Enable Public Key Authentication
An XCCDF Rule
Description
Enable SSH login with public keys.
The default SSH configuration enables authentication based on public keys: if PubkeyAuthentication is not set anywhere, sshd falls back to its compiled-in default, so the option is effectively enabled.
To explicitly enable Public Key Authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
    PubkeyAuthentication yes
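The drop-in's name and the position of the Include line matter because OpenSSH applies the first value it reads for a keyword: a hardening file included at the top of sshd_config and sorting first in sshd_config.d wins, while the same file included after a conflicting line loses. The resolver below, an added example that is not part of the SCAP content or ComplianceAsCode's own code, reimplements that first-value-wins rule in POSIX sh over a constructed sample tree; Match blocks are not modelled, and on a real host `sshd -T` is the authoritative check.

```shell
# Resolve the value sshd would use for KEYWORD, starting from CONFIG_FILE.
# Mirrors OpenSSH's rules: comments and blank lines are skipped, keywords are
# case-insensitive, "Key value" and "Key=value" are both accepted, Include
# directives are expanded in place (glob matches in sorted order), and the
# FIRST value encountered wins. Returns 1 if the keyword is never set, in which
# case sshd's compiled-in default applies (yes for PubkeyAuthentication).
effective_sshd_value() {
    config_file=$1
    keyword=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -f "$config_file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}          # drop leading whitespace
        case $line in ''|'#'*) continue ;; esac       # skip blanks and comments
        key=$(printf '%s' "${line%%[[:space:]=]*}" | tr '[:upper:]' '[:lower:]')
        rest=${line#*[[:space:]=]}
        rest=${rest#"${rest%%[![:space:]]*}"}
        if [ "$key" = include ]; then
            # Unquoted expansion globs and sorts like sshd's glob(3); the $() recursion runs in a subshell
            for inc in $rest; do
                if value=$(effective_sshd_value "$inc" "$keyword"); then
                    printf '%s\n' "$value"
                    return 0
                fi
            done
        elif [ "$key" = "$keyword" ]; then
            printf '%s\n' "$rest"
            return 0
        fi
    done < "$config_file"
    return 1
}

# Constructed sample tree (not a real host). The hardening drop-in says yes,
# a later-sorting local drop-in and the main file both say no; only the
# position of the Include line differs between the two main files.
demo_effective_value() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sshd_config.d"
    printf 'PubkeyAuthentication yes\n' > "$tmp/sshd_config.d/00-complianceascode-hardening.conf"
    printf 'PubkeyAuthentication no\n' > "$tmp/sshd_config.d/50-local.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPubkeyAuthentication no\n' "$tmp" > "$tmp/include_first"
    printf 'PubkeyAuthentication no\nInclude %s/sshd_config.d/*.conf\n' "$tmp" > "$tmp/include_last"
    printf '# nothing set here\n' > "$tmp/unset"
    first=$(effective_sshd_value "$tmp/include_first" PubkeyAuthentication)
    last=$(effective_sshd_value "$tmp/include_last" PubkeyAuthentication)
    none=$(effective_sshd_value "$tmp/unset" PubkeyAuthentication || echo default)
    rm -rf "$tmp"
    printf '%s %s %s\n' "$first" "$last" "$none"   # yes no default
}
```

Running `demo_effective_value` shows that the hardening value survives only when the drop-in directory is included before the conflicting line in the main file, which is why the 00- prefix and an Include near the top of sshd_config both matter.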
Rationale
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
ID: xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
Severity: Medium
Remediation - Ansible
    - name: Enable Public Key Authentication
      block:
        # Remove any existing PubkeyAuthentication lines from the main config
        # so that the value in the hardening drop-in is the only one sshd reads
        - name: Deduplicate values from /etc/ssh/sshd_config
          lineinfile:
            path: /etc/ssh/sshd_config
Remediation - Shell Script
    # Remediation is applicable only in certain platforms
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
        mkdir -p /etc/ssh/sshd_config.d
        touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
        # Write the setting from the Description into the hardening drop-in (skip if already present)
        grep -qi '^PubkeyAuthentication' /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf || echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    fi