Check: ESXI-67-000029
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000029
(in versions v1 r3 through v1 r1)
Title
The ESXi host must remove keys from the SSH authorized_keys file. (Cat II impact)
Discussion
ESXi hosts come with SSH, which can be enabled to allow remote access without requiring user authentication. To enable password-free access, copy the remote user's public key into the "/etc/ssh/keys-root/authorized_keys" file on the ESXi host. The presence of the remote user's public key in the "authorized_keys" file identifies the user as trusted, meaning the user is granted access to the host without providing a password. If using Lockdown Mode and SSH is disabled, then logon with authorized keys will have the same restrictions as username/password.
Check Content
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # ls -la /etc/ssh/keys-root/authorized_keys or # cat /etc/ssh/keys-root/authorized_keys If the "authorized_keys" file exists and is not empty, this is a finding.
Fix Text
From an SSH session connected to the ESXi host, or from the ESXi shell, zero out or remove the /etc/ssh/keys-root/authorized_keys file: # >/etc/ssh/keys-root/authorized_keys or # rm /etc/ssh/keys-root/authorized_keys
Additional Identifiers
Rule ID: SV-239284r674781_rule
Vulnerability ID: V-239284
Group Title: SRG-OS-000480-VMM-002000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |