Disable PubkeyAuthentication Authentication

An XCCDF Rule

Description

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms. To disable PubkeyAuthentication authentication, add or correct the following line in /etc/ssh/sshd_config:

PubkeyAuthentication no

Rationale

PubkeyAuthentication authentication is used to provide additional authentication mechanisms to applications. Allowing PubkeyAuthentication authentication through SSH allows users to generate their own authentication tokens, increasing the attack surface of the system.

ID: xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
Severity: Medium
Updated: over 1 year ago

Remediation Templates

- name: Disable PubkeyAuthentication Authentication
  block:
  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true      regexp: (?i)^\s*PubkeyAuthentication\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*PubkeyAuthentication\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*PubkeyAuthentication\s+
      line: PubkeyAuthentication no
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_pubkey_auth

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
else    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "PubkeyAuthentication no" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable PubkeyAuthentication Authentication

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script