Check: RHEL-09-255035
RHEL 9 STIG:
RHEL-09-255035
(in version v1 r1)
Title
RHEL 9 SSHD must accept public key authentication. (Cat II impact)
Discussion
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055
Check Content
Verify that RHEL 9 SSH daemon accepts public key encryption with the following command: $ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config PubkeyAuthentication yes If "PubkeyAuthentication" is set to no, the line is commented out, or the line is missing, this is a finding.
Fix Text
To configure the system add or modify the following line in "/etc/ssh/sshd_config". PubkeyAuthentication yes Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service
Additional Identifiers
Rule ID: SV-257983r925936_rule
Vulnerability ID: V-257983
Group Title: SRG-OS-000105-GPOS-00052
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000765 |
The information system implements multifactor authentication for network access to privileged accounts. |
CCI-000766 |
The information system implements multifactor authentication for network access to non-privileged accounts. |
CCI-000767 |
The information system implements multifactor authentication for local access to privileged accounts. |
CCI-000768 |
The information system implements multifactor authentication for local access to non-privileged accounts. |