The Ubuntu operating system must enforce SSHv2 for network access to all accounts.

From Canonical Ubuntu 16.04 Security Technical Implementation Guide

Part of SRG-OS-000112-GPOS-00057

Associated with: CCI-001941 CCI-001942

SV-90503r1_rule The Ubuntu operating system must enforce SSHv2 for network access to all accounts.

Vulnerability discussion

A replay attack may enable an unauthorized user to gain access to the Ubuntu operating system. Authentication sessions between the authenticator and the Ubuntu operating system validating the user credentials must not be vulnerable to a replay attack.An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.A privileged account is any information system account with authorizations of a privileged user.Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058

Check content

Verify that the Ubuntu operating system enforces SSH protocol 2 for network access. Check the protocol versions that SSH allows with the following command: #grep -i protocol /etc/ssh/sshd_config Protocol 2 If the returned line allows for use of protocol "1", is commented out, or the line is missing, this is a finding.

Fix text

Configure the Ubuntu operating system to enforce SSHv2 for network access to all accounts. Add or update the following line in the "/etc/ssh/sshd_config" file: Protocol 2 Restart the ssh service. # systemctl restart sshd.service

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer