UCF STIG Viewer Logo

The SSH daemon must be configured to only use the SSHv2 protocol.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4295 GEN005500 SV-63543r1_rule High
Description
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
STIG Date
Oracle Linux 5 Security Technical Implementation Guide 2020-02-25

Details

Check Text ( C-52213r1_chk )
Locate the sshd_config file:
# more /etc/ssh/sshd_config

Examine the file. If the variables 'Protocol 2,1' or 'Protocol 1' are defined on a line without a leading comment, this is a finding.

If the SSH server is F-Secure, the variable name for SSH 1 compatibility is 'Ssh1Compatibility', not 'protocol'. If the variable 'Ssh1Compatiblity' is set to 'yes', then this is a finding.
Fix Text (F-54157r2_fix)
Edit the sshd_config file and set the "Protocol" setting to "2".

If using the F-Secure SSH server, set the "Ssh1Compatibility" setting to "no".

Restart the SSH daemon.
# /sbin/service sshd restart