Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4295 | GEN005500 | SV-45997r1_rule | DCPP-1 ECSC-1 | High |
Description |
---|
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. |
STIG | Date |
---|---|
SUSE Linux Enterprise Server v11 for System z | 2012-12-13 |
Check Text ( C-43280r1_chk ) |
---|
Locate the sshd_config file: # more /etc/ssh/sshd_config Examine the file. If the variables 'Protocol 2,1’ or ‘Protocol 1’ are defined on a line without a leading comment, this is a finding. If the SSH server is F-Secure, the variable name for SSH 1 compatibility is ‘Ssh1Compatibility’, not ‘protocol’. If the variable ‘Ssh1Compatiblity’ is set to ‘yes’, then this is a finding. |
Fix Text (F-39363r1_fix) |
---|
Edit the sshd_config file and set the "Protocol" setting to "2". If using the F-Secure SSH server, set the "Ssh1Compatibility" setting to "no". |