Harden SSH client Crypto Policy
An XCCDF Rule
Description
Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.
To override the system wide crypto policy for Openssh client, place a file in the /etc/ssh/ssh_config.d/ so that it is loaded before the 05-redhat.conf. In this case it is file named 02-ospp.conf containing parameters which need to be changed with respect to the crypto policy.
This rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.
During the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.
Rationale
The Common Criteria requirements specify how certain parameters for OpenSSH Client are configured. Particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
- ID
- xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
#the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy
file="/etc/ssh/ssh_config.d/02-ospp.conf"
echo -e "Match final all\n\
RekeyLimit 512M 1h\n\
GSSAPIAuthentication no\n\