The SSH daemon must perform strict mode checking of home directory configuration files.

STIG ID: ALMA-09-024770  |  SRG: SRG-OS-000480-GPOS-00230 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269299

Vulnerability Discussion

If other users have access to modify user-specific SSH configuration files or read keys, they may be able to log into the system as another user.

Check

Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:

$ sshd -T | grep strictmodes

strictmodes yes

If the "StrictModes" keyword is set to "no", or no output is returned, this is a finding.

Fix

To configure the SSH daemon to perform strict mode checking of home directory configuration files, add or modify the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":

StrictModes yes

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

$ echo "StrictModes yes" > /etc/ssh/sshd_config.d/strictmodes.conf

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.