Check: UBTU-16-030200
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-030200
(in versions v2 r3 through v1 r3)
Title
The Ubuntu operating system must enforce SSHv2 for network access to all accounts. (Cat I impact)
Discussion
A replay attack may enable an unauthorized user to gain access to the Ubuntu operating system. Authentication sessions between the authenticator and the Ubuntu operating system validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058
Check Content
Verify that the Ubuntu operating system enforces SSH protocol 2 for network access. Check the protocol versions that SSH allows with the following command: #grep -i protocol /etc/ssh/sshd_config Protocol 2 If the returned line allows for use of protocol "1", is commented out, or the line is missing, this is a finding.
Fix Text
Configure the Ubuntu operating system to enforce SSHv2 for network access to all accounts. Add or update the following line in the "/etc/ssh/sshd_config" file: Protocol 2 Restart the ssh service. # systemctl restart sshd.service
Additional Identifiers
Rule ID: SV-215121r610931_rule
Vulnerability ID: V-215121
Group Title: SRG-OS-000112-GPOS-00057
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001941 |
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
CCI-001942 |
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |