this page.
fi
```
Remediation - Ansible

```yaml
- name: Find sshd_config included files
  shell: |-
    included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
    [[ -n $included_files ]] && ls $included_files || true
  register: sshd_config_included_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
```
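As an added example (not part of this rule's content or the SSG project's own scripts), the following POSIX shell audit resolves the effective Protocol value the way sshd does, first occurrence wins, descending into Include directives as the Ansible task above does, and applies the version 7.4 cutoff from the warning. The config file, its drop-in directory and the version strings are constructed samples; the include base directory is a parameter so the sample runs outside /etc/ssh.

```shell
# Print the effective Protocol value of sshd_config $1: sshd keeps the first
# value it reads, and Include files are read at the point of the directive. $2
# is the directory relative Include paths resolve against (sshd uses /etc/ssh).
effective_protocol() {
    cfg=$1; base=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        set -- $line                          # split into keyword + arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case $key in
            protocol) printf '%s\n' "$2"; return 0 ;;
            include)
                shift
                for inc in "$@"; do
                    case $inc in /*) ;; *) inc="$base/$inc" ;; esac
                    for f in $inc; do         # unquoted on purpose: expand globs
                        [ -f "$f" ] || continue
                        v=$(effective_protocol "$f" "$base") && { printf '%s\n' "$v"; return 0; }
                    done
                done ;;
        esac
    done < "$cfg"
    return 1                                  # no Protocol directive found
}

# Return 0 when the config satisfies the rule for openssh-server version $3:
# 7.4 and later only speak protocol 2 (the keyword is ignored), so they pass;
# older servers must resolve to exactly "Protocol 2".
protocol2_compliant() {
    major=${3%%.*}; rest=${3#*.}; minor=${rest%%[!0-9]*}
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 4 ]; }; then
        return 0
    fi
    [ "$(effective_protocol "$1" "$2")" = "2" ]
}

# Constructed sample: an included drop-in re-enables protocol 1 before the main
# file's "Protocol 2", so the later line never takes effect on a pre-7.4 server.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sshd_config.d"
printf 'Protocol 1,2\n' > "$demo_dir/sshd_config.d/10-legacy.conf"
printf 'Include sshd_config.d/*.conf\nProtocol 2\n' > "$demo_dir/sshd_config"
for ver in 6.6p1 7.4p1; do
    if protocol2_compliant "$demo_dir/sshd_config" "$demo_dir" "$ver"; then
        echo "openssh-server $ver: PASS"
    else
        echo "openssh-server $ver: FAIL (effective Protocol '$(effective_protocol "$demo_dir/sshd_config" "$demo_dir")')"
    fi
done
```

Running it shows the same file passing on 7.4p1 and failing on 6.6p1, because the drop-in's "1,2" is the first value sshd would read.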