The TOSS SSH public host key files must have mode 0644 or less permissive.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253108	TOSS-04-040670	SV-253108r991589_rule		Medium

Description
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

STIG	Date
Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide	2024-05-30

Details

Check Text ( C-56561r824994_chk )
Verify the SSH public host key files have mode "0644" or less permissive with the following command: $ sudo ls -l /etc/ssh/*.pub -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub If any key.pub file has a mode more permissive than "0644", this is a finding. Note: SSH public key files may be found in other directories on the system depending on the installation.

Check Text ( C-56561r824994_chk )

Verify the SSH public host key files have mode "0644" or less permissive with the following command:

$ sudo ls -l /etc/ssh/*.pub

-rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub
-rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub

If any key.pub file has a mode more permissive than "0644", this is a finding.

Note: SSH public key files may be found in other directories on the system depending on the installation.

Fix Text (F-56511r824995_fix)
Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: $ sudo chmod 0644 /etc/ssh/*key.pub The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service