UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

RHEL 8 must enforce SSHv2 for network access to all accounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-230501 RHEL-08-040060 SV-230501r599732_rule High
Description
A replay attack may enable an unauthorized user to gain access to RHEL 8. Authentication sessions between the authenticator and RHEL 8 validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 percent SSHv2 implementation since version 7.6 in late 2017 and dropped support of SSH protocol version 1. Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058
STIG Date
Red Hat Enterprise Linux 8 Security Technical Implementation Guide 2020-11-25

Details

Check Text ( C-33170r568249_chk )
Verify that RHEL 8 enforces SSH protocol 2 for network access.

Check the SSH version that RHEL 8 is using with the following command:

$ sudo yum list installed openssh

openssh.x86_64 8.0p1-3.el8

If the version of OpenSSH is newer than 7.6 the system is utilizing SSHv2 and is compliant.

If the version of OpenSSH is older than 7.6 or is a different SSH package, check the protocol versions that SSH allows with the following command:

$ sudo grep -i protocol /etc/ssh/sshd_config

Protocol 2

If the returned line allows for use of protocol "1", is commented out, or the line is missing, this is a finding.
Fix Text (F-33145r568250_fix)
Configure RHEL 8 to enforce SSHv2 for network access to all accounts via OpenSSH or by updating the SSH configuration to enforce SSHv2.

Install OpenSSH with the following command:

$ sudo yum -y install openssh.x86_64

or

Add or update the following line in the "/etc/ssh/sshd_config" file:

Protocol 2

Restart the ssh service.

$ sudo systemctl restart sshd.service