mediumaccess-controlunverified
Ensure SSH private host keys are mode 0600 or less permissive (RHEL 10 STIG)
ssh-host-key-permissions · RHEL ≥ 10 · 1 impl
Description
On RHEL 10, the STIG requires every SSH private host key under /etc/ssh (ssh_host_*_key) to have a file mode of "0600" or less permissive — stricter than the 0640 root:ssh_keys form the CIS benchmark and earlier STIGs accept.
Rationale
SSH private host keys authenticate the server to connecting clients. A key readable by any account other than the owner can be copied and used to impersonate the host in a man-in-the-middle attack. The RHEL 10 STIG tightens the requirement to 0600 (owner-only). This rule is the STIG-strict companion to ssh-private-key-permissions, which enforces the more permissive CIS form; a key at 0600 satisfies both.
Check → Remediate
Checkcommand
# -perm /0177 matches any key with owner-execute, or any group/other
# bit set — i.e. more permissive than 0600.
if find /etc/ssh/ssh_host_*_key -type f -perm /0177 2>/dev/null | grep -q .; then
echo "FAIL: an SSH private host key is more permissive than 0600"
find /etc/ssh/ssh_host_*_key -type f -perm /0177 2>/dev/null | while read -r k; do
echo " $(stat -c '%a %n' "$k" 2>/dev/null)"
done
exit 1
fi
echo "OK: all SSH private host keys are 0600 or less permissive"
exit 0
- expected_exit:
- 0
Remediatecommand_exec
find /etc/ssh/ssh_host_*_key -type f -exec chmod 0600 {} + 2>/dev/null || trueFramework references
STIG
V-281085 / RHEL-10-400340
NIST 800-53
IA-5(2)
#ssh#host-key#permissions#stig