Profile Applicability:
• Level 1
Description:
SSH private host key files are critical for securing SSH server authentication. Proper permissions prevent unauthorized users from accessing these keys, which could compromise the server’s identity and security.
Rationale:
Restricting access to SSH private host keys protects against key theft and unauthorized SSH access, maintaining the integrity and trustworthiness of SSH connections.
Impact:
Pros:
Protects SSH server authentication keys.
Prevents unauthorized SSH access via stolen keys.
Cons:
Incorrect permissions may cause SSH service failures.
Default Value:
SSH private keys may have overly permissive permissions if not configured properly.
Pre-requisites:
Root or sudo privileges to modify file permissions.
Remediation:
Test Plan:
Using Linux command line:
Identify SSH private host key files, typically located in /etc/ssh/ (e.g., ssh_host_rsa_key, ssh_host_ecdsa_key, ssh_host_ed25519_key):
ls -l /etc/ssh/ssh_host_*_key
Verify permissions and ownership of each key file.
Implementation Plan:
Using Linux command line:
Set ownership to root and restrict permissions to 600 on all private host key files:
chown root:root /etc/ssh/ssh_host_*_key
chmod 600 /etc/ssh/ssh_host_*_key
Verify the changes:
ls -l /etc/ssh/ssh_host_*_key
Backout Plan:
Using Linux command line:
Restore previous ownership and permissions if necessary.
Verify SSH service functionality after changes.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
OpenSSH Manual