RHEL 9 SSH public host key files must have mode 0644 or less permissive.

STIG ID: RHEL-09-255125  |  SRG: SRG-OS-000480-GPOS-00227 | Severity: medium |  CCI: CCI-000366

Vulnerability Discussion

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Check

Verify the SSH public host key files have a mode of "0644" or less permissive with the following command:

Note: SSH public key files may be found in other directories on the system depending on the installation.

$ sudo stat -c "%a %n" /etc/ssh/*.pub

644 /etc/ssh/ssh_host_dsa_key.pub
644 /etc/ssh/ssh_host_ecdsa_key.pub
644 /etc/ssh/ssh_host_ed25519_key.pub
644 /etc/ssh/ssh_host_rsa_key.pub

If any key.pub file has a mode more permissive than "0644", this is a finding.

Fix

Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:

$ sudo chmod 0644 /etc/ssh/*key.pub

Restart the SSH daemon for the changes to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.