The SSH daemon must be configured to only use the SSHv2 protocol.

From Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Part of SRG-OS-000074-GPOS-00042

Associated with: CCI-000197 CCI-000366

SV-86875r3_rule The SSH daemon must be configured to only use the SSHv2 protocol.

Vulnerability discussion

SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerabilities and exploits. Exploits of the SSH daemon could provide immediate root access to the system.

Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227

Check content

Check the version of the operating system with the following command:

# cat /etc/redhat-release

If the release is 7.4 or newer, this requirement is Not Applicable.

Verify that the SSH daemon is configured to only use the SSHv2 protocol with the following command:

# grep -i protocol /etc/ssh/sshd_config
Protocol 2
#Protocol 1,2

If any Protocol line other than "Protocol 2" is uncommented, this is a finding.

Fix text

Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:

Protocol 2

The SSH service must be restarted for changes to take effect.
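An added shell example, not part of the STIG, that automates the check above: it applies the "7.4 or newer is Not Applicable" rule and flags any uncommented Protocol line whose value is not exactly "2". The function names and the file-path arguments (which default to /etc/redhat-release and /etc/ssh/sshd_config) are assumptions made for this example.

```shell
#!/bin/sh
# rhel_rule_applies [RELEASE_FILE]
# Returns 0 when the rule applies (release older than 7.4), 1 when Not Applicable.
rhel_rule_applies() {
    rel="${1:-/etc/redhat-release}"
    # Pull "major minor" out of e.g. "... release 7.3 (Maipo)"
    ver=$(sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' "$rel" 2>/dev/null || true)
    if [ -z "$ver" ]; then
        return 0            # version unknown: assume the rule applies
    fi
    set -- $ver             # $1 = major, $2 = minor
    if [ "$1" -lt 7 ]; then
        return 0
    fi
    if [ "$1" -eq 7 ] && [ "$2" -lt 4 ]; then
        return 0
    fi
    return 1
}

# check_ssh_protocol [SSHD_CONFIG]
# Mirrors "grep -i protocol": every uncommented Protocol directive must be
# exactly "Protocol 2". Prints offending lines; returns 0 if compliant, 1 on a finding.
check_ssh_protocol() {
    cfg="${1:-/etc/ssh/sshd_config}"
    finding=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace, skip blank and commented lines
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$trimmed" in
            \#*|'') continue ;;
        esac
        # Keyword match is case-insensitive, like the STIG's grep -i
        kw=$(printf '%s' "$trimmed" | awk '{print tolower($1)}')
        [ "$kw" = "protocol" ] || continue
        val=$(printf '%s' "$trimmed" | awk '{print $2}')
        if [ "$val" != "2" ]; then
            printf 'FINDING: %s\n' "$trimmed"   # e.g. "Protocol 1,2" or "Protocol 2,1"
            finding=1
        fi
    done < "$cfg"
    return $finding
}
```

A config with no Protocol directive at all is not reported, matching the STIG wording, which only treats an uncommented line other than "Protocol 2" as a finding.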


Powered by sagemincer