5.3.29 Ensure SSH Protocol is set to 2

Information

The Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.

Rationale:

SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227

Solution

Remove all Protocol lines that reference version '1' in '/etc/ssh/sshd_config' (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The 'Protocol' line must be as follows:

Protocol 2

The SSH service must be restarted for changes to take effect

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-5(1)(c), CCI|CCI-000197, CCI|CCI-000366, CSCv7|4.5, CSCv7|14.4, Rule-ID|SV-204594r603261_rule, STIG-ID|RHEL-07-040390

Plugin: Unix

Control ID: 84bd6a2535a1f8e43c68b1a5d73b37560325326067a69f7799a571e29e6101a9