The SSH daemon, sshd, provides secure, encrypted access to Linux servers. The STIG has several requirements for ssh server configuration and these requirements are applied by default by the role. To opt out of or change these requirements, see the section under the ## ssh server (sshd) comment in defaults/main.yml.

There is one deviation from the STIG for the PermitRootLogin configuration option. The STIG requires that direct root logins are disabled, and this is the recommended setting for secure production environments. However, this can cause problems in some existing environments and the default for the role is to set it to yes (direct root logins allowed).

All of the tasks for these STIG requirements are included in tasks/rhel7stig/sshd.yml.
The PermitEmptyPasswords configuration is set to no in /etc/ssh/sshd_config and sshd is restarted. This disallows logins over ssh for users with an empty or null password set.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_empty_password: no
The PermitUserEnvironment configuration is set to no in /etc/ssh/sshd_config and sshd is restarted. This stops sshd from processing ~/.ssh/environment and environment= options in authorized_keys files, which a user could otherwise use to set variables such as LD_PRELOAD and bypass access restrictions.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_environment_override: no
The HostbasedAuthentication configuration is set to no in /etc/ssh/sshd_config and sshd is restarted. Host-based authentication trusts the connecting host's key together with rhosts and hosts.equiv style files instead of the user's own credentials, so it is disabled.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_host_based_auth: no
The Ciphers configuration is set to aes128-ctr,aes192-ctr,aes256-ctr in /etc/ssh/sshd_config and sshd is restarted. This limits the server to AES in counter mode and removes the CBC mode and arcfour ciphers that older clients may otherwise negotiate.

Deployers can change the list of ciphers by setting the following Ansible variable:
security_sshd_cipher_list: 'cipher1,cipher2,cipher3'
The tasks in the security role deploy a standard notice and consent banner into /etc/motd on each server. Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux Enterprise display this banner after each successful login via ssh or the console.

Deployers can choose a different destination for the banner by setting the following Ansible variable:
security_sshd_banner_file: /etc/motd

The message is customized with the following Ansible variable:
security_login_banner_text: |
  ------------------------------------------------------------------------------
  * WARNING *
  * You are accessing a secured system and your actions will be logged along *
  * with identifying information. Disconnect immediately if you are not an *
  * authorized user of this system. *
  ------------------------------------------------------------------------------
The STIG has a requirement that the sshd daemon is running and enabled at boot time. The tasks in the security role ensure that these requirements are met.

Some deployers may not have sshd enabled on highly specialized systems and those deployers should opt out of this change by setting the following Ansible variable:
security_enable_sshd: no

Note
Setting security_enable_sshd to no causes the tasks to ignore the state of the service entirely. A setting of no does not stop or alter the sshd service.
The ClientAliveInterval configuration is set to 600 in /etc/ssh/sshd_config and sshd is restarted.

Deployers can adjust the length of the interval by changing the following Ansible variable:
security_sshd_client_alive_interval: 600

Note
The STIG requires that ClientAliveInterval is set to 600 and ClientAliveCountMax is set to zero, which sets a 10 minute session timeout. If no data is transferred in a 10 minute period, the session is disconnected.

The ClientAliveInterval specifies how long, in seconds, the ssh daemon waits for activity before it sends a message through the encrypted channel to check that the client is still alive. The ClientAliveCountMax specifies how many of these messages may go unanswered before the session is closed.

Deployers should refer to All network connections associated with SSH traffic must terminate after a period of inactivity. (V-72241) to customize the ClientAliveCountMax setting.

This STIG is already applied by the changes for The SSH daemon must not allow authentication using known hosts authentication. (V-72249).
The ClientAliveCountMax configuration is set to 0 in /etc/ssh/sshd_config and sshd is restarted.

Deployers can adjust the maximum number of unanswered client alive messages by changing the following Ansible variable:
security_sshd_client_alive_count_max: 0

Note
The STIG requires that ClientAliveInterval is set to 600 and ClientAliveCountMax is set to zero, which sets a 10 minute session timeout. If no data is transferred in a 10 minute period, the session is disconnected.

The ClientAliveInterval specifies how long, in seconds, the ssh daemon waits for activity before it sends a message through the encrypted channel to check that the client is still alive. The ClientAliveCountMax specifies how many of these messages may go unanswered before the session is closed.

This behaviour depends on the OpenSSH release. With the OpenSSH releases shipped in RHEL 7, a count of 0 ends the session at the first probe, which is what turns the keepalive into an idle timeout. OpenSSH 8.2 and later treat a count of 0 as disabling connection termination entirely, and any positive count only disconnects clients that stop answering the probes, so a live but idle client is not timed out by this mechanism on those versions.

Deployers should refer to All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. (V-72237) to customize the ClientAliveInterval setting.
The IgnoreRhosts configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted. With this setting, ~/.rhosts and ~/.shosts files are not consulted during host-based authentication.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_rhosts_auth: no
The PrintLastLog configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted. Showing the date, time and origin of the previous login lets users notice use of their account that was not theirs.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_print_last_log: no
The PermitRootLogin configuration is set to no in /etc/ssh/sshd_config and sshd is restarted.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_permit_root_login: no

Warning
Ensure that a regular user account exists with a pathway to root access (preferably via sudo) before applying the security role. This configuration change disallows any direct logins with the root user.
The IgnoreUserKnownHosts configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted. With this setting, sshd ignores the per-user ~/.ssh/known_hosts files during host-based authentication and trusts only the system-wide /etc/ssh/ssh_known_hosts file, which users cannot edit.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_known_hosts_auth: no
The Protocol configuration is set to 2 in /etc/ssh/sshd_config and sshd is restarted.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_protocol: 2

Warning
There is no reason to enable any other protocol than SSHv2. SSHv1 has multiple vulnerabilities, and it is no longer widely used. OpenSSH 7.4 and later no longer include SSHv1 server support at all, so on those versions the directive is redundant but harmless.
The MACs configuration is set to hmac-sha2-256,hmac-sha2-512 in /etc/ssh/sshd_config and sshd is restarted. This excludes the MD5 and SHA-1 based MACs.

Deployers can adjust the allowed Message Authentication Codes (MACs) by setting the following Ansible variable:
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512'
The permissions on ssh public host keys are set to 0644. If the existing permissions are more restrictive than 0644, the tasks do not make changes to the files.

The permissions on ssh private host keys are set to 0600. If the existing permissions are more restrictive than 0600, the tasks do not make changes to the files.
The GSSAPIAuthentication setting is set to no to meet the requirements of the STIG.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disallow_gssapi: no

The KerberosAuthentication configuration is set to no in /etc/ssh/sshd_config and sshd is restarted.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_disable_kerberos_auth: no
The StrictModes configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted. With this setting, sshd checks the ownership and permissions of the user's home directory and ~/.ssh files before accepting a login and refuses to use an authorized_keys file that other users could write to.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_strict_modes: no
The UsePrivilegeSeparation configuration is set to sandbox in /etc/ssh/sshd_config and sshd is restarted.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_privilege_separation: no

Note
Although the STIG requires this setting to be yes, the sandbox setting actually provides more security because it enables privilege separation during the early authentication process. OpenSSH 7.5 and later deprecate the directive and always run the pre-authentication process sandboxed, so on those versions sshd logs a warning about the option and ignores it.
The Compression configuration is set to delayed in /etc/ssh/sshd_config and sshd is restarted.

Deployers can choose another option by setting the following Ansible variable:
security_sshd_compression: 'no'

Note
The following are the available settings for Compression in the ssh configuration file:

delayed: Compression is enabled after authentication.
no: Compression is disabled.
yes: Compression is enabled during authentication and during the session (not allowed by the STIG).

The delayed option balances security with performance and is an approved option in the STIG. OpenSSH 7.4 and later removed pre-authentication compression from sshd, so on those versions yes and delayed behave the same way.
This control is implemented by the tasks for another control:

The X11Forwarding configuration is set to yes in /etc/ssh/sshd_config and sshd is restarted.

Deployers can opt out of this change by setting the following Ansible variable:
security_sshd_enable_x11_forwarding: no
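The sshd_config directives described in the controls above can be verified after the role runs. The Python script below is an added example, not code from the role or from this documentation: it reads a sshd_config, applies the rule that sshd uses the first occurrence of each keyword and silently ignores later duplicates (so a stale PermitRootLogin yes further down the file is harmless, while a stale line above the managed values would win), and reports every hardening directive that is missing or differs from the value listed above. The EXPECTED table, the function names and the embedded sample configuration are constructed for this example.

```python
"""Check a sshd_config against the sshd hardening values described above.

sshd applies the FIRST value it reads for each keyword and ignores later
duplicates, so a checker that takes the last value (or any value) can
report a file as compliant while sshd actually runs with a weaker setting
that appears earlier in the file.
"""
import re

# Expected global values, taken from the controls above (keywords are
# lowercased because sshd matches them case-insensitively).
EXPECTED = {
    "permitemptypasswords": "no",
    "permituserenvironment": "no",
    "hostbasedauthentication": "no",
    "ciphers": "aes128-ctr,aes192-ctr,aes256-ctr",
    "clientaliveinterval": "600",
    "clientalivecountmax": "0",
    "ignorerhosts": "yes",
    "printlastlog": "yes",
    "permitrootlogin": "no",
    "ignoreuserknownhosts": "yes",
    "protocol": "2",
    "macs": "hmac-sha2-256,hmac-sha2-512",
    "gssapiauthentication": "no",
    "kerberosauthentication": "no",
    "strictmodes": "yes",
    "useprivilegeseparation": "sandbox",
    "compression": "delayed",
}

# Constructed sample (not from a real host).  The first stanza is what a
# managed block looks like, except that it admits a CBC cipher and omits
# Compression.  Below it, older local lines set PermitRootLogin yes and a
# larger ClientAliveCountMax; sshd ignores both because earlier values win.
# The Match block applies only to one user and is not a global setting.
SAMPLE_CONFIG = """\
# Settings managed by the hardening role (constructed sample)
PermitEmptyPasswords no
PermitUserEnvironment no
HostbasedAuthentication no
Ciphers aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
PrintLastLog yes
PermitRootLogin no
IgnoreUserKnownHosts yes
Protocol 2
MACs hmac-sha2-256,hmac-sha2-512
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
UsePrivilegeSeparation sandbox

# Older local settings left in place below the managed block
Port 22
permitrootlogin yes
ClientAliveCountMax 3
Match User backup
    PermitRootLogin no
"""


def effective_settings(config_text):
    """Map lowercase keyword -> value using sshd's first-match-wins rule.

    Only the global section is read: a Match line ends it, because the
    directives after it apply just to the connections that block matches.
    Keyword and value may be separated by whitespace or by a single '='.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.+)", line)
        if not m:
            continue  # keyword without an argument; sshd would reject the file
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # later duplicates are ignored
    return settings


def check(config_text, expected=EXPECTED):
    """Return [(keyword, expected, actual_or_None)] for every directive
    that is missing or differs from the expected value; [] means compliant."""
    actual = effective_settings(config_text)
    findings = []
    for key, want in expected.items():
        got = actual.get(key)
        if got is None or got.lower() != want.lower():
            findings.append((key, want, got))
    return findings


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 check_sshd.py /etc/ssh/sshd_config
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for key, want, got in check(text):
        print("%s: expected %r, found %r" % (key, want, got))
```

On the sample, the only findings are ciphers (the CBC cipher is present) and compression (absent); the later permitrootlogin yes is correctly not reported because sshd never uses it. The same parser accepts the output of sshd -T, which prints the effective value of every keyword in the same keyword value form and is the authoritative view once compiled-in defaults and any included files are taken into account.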
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.