Detections
Analytics

4.2.3 Ensure permissions on SSH public host key files are configured

Information

An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully.

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Solution

Run the following script to set mode, ownership, and group on the public SSH host key files:

#!/usr/bin/env bash

{
 l_output="" l_output2=""
 l_skgn="$(grep -Po -- '^(ssh_keys|_?ssh)b' /etc/group)" # Group designated to own openSSH keys
 l_skgid="$(awk -F: '($1 == "'"$l_skgn"'"){print $3}' /etc/group)" # Get gid of group
 l_mfix="u-x,go-wx"
 if command -v ssh-keygen &>/dev/null; then
 unset a_skarr && a_skarr=() # Clear and initialize array
 if [ -d /etc/ssh ]; then
 while IFS= read -r -d $'0' l_file; do # Loop to populate array
 if grep -Pq -- 'h+noh+commentb' <<< "$(ssh-keygen -l -f 2>/dev/null "$l_file")"; then
 a_skarr+=("$(stat -Lc '%n^%#a^%U^%G^%g' "$l_file")")
 fi
 done < <(find -L /etc/ssh -xdev -type f -print0)
 if (( ${#a_skarr[@]} > 0 )); then
 while IFS="^" read -r l_file l_mode l_owner l_group l_gid; do
 l_out2=""
 l_pmask="0133"
 l_maxperm="$( printf '%o' $(( 0777 &amp; ~$l_pmask )) )"
 if [ $(( $l_mode &amp; $l_pmask )) -gt 0 ]; then
 l_out2="$l_out2
 - Mode: \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive
 - Revoking excess permissions"
 chmod "$l_mfix" "$l_file"
 fi
 if [ "$l_owner" != "root" ]; then
 l_out2="$l_out2
 - Owned by: \"$l_owner\" should be owned by \"root\"
 - Changing ownership to \"root\""
 chown root "$l_file"
 fi
 if [[ ! "$l_group" =~ $l_agroup ]]; then
 l_out2="$l_out2
 - Owned by group \"$l_group\" should be group owned by: \"${l_agroup//|/ or }\"
 - Changing group ownership to \"$l_sgroup\""
 chgrp "$l_sgroup" "$l_file"
 fi
 [ -n "$l_out2" ] &amp;&amp; l_output2="$l_output2
 - File: \"$l_file\"$l_out2"
 done <<< "$(printf '%s
' "${a_skarr[@]}")"
 else
 l_output=" - No public keys found in \"/etc/ssh\""
 fi
 else
 l_output="- ssh directory not found on the system"
 fi
 unset a_skarr
 else
 l_output2=" - ssh-keygen command not found
 - manual remediation may be required"
 fi
 if [ -z "$l_output2" ]; then
 echo -e "
- No access changes required
"
 else
 echo -e "
- Remediation results:
$l_output2
"
 fi
}

See Also

https://workbench.cisecurity.org/benchmarks/15965

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|5.1

Plugin: Unix

Control ID: 8cccd759aea5a6ecfcd1d4692e6d11e4d1e06bd0882e69b3dd02cacb726c768e