
From 44d270133421722ac0dfa0af9756b73d582f4d56 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Fri, 8 Dec 2017 11:59:13 -0700
Subject: [PATCH] Deprecate RhostsRSAAuthentication as it have been deprecated
 in 7.4
- Fixes #2478
---
 shared/checks/oval/sshd_disable_rhosts_rsa.xml | 7 +++++--
 shared/xccdf/services/ssh.xml                  | 9 +++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
index d7e00fafc..2abf88c70 100644
--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml
+++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
@@ -15,8 +15,11 @@
       <criteria comment="sshd is installed and configured" operator="AND">
         
         definition_ref="sshd_required_or_unset" />
-        
-        negate="true" test_ref="test_sshd_disable_rhosts_rsa" />
+        <criteria comment="SSH version is equal or higher than 7.4 has deprecated RhostsRSAAuthentication" operator="OR">
+          <extend_definition comment="OpenSSH version 7.4 or higher has deprecated RhostsRSAAuthentication" definition_ref="sshd_version_equal_or_higher_than_74" />
+          
+          negate="true" test_ref="test_sshd_disable_rhosts_rsa" />
+        </criteria>
       </criteria>
     </criteria>
   </definition>
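Review bot: The new `<extend_definition>` on the second added line references `sshd_version_equal_or_higher_than_74`, but the diffstat lists only two files, so that OVAL definition is not added by this commit; if it is not already present in the tree, `sshd_disable_rhosts_rsa` will fail to resolve at build time, so the referenced id should be confirmed against the existing version-comparison definitions before merging. The `comment` attribute on the new `<criteria>` reads awkwardly and does not describe the OR; `comment="OpenSSH 7.4 or newer has deprecated RhostsRSAAuthentication, or the option is explicitly disabled"` would state what the block actually tests. The start tag of the criterion preceding `negate="true"` is not visible on this page, so its comment text could not be reviewed here.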
diff --git a/shared/xccdf/services/ssh.xml b/shared/xccdf/services/ssh.xml
index 6edd47ab8..53c28faa9 100644
--- a/shared/xccdf/services/ssh.xml
+++ b/shared/xccdf/services/ssh.xml
@@ -603,6 +603,11 @@ following line in <tt>/etc/ssh/sshd_config</tt>:
 
RhostsRSAAuthentication no
 </description>
 <ocil>
+To check which SSH protocol version is allowed, check version of
+<tt>openssh-server</tt> with following command:
+
$ rpm -qi openssh-server | grep Version
+Versions equal to or higher than 7.4 have deprecated the <tt>RhostsRSAAuthentication</tt> option.
+If version is lower than 7.4, run the following command to check configuration:
 <sshd-check-macro option="RhostsRSAAuthentication" value="no" default="yes" />
 </ocil>
 <rationale>
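Review bot: The first added OCIL sentence, `To check which SSH protocol version is allowed, check version of`, is misleading: what decides whether the option still applies is the installed openssh-server version, not the negotiated SSH protocol version, and an auditor following it literally may look at `Protocol` settings instead. Suggest `To determine whether this option still applies, check the version of` followed by the existing `<tt>openssh-server</tt> with the following command:`. As a minor point of style, `rpm -qi openssh-server | grep Version` depends on the label text of the `-i` output; `rpm -q --qf '%{VERSION}\n' openssh-server` returns only the version string. The element wrapping the command line appears to have been dropped in this rendering, so the markup around it could not be verified here.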
@@ -610,6 +615,10 @@ Configuring this setting for the SSH daemon provides additional
 assurance that remove login via SSH will require a password, even
 in the event of misconfiguration elsewhere.
 </rationale>
+<warning category="general">As of <tt>openssh-server</tt> version <tt>7.4</tt> and above,
+the <tt>RhostsRSAAuthentication</tt> option has been deprecated, and the line
+
RhostsRSAAuthentication no
in <tt>/etc/ssh/sshd_config</tt> is not
+necessary.</warning>
 <ident prodtype="rhel7" cce="80373-4" />
 <oval id="sshd_disable_rhosts_rsa" value="sshd_required" />
 <ref prodtype="rhel7" stigid="040330" />
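Review bot: The new `<warning>` tells the reader the `RhostsRSAAuthentication no` line `is not necessary` on 7.4 and above, but leaves open whether a line already present in a hardened configuration will cause a problem, which is what an operator deciding whether to touch an existing sshd_config needs to know; to my recollection sshd in those versions still accepts the keyword and ignores it, which should be confirmed against the sshd_config(5) page shipped with the package. If that holds, ending the sentence with `is no longer needed; if present it is accepted and ignored by sshd.` makes the warning actionable. It would also help to state that the automated check passes on 7.4 and above regardless of the setting, so a PASS without the line is not mistaken for a scanner error.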