4.2.3 Ensure permissions on SSH public host key files are configured

Information

An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully.

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Solution

Run the following script to set mode, ownership, and group on the public SSH host key files:

#!/usr/bin/env bash

{
l_pmask="0133"
l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
awk '{print}' <<< "$(find -L /etc/ssh -xdev -type f -exec stat -Lc "%n %#a %U %G" {} +)" | (while read -r l_file l_mode l_owner l_group; do
if file "$l_file" | grep -Pq ':h+OpenSSHh+(H+h+)?publich+keyb'; then
echo -e " - Checking private key file: \"$l_file\""
if [ $(( $l_mode &amp; $l_pmask )) -gt 0 ]; then
echo -e " - File: \"$l_file\" is mode \"$l_mode\" changing to mode: \"$l_maxperm\""
chmod u-x,go-wx "$l_file"
fi
if [ "$l_owner" != "root" ]; then
echo -e " - File: \"$l_file\" is owned by: \"$l_owner\" changing owner to \"root\""
chown root "$l_file"
fi
if [ "$l_group" != "root" ]; then
echo -e " - File: \"$l_file\" is owned by group \"$l_group\" changing to group \"root\""
chgrp "root" "$l_file"
fi
fi
done
)
}

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|5.1

Plugin: Unix

Control ID: eb7ae63df7742dde06c2777852d5819e207d7d7b37a70935f36738b11485b100