5.1.3 Ensure permissions on SSH public host key files are configured

Information

An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully.

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Solution

Run the following script to set mode, ownership, and group on the public SSH host key files:

#!/usr/bin/env bash

{
a_output=(); a_output2=()
l_pmask="0133"; l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
f_file_access_fix()
{
while IFS=: read -r l_file_mode l_file_owner l_file_group; do
a_out2=()
[ $(( $l_file_mode & $l_pmask )) -gt 0 ] &&
a_out2+=(" Mode: \"$l_file_mode\" should be mode: \"$l_maxperm\" or more restrictive"
" updating to mode: \"$l_maxperm\"") && chmod u-x,go-wx "$l_file"
[ "$l_file_owner" != "root" ] &&
a_out2+=(" Owned by: \"$l_file_owner\" should be owned by \"root\""
" Changing ownership to \"root\"") && chown root "$l_file"
[ "$l_file_group" != "root" ] &&
a_out2+=(" Owned by group \"$l_file_group\" should be group owned by: \"root\""
" Changing group ownership to \"root\"") && chgrp root "$l_file"
if [ "${#a_out2[@]}" -gt "0" ]; then
a_output2+=(" - File: \"$l_file\"" "${a_out2[@]}")
else
a_output+=(" - File: \"$l_file\""
" Correct: mode: \"$l_file_mode\", owner: \"$l_file_owner\", and group owner: \"$l_file_group\" configured")
fi
done < <(stat -Lc '%#a:%U:%G' "$l_file")
}
while IFS= read -r -d $'0' l_file; do
if ssh-keygen -lf &amp;>/dev/null "$l_file"; then
file "$l_file" | grep -Piq -- 'bopensshh+([^#
r]+h+)?publich+keyb' &amp;&amp; f_file_access_fix
fi
done < <(find -L /etc/ssh -xdev -type f -print0 2>/dev/null)
if [ "${#a_output2[@]}" -le "0" ]; then
printf '%s
' "" " - No access changes required" ""
else
printf '%s
' " - Remediation results:" "${a_output2[@]}" ""
fi
}

See Also

https://workbench.cisecurity.org/benchmarks/18959

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: ebc464b2a052f6a3d91c9fd00b1520e3039f3f93c28710283a7af320587f3616