
The SSH daemon must be configured to use SAF keyrings for key storage.


Overview

Finding ID: V-69237
Version: ZSSH0050
Rule ID: SV-83859r1_rule
IA Controls:
Severity: Medium
Description
The use of SAF Key Rings for key storage enforces organizational access control policies and assures the protection of cryptographic keys in storage.
STIG: z/OS ACF2 STIG
Date: 2019-12-12

Details

Check Text ( C-70111r1_chk )
Locate the SSH daemon configuration file.
It may be found in the /etc/ssh/ directory.
Alternatively, from the UNIX System Services ISPF Shell, navigate to the ribbon and select Tools, then select option 1 - Work with Processes.

If the SSH daemon is not active, there is no finding.

Examine the file.
Ensure the following are either not coded or commented out:
#HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

Locate the z/OS-specific sshd server system-wide configuration file, zos_sshd_config.

It may be found in the /etc/ssh/ directory.

Ensure that a HostKeyRingLabel line is coded and not commented out.

If either of the above is not true, this is a finding.
Fix Text (F-75867r1_fix)
Configure the SSH daemon configuration file with the following statements.

Ensure that the following are either not coded or commented out:
#HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

Configure zos_sshd_config with the HostKeyRingLabel statement.

Example:
HostKeyRingLabel="SSHDAEM/SSHDring my label"
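As an added example that is not part of the STIG text, the following POSIX shell script automates both conditions of this check (no active HostKey file statements in sshd_config, an active HostKeyRingLabel in zos_sshd_config) against local copies of the two files. The file paths and the sample contents used when running it are assumptions.

```shell
#!/bin/sh
# Added check for ZSSH0050 (not part of the STIG text). Paths are assumptions.
# Usage: sh zssh0050.sh /etc/ssh/sshd_config /etc/ssh/zos_sshd_config
# Exit status: 0 = no finding, 1 = finding (reasons are printed).

# Count active (uncommented) statements for a keyword. Both files accept
# "Keyword value" and "Keyword=value", and sshd keywords are case-insensitive;
# the trailing [[:space:]=] stops "HostKey" from also matching "HostKeyRingLabel".
count_active() {
    grep -Eic "^[[:space:]]*$1[[:space:]=]" "$2" 2>/dev/null || true
}

check_saf_keyring() {
    sshd_cfg=$1
    zos_cfg=$2
    rc=0
    for f in "$sshd_cfg" "$zos_cfg"; do
        if [ ! -r "$f" ]; then
            echo "FINDING: cannot read $f"
            return 1
        fi
    done
    # Condition 1: no active HostKey file statements in sshd_config.
    hostkeys=$(count_active HostKey "$sshd_cfg")
    if [ "$hostkeys" -gt 0 ]; then
        echo "FINDING: $hostkeys active HostKey file statement(s) in $sshd_cfg:"
        grep -Ei "^[[:space:]]*HostKey[[:space:]=]" "$sshd_cfg"
        rc=1
    fi
    # Condition 2: an active HostKeyRingLabel statement in zos_sshd_config.
    labels=$(count_active HostKeyRingLabel "$zos_cfg")
    if [ "$labels" -eq 0 ]; then
        echo "FINDING: no active HostKeyRingLabel statement in $zos_cfg"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: sshd host keys come from the SAF key ring named in $zos_cfg"
    fi
    return "$rc"
}

# Run directly when given both paths; when sourced, the functions stay available.
if [ $# -eq 2 ]; then
    check_saf_keyring "$1" "$2"
fi
```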