Allow Only SSH Protocol 2

An XCCDF Rule

Description

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2

Warning

As of openssh-server version 7.4 and above, the only protocol supported is version 2, and the line "Protocol 2" in /etc/ssh/sshd_config is not necessary.
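The check described above, written out as a small evaluation script (an added example, not part of the rule's own check or remediation content). It reads an sshd_config file the way sshd does (keyword case-insensitive, first occurrence wins, "2,1" still permits version 1) and reports "absent" separately, since a missing directive is only safe on openssh-server 7.4 and above. The sample configs are constructed for the example.

```shell
#!/bin/sh
# Evaluate the effective "Protocol" directive of an sshd_config file.
# Prints: pass   - only protocol 2 is allowed
#         fail   - protocol 1 is allowed (e.g. "1", "2,1", "1,2")
#         absent - no Protocol directive; acceptable only on openssh >= 7.4
check_ssh_protocol() {
    cfg="$1"
    # sshd keywords are case-insensitive and the first occurrence of a
    # keyword wins, so later "Protocol 2" lines do not override an earlier one.
    value=$(grep -i '^[[:space:]]*Protocol[[:space:]]' "$cfg" \
            | head -n 1 | awk '{print $2}')
    case "$value" in
        "") echo absent ;;
        2)  echo pass ;;
        *)  echo fail ;;
    esac
}

# Constructed sample configs (not real system files) to exercise the check.
tmp=$(mktemp -d)
printf '# Protocol 1\nPort 22\nProtocol 2\n' > "$tmp/good"   # comment is ignored
printf 'protocol 2,1\nProtocol 2\n' > "$tmp/bad"            # first match allows v1
printf 'Port 22\n' > "$tmp/absent"                          # directive missing
check_ssh_protocol "$tmp/good"
check_ssh_protocol "$tmp/bad"
check_ssh_protocol "$tmp/absent"
rm -rf "$tmp"
```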

Rationale

SSH protocol version 1 is an insecure implementation of the SSH protocol with many well-known, exploitable vulnerabilities. Exploitation of the SSH daemon could provide immediate root access to the system.

ID
xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
Severity
High

Remediation - Ansible

- name: Allow Only SSH Protocol 2
  block:

  # First task of the block: look for existing Protocol directives (any case,
  # any value) without modifying the file, so duplicates can be handled before
  # the correct "Protocol 2" line is written.
  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*Protocol\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Protocol")

# Replace an existing Protocol line (whatever its value) with "Protocol 2",
# or append the directive if the file does not set it at all.
if grep -q "^\s*${stripped_key}\s" /etc/ssh/sshd_config; then
    sed -i "s/^\s*${stripped_key}\s.*/${stripped_key} 2/" /etc/ssh/sshd_config
else
    echo "${stripped_key} 2" >> /etc/ssh/sshd_config
fi

fi