5.2.3 Ensure permissions on SSH public host key files are configured
Audit#
Run the following command and verify Access does not grant write or execute permissions to group or other for all returned files:
Example output:
File: ‘/etc/ssh/ssh_host_rsa_key.pub’
Size: 382 Blocks: 8 IO Block: 4096 regular file
Device: ca01h/51713d Inode: 8631758 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-10-22 18:24:56.861750616 +0000
Modify: 2018-10-22 18:24:56.861750616 +0000
Change: 2018-10-22 18:24:56.881750616 +0000
Birth: -
File: ‘/etc/ssh/ssh_host_ecdsa_key.pub’
Size: 162 Blocks: 8 IO Block: 4096 regular file
Device: ca01h/51713d Inode: 8631761 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-10-22 18:24:56.897750616 +0000
Modify: 2018-10-22 18:24:56.897750616 +0000
Change: 2018-10-22 18:24:56.917750616 +0000
Birth: -
File: ‘/etc/ssh/ssh_host_ed25519_key.pub’
Size: 82 Blocks: 8 IO Block: 4096 regular file
Device: ca01h/51713d Inode: 8631763 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-10-22 18:24:56.945750616 +0000
Modify: 2018-10-22 18:24:56.945750616 +0000
Change: 2018-10-22 18:24:56.961750616 +0000
Birth: -
Remediation#
Run the following commands to set permissions and ownership on the SSH host public key files
# find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,gowx {} \;
# find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
Default Value:
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)