Check: RHEL-06-000227
Red Hat Enterprise Linux 6 STIG: RHEL-06-000227 (in versions v2 r2 through v1 r14)
Title
The SSH daemon must be configured to use only the SSHv2 protocol. (Cat I impact)
Discussion
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Check Content
To check which SSH protocol version is allowed, run the following command:

# grep Protocol /etc/ssh/sshd_config

If configured properly, the output should be:

Protocol 2

If it is not, this is a finding.
Fix Text
Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears:

Protocol 2
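Added here as a worked version of the check and fix above (not part of the STIG text): a POSIX shell function that applies the same test but skips commented-out directives, which a bare grep also matches, and treats "Protocol 2,1" or "Protocol 1" as a finding. The function name and the sample files in the demo are constructed for this example.

```shell
# check_ssh_protocol FILE
# Reports whether an sshd_config permits only SSHv2. Unlike a bare
# 'grep Protocol', it ignores commented-out lines (the stock file carries
# "#Protocol 2,1") and flags "Protocol 2,1" or "Protocol 1".
# Returns 0 when every active Protocol directive is exactly "2",
# 1 otherwise (a finding).
check_ssh_protocol() {
    file="${1:-/etc/ssh/sshd_config}"
    [ -r "$file" ] || { echo "FINDING: cannot read $file"; return 1; }
    # sshd accepts "Protocol 2" or "Protocol=2" with a case-insensitive
    # keyword: strip leading blanks, split on blanks or '=', skip comments.
    protos=$(awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        tolower($1) == "protocol" { print $2 }' "$file")
    if [ -z "$protos" ]; then
        # No active directive: the STIG expects the line to be present.
        echo "FINDING: no active Protocol directive in $file"
        return 1
    fi
    status=0
    for p in $protos; do
        case "$p" in
            2) echo "OK: Protocol 2 in $file" ;;
            *) echo "FINDING: 'Protocol $p' in $file permits SSHv1"; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone demo on constructed sample files (not real host config).
demo_dir=$(mktemp -d)
printf '#Protocol 2,1\nProtocol 2\n' > "$demo_dir/compliant"
printf '# hardened?\nProtocol 2,1\n' > "$demo_dir/finding"
check_ssh_protocol "$demo_dir/compliant"
check_ssh_protocol "$demo_dir/finding" || echo "exit status $?"
rm -rf "$demo_dir"
```

The directive only matters on OpenSSH builds that still contain an SSHv1 server, such as the 5.x release RHEL 6 ships; recent OpenSSH releases dropped SSHv1 server support altogether and no longer honour the keyword.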
Additional Identifiers
Rule ID: SV-217994r603264_rule
Vulnerability ID: V-217994
Group Title: SRG-OS-000112
CCIs
Number | Definition
---|---
CCI-000774 | The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
CCI-001941 | The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
CCI-001942 | The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.