4.2.10 Ensure SSH PermitUserEnvironment is disabled

Information

The PermitUserEnvironment option allows users to present environment options to the ssh daemon.

Permitting users to set environment variables through the SSH daemon could allow them to bypass security controls (e.g. setting an execution path that causes ssh to execute trojan'd programs).

Solution

Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitUserEnvironment parameter as follows:

PermitUserEnvironment no

Run the following command to comment out any PermitUserEnvironment parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no:

# grep -Pi '^\h*PermitUserEnvironment\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri "/^\s*PermitUserEnvironment\s+/s/^/# /" "$(awk -F: '{print $1}' <<< "$l_out")"; done
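The grep above matches every entry textually, but sshd itself applies only the first occurrence of a keyword, so a "yes" that precedes a "no" still wins; on a live host the effective value is shown by `sshd -T`. As an added example (not part of the benchmark text), the following offline check parses sshd_config text from stdin with first-match semantics; it assumes the caller concatenates the files in the order sshd reads them (the sshd_config.d/*.conf files first when their Include sits at the top of sshd_config).

```shell
#!/bin/sh
# Added example, not the benchmark's own code: audit PermitUserEnvironment
# in sshd_config text read from stdin, mirroring how sshd parses it.

# Print the value sshd applies globally. sshd keeps the FIRST occurrence of a
# keyword, so "PermitUserEnvironment yes" followed by "... no" yields "yes".
# Keywords are case-insensitive and may be written "Key value" or "Key=value".
# Entries inside Match blocks are conditional and skipped here; default is "no".
pue_effective_value() {
    awk '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        line == "" { next }
        { split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { in_match = 1; next }
        in_match { next }
        key == "permituserenvironment" && !found { found = 1; val = tolower(f[2]) }
        END { print (found ? val : "no") }
    '
}

# Print every PermitUserEnvironment entry (Match blocks included) whose value
# is not "no", as "<line number>: <line>" -- the entries the benchmark
# remediation would comment out. Prints nothing when compliant.
pue_noncompliant_entries() {
    awk '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        line == "" { next }
        { split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "permituserenvironment" && tolower(f[2]) != "no" {
            printf "%d: %s\n", NR, $0
        }
    '
}

# Audit: exit 0 only if the global value is "no" and no conditional
# (Match block) entry enables the option either.
pue_audit() {
    cfg=$(cat)
    value=$(printf '%s\n' "$cfg" | pue_effective_value)
    bad=$(printf '%s\n' "$cfg" | pue_noncompliant_entries)
    [ "$value" = "no" ] && [ -z "$bad" ]
}

# Usage on a host: cat /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config | pue_audit
```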

See Also

https://workbench.cisecurity.org/benchmarks/12705

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: 588d635e9b2f7c29ffc2d7498c0da4e6f5193e54f71a75b5498365254d9f1d1d