← Rules Catalog
mediumaccess-controlunverified

Ensure SSH private host keys are mode 0600 or less permissive (RHEL 10 STIG)

ssh-host-key-permissions · RHEL ≥ 10 · 1 impl

Description

On RHEL 10, the STIG requires every SSH private host key under /etc/ssh (ssh_host_*_key) to have a file mode of "0600" or less permissive — stricter than the 0640 root:ssh_keys form the CIS benchmark and earlier STIGs accept.

Rationale

SSH private host keys authenticate the server to connecting clients. A key readable by any account other than the owner can be copied and used to impersonate the host in a man-in-the-middle attack. The RHEL 10 STIG tightens the requirement to 0600 (owner-only). This rule is the STIG-strict companion to ssh-private-key-permissions, which enforces the more permissive CIS form; a key at 0600 satisfies both.

Check → Remediate

Checkcommand
# -perm /0177 matches any key with owner-execute, or any group/other
# bit set — i.e. more permissive than 0600.
if find /etc/ssh/ssh_host_*_key -type f -perm /0177 2>/dev/null | grep -q .; then
  echo "FAIL: an SSH private host key is more permissive than 0600"
  find /etc/ssh/ssh_host_*_key -type f -perm /0177 2>/dev/null | while read -r k; do
    echo "  $(stat -c '%a %n' "$k" 2>/dev/null)"
  done
  exit 1
fi
echo "OK: all SSH private host keys are 0600 or less permissive"
exit 0
expected_exit:
0
Remediatecommand_exec
find /etc/ssh/ssh_host_*_key -type f -exec chmod 0600 {} + 2>/dev/null || true

Framework references

STIG

V-281085 / RHEL-10-400340

NIST 800-53

IA-5(2)
#ssh#host-key#permissions#stig