skyler / rpms / scap-security-guide

Forked from rpms/scap-security-guide 3 years ago
Clone
Source Code
GIT

Files

  1.   0950b51a2b23c51c62f84b615ca21268ad9beeea
  2.   SOURCES
  3.   scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch
Blob Blame History Raw 
From 44d270133421722ac0dfa0af9756b73d582f4d56 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Fri, 8 Dec 2017 11:59:13 -0700
Subject: [PATCH] Deprecate RhostsRSAAuthentication as it have been deprecated
 in 7.4

- Fixes #2478
---
 shared/checks/oval/sshd_disable_rhosts_rsa.xml | 7 +++++--
 shared/xccdf/services/ssh.xml                  | 9 +++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
index d7e00fafc..2abf88c70 100644
--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml
+++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
@@ -15,8 +15,11 @@
       <criteria comment="sshd is installed and configured" operator="AND">
         <extend_definition comment="sshd is required and installed, or requirement is unset"
         definition_ref="sshd_required_or_unset" />
-        <criterion comment="Check RhostsRSAAuthentication in /etc/ssh/sshd_config"
-        negate="true" test_ref="test_sshd_disable_rhosts_rsa" />
+        <criteria comment="SSH version is equal or higher than 7.4 has deprecated RhostsRSAAuthentication" operator="OR">
+          <extend_definition comment="OpenSSH version 7.4 or higher has deprecated RhostsRSAAuthentication" definition_ref="sshd_version_equal_or_higher_than_74" />
+          <criterion comment="Check RhostsRSAAuthentication in /etc/ssh/sshd_config"
+          negate="true" test_ref="test_sshd_disable_rhosts_rsa" />
+        </criteria>
       </criteria>
     </criteria>
   </definition>
diff --git a/shared/xccdf/services/ssh.xml b/shared/xccdf/services/ssh.xml
index 6edd47ab8..53c28faa9 100644
--- a/shared/xccdf/services/ssh.xml
+++ b/shared/xccdf/services/ssh.xml
@@ -603,6 +603,11 @@ following line in <tt>/etc/ssh/sshd_config</tt>:
 <pre>RhostsRSAAuthentication no</pre>
 </description>
 <ocil>
+To check which SSH protocol version is allowed, check version of
+<tt>openssh-server</tt> with following command:
+<pre>$ rpm -qi openssh-server | grep Version</pre>
+Versions equal to or higher than 7.4 have deprecated the <tt>RhostsRSAAuthentication</tt> option.
+If version is lower than 7.4, run the following command to check configuration:
 <sshd-check-macro option="RhostsRSAAuthentication" value="no" default="yes" />
 </ocil>
 <rationale>
@@ -610,6 +615,10 @@ Configuring this setting for the SSH daemon provides additional
 assurance that remove login via SSH will require a password, even
 in the event of misconfiguration elsewhere.
 </rationale>
+<warning category="general">As of <tt>openssh-server</tt> version <tt>7.4</tt> and above,
+the <tt>RhostsRSAAuthentication</tt> option has been deprecated, and the line
+<pre>RhostsRSAAuthentication no</pre> in <tt>/etc/ssh/sshd_config</tt> is not
+necessary.</warning>
 <ident prodtype="rhel7" cce="80373-4" />
 <oval id="sshd_disable_rhosts_rsa" value="sshd_required" />
 <ref prodtype="rhel7" stigid="040330" />

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation