mediumaccess-controlverified ✓rollback-safe
Enable SSH strict mode checking
ssh-strict-modes · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must verify the ownership and permissions of the user's home directory, authorized_keys file, and related configuration before accepting a login. StrictModes ensures that improperly secured files cannot be used to gain unauthorized access.
Rationale
Without strict mode checking, an attacker who gains write access to a user's home directory or .ssh folder could inject their own public key into the authorized_keys file and authenticate as that user. StrictModes prevents this by rejecting keys stored in files with overly permissive ownership or permissions.
Check → Remediate
Checksshd_effective_config
- key:
- strictmodes
- expected:
- yes
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- StrictModes
- value:
- yes
- separator:
- reload:
- sshd
Framework references
STIG
V-230288 / RHEL-08-010500V-258008 / RHEL-09-255160V-281259 / RHEL-10-700560
NIST 800-53
CM-6AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#authentication#file-permissions