RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644" or less permissive.

STIG ID: RHEL-10-700500  |  SRG: SRG-OS-000445-GPOS-00199 |  Severity: medium (CAT II)  |  CCI: CCI-002696 |  Vulnerability Id: V-281253

Vulnerability Discussion

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Check

Verify RHEL 10 SSH public host key files have a mode of "0644" or less permissive with the following command:

Note: SSH public key files may be found in other directories on the system depending on the installation.

$ sudo stat -c "%a %n" /etc/ssh/*.pub
644 /etc/ssh/ssh_host_dsa_key.pub
644 /etc/ssh/ssh_host_ecdsa_key.pub
644 /etc/ssh/ssh_host_ed25519_key.pub
644 /etc/ssh/ssh_host_rsa_key.pub

If any "key.pub" file has a mode more permissive than "0644", this is a finding.

Fix

Configure RHEL 10 SSH public host key files to have mode "0644" or less permissive.

Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:

$ sudo chmod 0644 /etc/ssh/*key.pub

Restart the SSH daemon with the following command for the changes to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.