Verify Ownership on SSH Server Public *.pub Key Files
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
SSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned
by root user.
If a public host key file is modified by an unauthorized user, the SSH service
may be compromised.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.pub$' -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
The following playbook can be run with Ansible to remediate the issue.
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86128-6
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ssh/ file(s) matching ^.*\.pub$
file:
path: '{{ item }}'
owner: '0'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86128-6
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
