3.7.2.9 /etc/ssh/sshd_config

Information

The /etc/ssh/sshd_config file defines SSH server behavior.

Rationale:

The SSH daemon reads the configuration information from this file and includes the authentication mode and cryptographic levels to use during SSH communication.

Impact:

Some organizations feel all configuration information for OpenSSH server must be confidential - and many other benchmarks recommend exclusive root access to the file /etc/ssh/sshd_config. This configuration will work UNLESS sftp access is required by non-root users.

Non-root users (when mode is octal 0600) cannot load_server_config and the connection closes even though authentication succeeded.

Jun 25 14:42:45 x071 auth|security:info sshd[12255378]: Accepted password for michael from 192.168.129.65 port 32810 ssh2

Jun 25 14:42:45 x071 auth|security:info sftp-server[7077962]: session opened for local user michael from [192.168.129.65]

Jun 25 14:42:45 x071 auth|security:debug sftp-server[7077962]: debug2: load_server_config: filename /etc/ssh/sshd_config

Jun 25 14:42:45 x071 auth|security:info sshd[8847468]: Received disconnect from 192.168.129.65 port 32810:11: disconnected by user

Jun 25 14:42:45 x071 auth|security:info sshd[8847468]: Disconnected from user michael 192.168.129.65 port 32810

This is what is needed for the sftp-server to start:

Jun 25 14:45:10 x071 auth|security:info sshd[7077994]: Accepted password for michael from 192.168.129.65 port 32812 ssh2

Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: session opened for local user michael from [192.168.129.65]

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: load_server_config: filename /etc/ssh/sshd_config

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: load_server_config: done config len = 288

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: parse_server_config: config /etc/ssh/sshd_config len 288

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:34 setting SyslogFacility AUTH

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:36 setting LogLevel INFO

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:114 setting Banner /etc/banner

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:117 setting Subsystem sftpt/usr/sbin/sftp-server -l DEBUG3 -f AUTH

Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: received client version 3

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: request 0: realpath

Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: realpath '.'

Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug1: request 0: sent names count 1

The recommendation is to stay with the default file mode (octal 0644) unless site policy requires octal 0600 AND it is acceptable that sftp will not function.

Choosing octal 0600 is considered a Level 2 recommendation

Solution

Change the permissions of the /etc/ssh/sshd_config file to ensure all accounts can read the file but only the owner (root) can modify it:

chmod u=rw,go=r /etc/ssh/sshd_config

Default Value:

644

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 79854d2c901b80e9241e5679ab55c2c76644782519ad17c9a7bf83ab240b2209