← Rules Catalog
mediumaccess-controlverified rollback-safe

Enable SSH strict mode checking

ssh-strict-modes · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must verify the ownership and permissions of the user's home directory, authorized_keys file, and related configuration before accepting a login. StrictModes ensures that improperly secured files cannot be used to gain unauthorized access.

Rationale

Without strict mode checking, an attacker who gains write access to a user's home directory or .ssh folder could inject their own public key into the authorized_keys file and authenticate as that user. StrictModes prevents this by rejecting keys stored in files with overly permissive ownership or permissions.

Check → Remediate

Checksshd_effective_config
key:
strictmodes
expected:
yes
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
StrictModes
value:
yes
separator:
reload:
sshd

Framework references

STIG

V-230288 / RHEL-08-010500V-258008 / RHEL-09-255160V-281259 / RHEL-10-700560

NIST 800-53

CM-6AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#authentication#file-permissions