← Back to Red Hat Enterprise Linux 9 Security Technical Implementation Guide

V-258011

CAT II (Medium)

RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.

Rule ID

SV-258011r1045079_rule

STIG

Red Hat Enterprise Linux 9 Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-000366

Discussion

When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display.

Check Content

Verify the SSH daemon prevents remote hosts from connecting to the proxy display with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11uselocalhost'

X11UseLocalhost yes

If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.

Fix Text

Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.

Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d", or uncomment the line and set the value to "yes":

X11UseLocalhost yes

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service