RHEL 9 SSH daemon must disable remote X connections for interactive users.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258007	RHEL-09-255155	SV-258007r991589_rule		Medium

Description
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.

STIG	Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide	2024-06-04

Details

Check Text ( C-61748r952209_chk )
Verify the SSH daemon does not allow X11Forwarding with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 \| awk '/filename/ {print $4}' \| tr -d '\r' \| tr '\n' ' ' \| xargs sudo grep -iH '^\s*x11forwarding' X11forwarding no If the value is returned as "yes", the returned line is commented out, or no output is returned, and X11 forwarding is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Check Text ( C-61748r952209_chk )

Verify the SSH daemon does not allow X11Forwarding with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding'

X11forwarding no

If the value is returned as "yes", the returned line is commented out, or no output is returned, and X11 forwarding is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix Text (F-61672r943047_fix)
Configure the SSH daemon to not allow X11 forwarding. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": X11forwarding no The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service