4.2.2 Ensure permissions on SSH private host key files are configured

Information

An SSH private key is one of two files used in SSH public key authentication. In this authentication method, the possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.

If an unauthorized user obtains the private SSH host key file, the host could be impersonated

Solution

Run the following script to set mode, ownership, and group on the private SSH host key files:

#!/usr/bin/env bash

{
l_output="" l_output2=""
l_skgn="$(grep -Po -- '^(ssh_keys|_?ssh)b' /etc/group)" # Group designated to own openSSH keys
l_skgid="$(awk -F: '($1 == "'"$l_skgn"'"){print $3}' /etc/group)" # Get gid of group
if [ -n "$l_skgid" ]; then
l_agroup="(root|$l_skgn)" && l_sgroup="$l_skgn" && l_mfix="u-x,g-wx,o-rwx"
else
l_agroup="root" && l_sgroup="root" && l_mfix="u-x,go-rwx"
fi
if command -v ssh-keygen &>/dev/null; then
unset a_skarr && a_skarr=() # Clear and initialize array
if [ -d /etc/ssh ]; then
while IFS= read -r -d $'0' l_file; do # Loop to populate array
l_var="$(ssh-keygen -l -f 2>/dev/null "$l_file")"
if [ -n "$l_var" ] && ! grep -Pq -- 'h+noh+commentb' <<< "$l_var"; then
a_skarr+=("$(stat -Lc '%n^%#a^%U^%G^%g' "$l_file")")
fi
done < <(find -L /etc/ssh -xdev -type f -print0)
if (( ${#a_skarr[@]} > 0 )); then
while IFS="^" read -r l_file l_mode l_owner l_group l_gid; do
l_out2=""
[ "$l_gid" = "$l_skgid" ] && l_pmask="0137" || l_pmask="0177"
l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
if [ $(( $l_mode & $l_pmask )) -gt 0 ]; then
l_out2="$l_out2
- Mode: \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive
- Revoking excess permissions"
chmod "$l_mfix" "$l_file"
fi
if [ "$l_owner" != "root" ]; then
l_out2="$l_out2
- Owned by: \"$l_owner\" should be owned by \"root\"
- Changing ownership to \"root\""
chown root "$l_file"
fi
if [[ ! "$l_group" =~ $l_agroup ]]; then
l_out2="$l_out2
- Owned by group \"$l_group\" should be group owned by: \"${l_agroup//|/ or }\"
- Changing group ownership to \"$l_sgroup\""
chgrp "$l_sgroup" "$l_file"
fi
[ -n "$l_out2" ] && l_output2="$l_output2
- File: \"$l_file\"$l_out2"
done <<< "$(printf '%s
' "${a_skarr[@]}")"
else
l_output=" - No private keys found in \"/etc/ssh\""
fi
else
l_output="- ssh directory not found on the system"
fi
unset a_skarr
else
l_output2=" - ssh-keygen command not found
- manual remediation may be required"
fi
if [ -z "$l_output2" ]; then
echo -e "
- No access changes required
"
else
echo -e "
- Remediation results:
$l_output2
"
fi
}

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 25ca9cdd363c51bbcd41a977bc6e377f27369bf7548d4cdfcfa106f28405a2fa