UCF STIG Viewer Logo

The SSH daemon must perform strict mode checking of home directory configuration files.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22485 GEN005536 SV-35137r1_rule ECLP-1 Medium
Description
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
STIG Date
HP-UX 11.31 Security Technical Implementation Guide 2018-09-14

Details

Check Text ( C-34995r1_chk )
Check the SSH daemon configuration. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword=StrictModes
arg(s)=yes

Default values include: "yes"

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | grep -i "StrictModes"

If the return value is no, this is a finding.
Fix Text (F-30289r1_fix)
Edit the SSH daemon configuration and add or edit the StrictModes setting value to yes.