GEN005501-ESXI5-9778 - The SSH client must be configured to only use the SSHv2 protocol.

Information

SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH client could provide access to the system with the privileges of the user running the client.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Disable lock down mode.
Enable the ESXi Shell.

Edit the SSH client configuration and add/modify the 'Protocol' configuration for Protocol 2 only.
# vi /etc/ssh/ssh_config

Re-enable lock down mode.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39414, Rule-ID|SV-250590r798769_rule, STIG-ID|GEN005501-ESXI5-9778, STIG-Legacy|SV-51272, STIG-Legacy|V-39414, Vuln-ID|V-250590

Plugin: VMware

Control ID: 9f3df5b2b0530bef69a526177d36cfc4f8033ab30e044d65e6b3afeeda2c086e