Systems using OpenSSH must be configured per site policy to only allow access by approved networks or hosts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-91209	SOL-11.1-030055	SV-101309r1_rule		Medium

Description
If ssh’s configuration file does not contain the appropriate rules for allowing and denying access to the system’s network resources, the system may be accessible to unauthorized hosts.

STIG	Date
Solaris 11 X86 Security Technical Implementation Guide	2019-09-24

Details

Check Text ( C-90363r1_chk )
Determine if OpenSSH is installed: For Solaris 11.3 use: # pkg list network/openssh For Solaris 11.4 and higher use: # pkg list network/ssh If the command output shows version 7 or higher, this check applies. Determine if /etc/ssh/sshd_config is configured to control ssh access. # grep "^Match Address" /etc/ssh/sshd_config If no output is produced, this is a finding. If there is output, review the address list. Ensure it conforms to organizational and mission requirements. If the address list is not configured to organizational standards, this is a finding. For example: Match Address *,!192.0.2.0/16. This blocks everything but the 192.0 network. # tail /etc/ssh/sshd_config At the end of the file, determine if the line following the "Match Address" is "MaxAuthTries 0". If the line is not following "Match Address" is not "MaxAuthTries" or does not have the value of 0 (zero), then this is a finding.

Check Text ( C-90363r1_chk )

Determine if OpenSSH is installed:

For Solaris 11.3 use:
# pkg list network/openssh

For Solaris 11.4 and higher use:
# pkg list network/ssh

If the command output shows version 7 or higher, this check applies. Determine if /etc/ssh/sshd_config is configured to control ssh access.

# grep "^Match Address" /etc/ssh/sshd_config

If no output is produced, this is a finding.

If there is output, review the address list.

Ensure it conforms to organizational and mission requirements.

If the address list is not configured to organizational standards, this is a finding. For example: Match Address *,!192.0.2.0/16. This blocks everything but the 192.0 network.

# tail /etc/ssh/sshd_config

At the end of the file, determine if the line following the "Match Address" is "MaxAuthTries 0".

If the line is not following "Match Address" is not "MaxAuthTries" or does not have the value of 0 (zero), then this is a finding.

Fix Text (F-97407r1_fix)
The root role is required. Modify the sshd_config file: # pfedit /etc/ssh/sshd_config Locate the bottom of the file. Insert or modify the lines: Match Address [blocked and permitted network address list here] MaxAuthTries 0 Restart the SSH service: # svcadm restart svc:/network/ssh Note: OpenSSH MaxAuthTries of 0 maps to immediate failure and this must follow the "Match Address" line with no lines below it.

Fix Text (F-97407r1_fix)

The root role is required.

Modify the sshd_config file:

# pfedit /etc/ssh/sshd_config

Locate the bottom of the file.

Insert or modify the lines:

Match Address [blocked and permitted network address list here]
MaxAuthTries 0

Restart the SSH service:

# svcadm restart svc:/network/ssh

Note: OpenSSH MaxAuthTries of 0 maps to immediate failure and this must follow the "Match Address" line with no lines below it.