← Back to Red Hat Enterprise Linux 9 Security Technical Implementation Guide

V-258008

CAT II (Medium)

RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.

Rule ID

SV-258008r1045075_rule

STIG

Red Hat Enterprise Linux 9 Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-000366

Discussion

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

Check Content

Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes'

StrictModes yes

If the "StrictModes" keyword is set to "no", the returned line is commented out, or no output is returned, this is a finding.

Fix Text

Configure the SSH daemon to perform strict mode checking of home directory configuration files.

Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d", or uncomment the line and set the value to "yes":

StrictModes yes

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service