STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

V-269266

CAT II (Medium)

AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive.

Rule ID

SV-269266r1050148_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-000366

Discussion

If a public host key file is modified by an unauthorized user, the SSH service may be compromised. Whilst public keys are publicly readable, they should not be writeable by nonowners.

Check Content

Verify the SSH public host key files have a mode of "0644" or less permissive with the following command:

Note: SSH public key files may be found in other directories on the system depending on the installation.

$ stat -c "%#a %n" /etc/ssh/ssh_host*key.pub

0644 /etc/ssh/ssh_host_ecdsa_key.pub
0644 /etc/ssh/ssh_host_rsa_key.pub

If any public key has a mode more permissive than "0644", this is a finding.

Fix Text

Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:

$ chmod 0644 /etc/ssh/*key.pub

Restart the SSH daemon for the changes to take effect:

$ systemctl restart sshd.service