4.2.2 Ensure access to SSH key files is configured

Information

Two files are used in SSH public key authentication. In this authentication method:

- The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.
- A public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully.

If a public host key file is modified by an unauthorized user, the SSH service may be compromised. If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Solution

Run the following script to set mode, ownership, and group on the SSH key files:

#!/usr/bin/env bash

{
   l_output="" l_output2="" l_count="0"
   if command -v ssh-keygen &>/dev/null; then
      if [ -d /etc/ssh ]; then
         l_ssh_key_group_name="$(grep -Po -- '^(ssh_keys|_?ssh)\b' /etc/group)" # Group designated to own openSSH keys
         f_key_fix()
         {
            while IFS=: read -r l_mode l_owner l_group; do
               if [ "$l_key_type" = "public" ]; then
                  # Public key: at most 0644, owned by root:root
                  l_pmask="0133" && l_mode_fix="u-x,go-wx"
                  l_auth_group="root" && l_group_fix="root"
               else
                  # Private key: at most 0640 if group-owned by the SSH key group, otherwise at most 0600
                  if [ "$l_ssh_key_group_name" = "$l_group" ]; then
                     l_pmask="0137" && l_mode_fix="u-x,g-wx,o-rwx"
                  else
                     l_pmask="0177" && l_mode_fix="u-x,go-rwx"
                  fi
                  if [ -n "$l_ssh_key_group_name" ]; then
                     l_auth_group="(root|$l_ssh_key_group_name)" && l_group_fix="$l_ssh_key_group_name"
                  else
                     l_auth_group="root" && l_group_fix="root"
                  fi
               fi
               if [ "$l_owner" != "root" ]; then
                  echo -e "\n - $l_key_type key file: \"$l_file\" - Owned by: \"$l_owner\" changing owner to: \"root\""
                  chown root "$l_file"
               fi
               if [[ ! "$l_group" =~ $l_auth_group ]]; then
                  echo -e "\n - $l_key_type key file: \"$l_file\"\n - Owned by group \"$l_group\" changing group owner to: \"$l_group_fix\""
                  chgrp "$l_group_fix" "$l_file"
               fi
               l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
               # Any bit set in both the current mode and the mask is an excessive permission
               if [ $(( $l_mode & $l_pmask )) -gt 0 ]; then
                  echo -e "\n - $l_key_type key file: \"$l_file\"\n - Mode: \"$l_mode\" removing excessive permissions"
                  chmod "$l_mode_fix" "$l_file"
               fi
            done < <(stat -Lc '%#a:%U:%G' "$l_file")
         }
         while IFS= read -r -d $'\0' l_file; do # Loop over every regular file under /etc/ssh
            if ssh-keygen -l -f "$l_file" &>/dev/null; then # Only files ssh-keygen recognises as keys
               (( l_count++ ))
               if grep -Pq -- '\.pub$' <<< "$l_file"; then
                  l_key_type="public"
               else
                  l_key_type="private"
               fi
               f_key_fix
            fi
         done < <(find /etc/ssh -xdev -type f -print0)
         [ "$l_count" = "0" ] && echo " - No ssh keys found in \"/etc/ssh\""
      else
         echo " - ssh directory: \"/etc/ssh\" not found on the system"
      fi
   else
      echo -e " - ssh-keygen command not found\n - manual remediation may be required"
   fi
}
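
The remediation script above changes files in place. As an added, audit-only counterpart (not part of the benchmark or its remediation script), the following bash script applies the same rules without modifying anything: the permission-mask arithmetic is isolated in check_key_perms so it can be reasoned about on its own, and audit_ssh_key_dir walks a directory and reports every key file that would fail the control. Function names, the --audit flag and the file name used in the usage comment are assumptions made for this example; the directory defaults to /etc/ssh and the key group is looked up the same way the remediation script does it.

```bash
#!/usr/bin/env bash
# Added audit-only example (not the benchmark's own script).
# Usage (assumed file name): bash audit_ssh_keys.sh --audit [/etc/ssh]

# Return 0 if mode/owner/group are acceptable for a key of the given type, else 1.
# Arguments: key_type (public|private) mode (octal, e.g. 0644) owner group key_group (may be empty)
# Each failing property is printed on its own line.
check_key_perms() {
    local key_type="$1" mode="$2" owner="$3" group="$4" key_group="$5"
    local pmask auth_group_re rc=0
    if [ "$key_type" = "public" ]; then
        pmask="0133"                      # maximum 0644, must be root:root
        auth_group_re="^root$"
    else
        if [ -n "$key_group" ] && [ "$group" = "$key_group" ]; then
            pmask="0137"                  # maximum 0640 when group-owned by the SSH key group
        else
            pmask="0177"                  # maximum 0600 otherwise
        fi
        if [ -n "$key_group" ]; then
            auth_group_re="^(root|$key_group)$"
        else
            auth_group_re="^root$"
        fi
    fi
    if [ "$owner" != "root" ]; then
        echo "owner is \"$owner\", expected root"; rc=1
    fi
    if [[ ! "$group" =~ $auth_group_re ]]; then
        echo "group is \"$group\", expected to match $auth_group_re"; rc=1
    fi
    # Leading zero makes bash treat the values as octal; any overlap with the mask is excessive
    if [ $(( mode & pmask )) -ne 0 ]; then
        printf 'mode %s exceeds maximum %04o\n' "$mode" $(( 0777 & ~pmask )); rc=1
    fi
    return $rc
}

# Walk a directory (default /etc/ssh) and report every key file failing the check.
# Returns 0 when all key files pass, 1 when at least one fails. Uses GNU stat/grep.
audit_ssh_key_dir() {
    local dir="${1:-/etc/ssh}" key_group="${2:-}"
    local file key_type mode owner group reasons failures=0
    [ -z "$key_group" ] && key_group="$(grep -Po -- '^(ssh_keys|_?ssh)\b' /etc/group 2>/dev/null)"
    while IFS= read -r -d '' file; do
        ssh-keygen -l -f "$file" &>/dev/null || continue   # skip files that are not keys
        case "$file" in *.pub) key_type="public" ;; *) key_type="private" ;; esac
        IFS=: read -r mode owner group < <(stat -Lc '%#a:%U:%G' "$file")
        if ! reasons="$(check_key_perms "$key_type" "$mode" "$owner" "$group" "$key_group")"; then
            printf -- '- %s key file "%s":\n%s\n' "$key_type" "$file" "$reasons"
            (( failures++ ))
        fi
    done < <(find "$dir" -xdev -type f -print0 2>/dev/null)
    return $(( failures > 0 ))
}

if [ "${1:-}" = "--audit" ]; then
    audit_ssh_key_dir "${2:-/etc/ssh}"
fi
```

Because check_key_perms takes its inputs as arguments, the mask logic can be exercised against constructed values (a private key at 0640 fails unless its group is the SSH key group, a public key at 0664 fails because group write is set) before the scanner is run against a live /etc/ssh.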

Impact:

Incorrectly configured access to the SSH key files may prevent the ssh daemon from starting, preventing remote access to the system.

See Also

https://workbench.cisecurity.org/benchmarks/15023

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: ff6868cdfdd58719d7317c40965b5e67d372d34f6502839406abfc874bae1c1c