4.2 Ensure valid public keys are installed

Information

Valid SSH public/private key pairs should be installed.
Rationale:
The most secure mechanism for management is to log in locally into the UNIX account that controls and maintains the server's environment with an SSH key and use the Command Line Interface (CLI) psql. SSH keys have other advantages too; it is simple to add and remove user authorization, it eliminates the redundant typing of passwords, and it enables administrating large number of servers from a centralized host using simple CLI scripts.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

For demonstration purposes, the following example highlights the various issues one must consider and is just one of many methods that can be used to install and use a public SSH key. It is recommended that a configuration management tool, such as Puppet, be used as part of a larger, and automated, provisioning process where there are many DBAs authorized to administrate multiple servers.
After creating your SSH public/private key pair, login as root on the PostgreSQL server and assign a temporary password to the postgres user account.
Copy the SSH public key from your key pair to the PostgreSQL server. This step will prompt you for the temporary password you set above:
ssh -copy -id -i $HOME/.ssh/id_rsa.pub postgres@<remote host>
Now that your SSH public key is in place, test that you can SSH to the PostgreSQL server without being prompted for a password:
ssh postgres@<remote host>
Upon successful login without being prompted for a password, one can now lock the postgres account to prevent future logins via password:
passwd -l postgres
New public keys can be added by editing the postgres account's authorization file directly:
ssh postgres@<remote host>
vim $HOME/.ssh/authorized_keys
Alternatively, another implementation would be to add the public key to one's own personal account on the remote host and then sudo into postgres. Added security is implied because you would need to supply your account password:
ssh -copy -id -i $HOME/.ssh/id_rsa.pub <remote host>
ssh <remote host>
sudo su - postgres

See Also

https://workbench.cisecurity.org/files/2234

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv6|3.4, CSCv7|4.5

Plugin: Unix

Control ID: 069fbb7bef2c5aeb17e14d196abe191c7e5b20447b863afa2a3c9553141588f9