UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

AIX must setup SSH daemon to disable revoked public keys.


Overview

Finding ID Version Rule ID IA Controls Severity
V-91549 AIX7-00-002110 SV-101647r1_rule Medium
Description
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2019-04-29

Details

Check Text ( C-90703r3_chk )
If public keys are not used for SSH authentication, this is Not Applicable.

Run the following command:

# grep "^RevokedKeys" /etc/ssh/sshd_config
RevokedKeys /etc/ssh/RevokedKeys.txt

If the command does not find the "RevokedKeys" setting, or the value for "RevokedKeys" is set to "none", this is a finding.
Fix Text (F-97747r1_fix)
Obtain the file that contains all the public keys that need to be revoked from ISSO/SA and save the file in /etc/ssh/ directory.

Edit the "/etc/ssh/sshd_config" file to allow "RevokedKeys" to point to the revoked key file obtained above.

Restart the SSH daemon:
# stopsrc -s sshd
# startsrc -s sshd