The macOS system must disable password authentication for SSH.

STIG ID: APPL-14-001150  |  SRG: SRG-OS-000067-GPOS-00035 |  Severity: high |  CCI: CCI-000186,CCI-000765,CCI-000766,CCI-000877,CCI-001941,CCI-004046,CCI-000767,CCI-000768,CCI-001948 |  Vulnerability Id: V-259477 | 

Vulnerability Discussion

If remote logon through SSH is enabled, password-based authentication must be disabled for user logon.

All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Satisfies: SRG-OS-000067-GPOS-00035,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000125-GPOS-00065,SRG-OS-000375-GPOS-00160

Check

Verify the macOS system is configured to disable password authentication for SSH with the following command:

/usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)'

If the result is not "2", this is a finding.

Fix

Configure the macOS system to disable password authentication for SSH with the following command:

include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
echo "passwordauthentication no" >> "${include_dir}01-mscp-sshd.conf"
echo "kbdinteractiveauthentication no" >> "${include_dir}01-mscp-sshd.conf"

for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done