4.7.3.1 Ensure latest version of openssh is installed

Information

OpenSSH is the expected program for remote command line access. It provides encrypted protocols such as SSH and SCP/SFTP.

The recommended mechanism for remote access is to use encrypted protocols such as OpenSSH that are designed to prevent the interception of communications. OpenSSH is the standard replacement for clear-text protocols, such as Telnet and FTP.

Clear-text protocols can be snooped, exposing credentials and/or sensitive data to unauthorized parties. Additionally, servers that are configured with unique PKI keys can prevent host impersonation and assure remote hosts/users that they are communicating with the intended device.

Solution

Install OpenSSH version 9.2 (or later), depending on package source.

The current version available from IBM via AIX Web Download Pack Programs is 9.2.112.2400.

Impact:

OpenBSD maintains the OpenSSH project and regularly updates OpenSSH. The Major/Minor numbers OpenBSD publishes may be higher than the Major/Minor numbers an OS platform uses, due to differences in how they manage packages.

The current OpenBSD release is: OpenSSH 9.8, released July 01, 2024. IBM's policy is to stay at a constant level (currently 9.2) and maintain a more stable set of configuration keywords or feature set. OpenBSD never patches a release. Instead, OpenBSD releases a new version with the latest security fixes and/or feature changes. This means IBM does not automatically push OpenSSH feature changes, but does look at new OpenBSD releases and incorporates security fixes, if any.

The current OpenSSH version maintained by IBM is OpenSSH 9.2. The openssh fileset VRMF number should start with 9.2.
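One way to audit the fileset level on AIX, as an added example that is not part of the benchmark or of IBM's tooling: it parses `lslpp -Lqc` style output and checks that every openssh.base fileset is at 9.2 or later. It assumes the colon-separated layout with the fileset name in field 2 and the VRMF in field 3; the function name `check_openssh_level` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit openssh fileset levels from `lslpp -Lqc` style output.
# Assumption: colon-separated lines, fileset name in field 2, VRMF in field 3.
# On a live AIX host:  lslpp -Lqc 2>/dev/null | check_openssh_level

MIN_MAJOR=9   # minimum level taken from the recommendation (9.2 or later)
MIN_MINOR=2

# Reads lslpp lines on stdin, prints PASS/FAIL per openssh.base fileset.
# Returns 0 only if at least one fileset is present and all meet the minimum.
check_openssh_level() {
    awk -F: -v maj="$MIN_MAJOR" -v min="$MIN_MINOR" '
        $2 ~ /^openssh\.base\./ {
            seen++
            n = split($3, v, ".")
            wellformed = (n >= 2) && ($3 ~ /^[0-9]+(\.[0-9]+)+$/)
            # Compare numerically: a string compare would rank 9.10 below 9.2.
            newer = (v[1] + 0 > maj) || (v[1] + 0 == maj && v[2] + 0 >= min)
            ok = wellformed && newer
            if (!ok) bad++
            printf "%s %s %s\n", (ok ? "PASS" : "FAIL"), $2, $3
        }
        END {
            if (seen == 0) { print "FAIL openssh fileset not installed"; exit 1 }
            exit (bad > 0)
        }'
}

# Constructed sample lines (not captured from a real system).
SAMPLE_OK='openssh.base:openssh.base.client:9.2.112.2400: : :C: :Open Secure Shell Commands:
openssh.base:openssh.base.server:9.2.112.2400: : :C: :Open Secure Shell Server:'
SAMPLE_OLD='openssh.base:openssh.base.server:8.1.0.0: : :C: :Open Secure Shell Server:'
SAMPLE_NEWER='openssh.base:openssh.base.server:9.10.0.0: : :C: :Open Secure Shell Server:'
SAMPLE_NONE='bos.rte:bos.rte.shell:7.3.0.0: : :C: :Shells:'

printf '%s\n' "$SAMPLE_OK" | check_openssh_level
```

A missing fileset is reported as a failure rather than silently passing, since the control requires OpenSSH to be installed.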

See Also

https://workbench.cisecurity.org/benchmarks/10385

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7, 800-53|MA-4, CSCv7|9.2

Plugin: Unix

Control ID: 64802daca9f80fad02d9b0c2953494900b3cbd60348a4bae72d4127e3658be32