|
|
df3ea4 |
From 44d270133421722ac0dfa0af9756b73d582f4d56 Mon Sep 17 00:00:00 2001
|
|
|
df3ea4 |
From: Gabe <redhatrises@gmail.com>
|
|
|
df3ea4 |
Date: Fri, 8 Dec 2017 11:59:13 -0700
|
|
|
df3ea4 |
Subject: [PATCH] Deprecate RhostsRSAAuthentication as it have been deprecated
|
|
|
df3ea4 |
in 7.4
|
|
|
df3ea4 |
|
|
|
df3ea4 |
- Fixes #2478
|
|
|
df3ea4 |
---
|
|
|
df3ea4 |
shared/checks/oval/sshd_disable_rhosts_rsa.xml | 7 +++++--
|
|
|
df3ea4 |
shared/xccdf/services/ssh.xml | 9 +++++++++
|
|
|
df3ea4 |
2 files changed, 14 insertions(+), 2 deletions(-)
|
|
|
df3ea4 |
|
|
|
df3ea4 |
diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
|
|
|
df3ea4 |
index d7e00fafc..2abf88c70 100644
|
|
|
df3ea4 |
--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml
|
|
|
df3ea4 |
+++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
|
|
|
df3ea4 |
@@ -15,8 +15,11 @@
|
|
|
df3ea4 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
df3ea4 |
|
|
|
df3ea4 |
definition_ref="sshd_required_or_unset" />
|
|
|
df3ea4 |
-
|
|
|
df3ea4 |
- negate="true" test_ref="test_sshd_disable_rhosts_rsa" />
|
|
|
df3ea4 |
+ <criteria comment="SSH version is equal or higher than 7.4 has deprecated RhostsRSAAuthentication" operator="OR">
|
|
|
df3ea4 |
+ <extend_definition comment="OpenSSH version 7.4 or higher has deprecated RhostsRSAAuthentication" definition_ref="sshd_version_equal_or_higher_than_74" />
|
|
|
df3ea4 |
+
|
|
|
df3ea4 |
+ negate="true" test_ref="test_sshd_disable_rhosts_rsa" />
|
|
|
df3ea4 |
+ </criteria>
|
|
|
df3ea4 |
</criteria>
|
|
|
df3ea4 |
</criteria>
|
|
|
df3ea4 |
</definition>
|
|
|
df3ea4 |
diff --git a/shared/xccdf/services/ssh.xml b/shared/xccdf/services/ssh.xml
|
|
|
df3ea4 |
index 6edd47ab8..53c28faa9 100644
|
|
|
df3ea4 |
--- a/shared/xccdf/services/ssh.xml
|
|
|
df3ea4 |
+++ b/shared/xccdf/services/ssh.xml
|
|
|
df3ea4 |
@@ -603,6 +603,11 @@ following line in <tt>/etc/ssh/sshd_config</tt>:
|
|
|
df3ea4 |
RhostsRSAAuthentication no
|
|
|
df3ea4 |
</description>
|
|
|
df3ea4 |
<ocil>
|
|
|
df3ea4 |
+To check which SSH protocol version is allowed, check version of
|
|
|
df3ea4 |
+<tt>openssh-server</tt> with following command:
|
|
|
df3ea4 |
+$ rpm -qi openssh-server | grep Version
|
|
|
df3ea4 |
+Versions equal to or higher than 7.4 have deprecated the <tt>RhostsRSAAuthentication</tt> option.
|
|
|
df3ea4 |
+If version is lower than 7.4, run the following command to check configuration:
|
|
|
df3ea4 |
<sshd-check-macro option="RhostsRSAAuthentication" value="no" default="yes" />
|
|
|
df3ea4 |
</ocil>
|
|
|
df3ea4 |
<rationale>
|
|
|
df3ea4 |
@@ -610,6 +615,10 @@ Configuring this setting for the SSH daemon provides additional
|
|
|
df3ea4 |
assurance that remove login via SSH will require a password, even
|
|
|
df3ea4 |
in the event of misconfiguration elsewhere.
|
|
|
df3ea4 |
</rationale>
|
|
|
df3ea4 |
+<warning category="general">As of <tt>openssh-server</tt> version <tt>7.4</tt> and above,
|
|
|
df3ea4 |
+the <tt>RhostsRSAAuthentication</tt> option has been deprecated, and the line
|
|
|
df3ea4 |
+RhostsRSAAuthentication no in <tt>/etc/ssh/sshd_config</tt> is not
|
|
|
df3ea4 |
+necessary.</warning>
|
|
|
df3ea4 |
<ident prodtype="rhel7" cce="80373-4" />
|
|
|
df3ea4 |
<oval id="sshd_disable_rhosts_rsa" value="sshd_required" />
|
|
|
df3ea4 |
<ref prodtype="rhel7" stigid="040330" />
|