UCF STIG Viewer Logo

The SSH daemon must be configured to only use the SSHv2 protocol.


Overview

Finding ID Version Rule ID IA Controls Severity
GEN005500-ESXI5-9990 GEN005500-ESXI5-9990 GEN005500-ESXI5-9990_rule High
Description
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. Permanent not a finding - v2 is used.
STIG Date
VMware ESXi v5 Security Technical Implementation Guide 2013-01-15

Details

Check Text ( C-GEN005500-ESXI5-9990_chk )
Disable lock down mode.
Enable the ESXi Shell.

Check the SSH daemon configuration for required protocol. # grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v '^#'

Re-enable lock down mode.

If no lines are returned, or the returned protocol list contains anything except 2, this is a finding.
Fix Text (F-GEN005500-ESXI5-9990_fix)
Disable lock down mode.
Enable the ESXi Shell.

Edit the SSH daemon configuration and add/modify the "Protocol" configuration for Protocol 2 only.
# vi /etc/ssh/sshd_config

Re-enable lock down mode.