STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Red Hat Enterprise Linux 10 Security Technical Implementation Guide

V-281085

CAT II (Medium)

RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files.

Rule ID

SV-281085r1195409_rule

STIG

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000213

Discussion

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Check Content

Verify RHEL 10 enforces mode "0600" for SSH private host key files with the following command:

$ sudo stat -c "%a %n" /etc/ssh/*_key
600 /etc/ssh/ssh_host_ecdsa_key
600 /etc/ssh/ssh_host_ed25519_key
600 /etc/ssh/ssh_host_rsa_key

If any private host key file has a mode more permissive than "0600", this is a finding.

Fix Text

Configure RHEL 10 to enforce mode "0600" for SSH private host key files with the following command:

$ sudo chmod 0600 /etc/ssh/ssh_host*key

Restart the SSH daemon for the changes to take effect:

$ sudo systemctl restart sshd.service