Skip to content

Allow Only SSH Protocol 2

An XCCDF Rule

Description

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2

warning alert: Warning

As of openssh-server version 7.4 and above, the only protocol supported is version 2, and line
Protocol 2
in /etc/ssh/sshd_config is not necessary.

Rationale

SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

ID
xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
Severity
High
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Protocol")

Remediation - Ansible

- name: Find sshd_config included files
  shell: |-
    included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
    [[ -n $included_files ]] && ls $included_files || true
  register: sshd_config_included_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]