MEDIUM M1: SSHD Configuration P2
Overview
This remediation applies comprehensive SSH daemon hardening settings to improve security posture.
Settings
| Setting | Value | Description |
|---|---|---|
| PermitRootLogin | no | Disable direct root SSH access |
| GSSAPIAuthentication | no | Disable GSSAPI authentication |
| IgnoreRhosts | yes | Disable rhosts authentication |
| IgnoreUserKnownHosts | yes | Ignore user's known_hosts file |
| PermitUserEnvironment | no | Block user environment variable passing |
| StrictModes | yes | Enable strict mode checking |
| PrintLastLog | yes | Display last login information |
Implementation
The remediation applies a MachineConfig with SSHD hardening:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-sshd-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/ssh/sshd_config.d/75-medium-hardening.conf
          mode: 0600
          overwrite: true
          contents:
            inline: |
              # MEDIUM severity SSHD settings
              PermitRootLogin no
              GSSAPIAuthentication no
              IgnoreRhosts yes
              IgnoreUserKnownHosts yes
              PermitUserEnvironment no
              StrictModes yes
              PrintLastLog yes
Compliance Checks Remediated
This group addresses 7 compliance checks:
| Check | Profile | Description |
|---|---|---|
| rhcos4-e8-worker-sshd-disable-root-login | E8 | Disable root SSH login |
| rhcos4-e8-worker-sshd-disable-gssapi-auth | E8 | Disable GSSAPI authentication |
| rhcos4-e8-worker-sshd-disable-rhosts | E8 | Disable rhosts authentication |
| rhcos4-e8-worker-sshd-disable-user-known-hosts | E8 | Ignore user known_hosts |
| rhcos4-e8-worker-sshd-do-not-permit-user-env | E8 | Block user environment |
| rhcos4-e8-worker-sshd-enable-strictmodes | E8 | Enable strict modes |
| rhcos4-e8-worker-sshd-print-last-log | E8 | Print last login |
Source Remediation Files
- medium/rhcos4-e8-worker-sshd-disable-root-login.yaml
- medium/rhcos4-e8-worker-sshd-disable-gssapi-auth.yaml
- medium/rhcos4-e8-worker-sshd-disable-rhosts.yaml
- medium/rhcos4-e8-worker-sshd-disable-user-known-hosts.yaml
- medium/rhcos4-e8-worker-sshd-do-not-permit-user-env.yaml
- medium/rhcos4-e8-worker-sshd-enable-strictmodes.yaml
- medium/rhcos4-e8-worker-sshd-print-last-log.yaml
Verification
After applying the MachineConfig, verify SSHD settings:
oc debug node/<node-name> -- chroot /host sshd -T | grep -E "permitrootlogin|gssapiauthentication|ignorerhosts"
# Expected output:
# permitrootlogin no
# gssapiauthentication no
# ignorerhosts yes
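The command above greps three of the seven settings. The following POSIX shell function is an added example, not part of the remediation project: it checks all seven values from the Settings table against `sshd -T` output read on stdin. The function name `check_sshd_medium` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: function name and sample data are illustrative assumptions.

# Expected effective values, in the lower-case form that `sshd -T` prints.
EXPECTED='permitrootlogin no
gssapiauthentication no
ignorerhosts yes
ignoreuserknownhosts yes
permituserenvironment no
strictmodes yes
printlastlog yes'

# Constructed sample of `sshd -T` output in which two settings have drifted.
SAMPLE_DRIFTED='port 22
permitrootlogin prohibit-password
gssapiauthentication no
ignorerhosts yes
ignoreuserknownhosts no
permituserenvironment no
strictmodes yes
printlastlog yes'

# Reads `sshd -T` output on stdin, prints PASS/FAIL per setting, and
# returns 0 only when all seven settings have the expected value.
check_sshd_medium() {
    actual=$(cat)
    rc=0
    while read -r key want; do
        # First line whose keyword matches exactly; empty if the keyword is absent.
        got=$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key want=$want got=${got:-<missing>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Offline demo on the constructed sample. Against a node, pipe the page's command in:
#   oc debug node/<node-name> -- chroot /host sshd -T | check_sshd_medium
printf '%s\n' "$SAMPLE_DRIFTED" | check_sshd_medium || echo "drift detected"
```

A missing keyword is reported as a failure rather than skipped, so truncated or empty `sshd -T` output cannot pass the check.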
Related SSHD Groups
Other SSHD hardening groups:
- H3: SSHD Empty Passwords - HIGH severity (in progress)
- L1: SSHD LogLevel - LOW severity (pending)