mediumaccess-controlverified ✓rollback-safe
Set permissions on SSH public host keys
ssh-public-key-permissions · RHEL ≥ 8 · 1 impl
Description
SSH public host key files must have appropriate permissions to prevent unauthorized modification. The public keys under /etc/ssh/ are used by clients to verify the server's identity and must not be writable by unprivileged users.
Rationale
If an attacker can modify a server's SSH public host key files, they can replace them with keys whose corresponding private keys they control. Clients that trust the modified public key would then accept connections to an attacker-controlled server, enabling man-in-the-middle interception of credentials and session data.
Check → Remediate
Checkcommand
find /etc/ssh/ssh_host_*_key.pub -type f \( ! -perm 644 -o ! -user root -o ! -group root \) 2>/dev/null | head -1
- expected_exit:
- 0
Remediatefile_permissions
- path:
- /etc/ssh/ssh_host_*_key.pub
- owner:
- root
- group:
- root
- mode:
- 0644
- glob:
- ssh_host_*_key.pub
Framework references
CIS
rhel10 5.1.3rhel8 5.1.5rhel9 5.1.3
STIG
V-281253 / RHEL-10-700500V-230286 / RHEL-08-010480V-258001 / RHEL-09-255125
NIST 800-53
AC-6SC-28
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#file-permissions#host-keys