Title

RHEL 9 SSHD must accept public key authentication. (Cat II impact)

Discussion

Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055

Check Content

Note: If the system administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is Not Applicable. Verify that RHEL 9 SSH daemon accepts public key encryption with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*pubkeyauthentication' PubkeyAuthentication yes If "PubkeyAuthentication" is set to no, the line is commented out, or the line is missing, this is a finding.

Fix Text

To configure the system, add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". PubkeyAuthentication yes Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-257983r1045024_rule

Vulnerability ID: V-257983

Group Title: SRG-OS-000105-GPOS-00052

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.