RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files.

STIG ID: RHEL-10-400340  |  SRG: SRG-OS-000080-GPOS-00048 |  Severity: medium (CAT II)  |  CCI: CCI-000213 |  Vulnerability Id: V-281085

Vulnerability Discussion

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Check

Verify RHEL 10 enforces mode "0600" for SSH private host key files with the following command:

$ sudo stat -c "%a %n" /etc/ssh/*_key
600 /etc/ssh/ssh_host_ecdsa_key
600 /etc/ssh/ssh_host_ed25519_key
600 /etc/ssh/ssh_host_rsa_key

If any private host key file has a mode more permissive than "0600", this is a finding.

Fix

Configure RHEL 10 to enforce mode "0600" for SSH private host key files with the following command:

$ sudo chmod 0600 /etc/ssh/ssh_host*key

Restart the SSH daemon for the changes to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.