AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive.

STIG ID: ALMA-09-021030  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269266

Vulnerability Discussion

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Whilst public keys are publicly readable, they should not be writeable by nonowners.

Check

Verify the SSH public host key files have a mode of "0644" or less permissive with the following command:

Note: SSH public key files may be found in other directories on the system depending on the installation.

$ stat -c "%#a %n" /etc/ssh/ssh_host*key.pub

0644 /etc/ssh/ssh_host_ecdsa_key.pub
0644 /etc/ssh/ssh_host_rsa_key.pub

If any public key has a mode more permissive than "0644", this is a finding.

Fix

Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:

$ chmod 0644 /etc/ssh/*key.pub

Restart the SSH daemon for the changes to take effect:

$ systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.