ESXI-80-000209 The ESXi host Secure Shell (SSH) daemon must not permit tunnels.

Information

OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function can provide similar convenience to a virtual private network (VPN) with the similar risk of providing a path to circumvent firewalls and network Access Control Lists (ACLs).

Solution

From an ESXi shell, run the following command:

# esxcli system ssh server config set -k permittunnel -v no

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'permittunnel'
$arguments.value = 'no'
$esxcli.system.ssh.server.config.set.Invoke($arguments)

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y24M08_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-258764r959010_rule, STIG-ID|ESXI-80-000209, Vuln-ID|V-258764

Plugin: Unix

Control ID: b5a0e0fb1bd40aa70d19e94ac3b2809a0cfe5e68e2607a2299353b73129f90f2