UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The SSH daemon must use privilege separation.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22486 GEN005537 SV-35139r1_rule ECLP-1 Medium
Description
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
STIG Date
HP-UX 11.23 Security Technical Implementation Guide 2015-06-12

Details

Check Text ( C-34999r1_chk )
Check the SSH daemon configuration. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword=UsePrivilegeSeparation
arg(s)=yes

Default values include: "yes"

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | grep -i "UsePrivilegeSeparation"

If the return value is no, this is a finding.
Fix Text (F-30291r1_fix)
Edit the SSH daemon configuration and add or edit the UsePrivilegeSeparation setting value to yes.