Information
If remote logon through SSH is enabled, password-based authentication must be disabled for user logon.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000067-GPOS-00035,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000125-GPOS-00065,SRG-OS-000375-GPOS-00160
Solution
Configure the macOS system to disable password authentication for SSH with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk '1s/.*/Include /etc/ssh/sshd_config.d/*/' /etc/ssh/sshd_config
fi
echo 'passwordauthentication no' >> '${include_dir}01-mscp-sshd.conf'
echo 'kbdinteractiveauthentication no' >> '${include_dir}01-mscp-sshd.conf'
for file in $(ls ${include_dir}); do
if [[ '$file' == '100-macos.conf' ]]; then
continue
fi
if [[ '$file' == '01-mscp-sshd.conf' ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
Item Details
Category: IDENTIFICATION AND AUTHENTICATION, MAINTENANCE
References: 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(8), 800-53|IA-5(2)(b), 800-53|MA-4c., CAT|I, CCI|CCI-000186, CCI|CCI-000765, CCI|CCI-000766, CCI|CCI-000877, CCI|CCI-001941, CCI|CCI-004046, Rule-ID|SV-259477r986250_rule, STIG-ID|APPL-14-001150, Vuln-ID|V-259477
Control ID: 6aa310d5957ca6cc99d342786e27479540cd52eed8919e4a68c44a795830f022