Verify Permissions on SSH Server Private *_key Key Files

An XCCDF Rule

Description

SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. If those files are owned by the root user and the root group, they have to have the 0640 permission or stricter. If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter.

Rationale

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Severity: Medium
References: BP28(R36)

12 13 14 15 16 18 3 5

APO01.06 DSS05.04 DSS05.07 DSS06.02

3.1.13 3.13.10

CCI-000366

4.3.3.7.3

SR 2.1 SR 5.2

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CIP-003-8 R5.1.1 CIP-003-8 R5.3 CIP-004-6 R2.3 CIP-007-3 R2.1 CIP-007-3 R2.2 CIP-007-3 R2.3 CIP-007-3 R5.1 CIP-007-3 R5.1.1 CIP-007-3 R5.1.2

AC-17(a) AC-6(1) CM-6(a)

PR.AC-4 PR.DS-5

Req-2.2.4

2.2.6

SRG-OS-000480-GPOS-00227
Updated: about 1 year ago