Check: GEN005533
VMware ESX 3 Server:
GEN005533
(in version v1 r2)
Title
The SSH daemon must limit connections to a single session. (Cat III impact)
Discussion
The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. A compromised client could use this feature to establish additional sessions to a system without consent or knowledge of the user. Alternate per-connection session limits may be documented if needed for a valid mission requirement. Greater limits are expected to be necessary in situations where TCP or X11 forwarding are used.
Check Content
Check the SSH daemon configuration for the MaxSessions setting. # grep -i MaxSessions /etc/ssh/sshd_config | grep -v '^#' If the setting is not present, or not set to 1, this is a finding.
Fix Text
Edit the SSH daemon configuration and add or edit the MaxSessions setting value to 1.
Additional Identifiers
Rule ID: SV-26776r1_rule
Vulnerability ID: V-22482
Group Title: GEN005533
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000054 |
The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions. |
Controls
Number | Title |
---|---|
AC-10 |
Concurrent Session Control |