1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
documentation_complete: true
title: 'OpenSSH Service Must Use Passcode for Their Private Keys'
description: |-
Verify the SSH private key files have a passcode.
For each private key stored on the system, use the following command:
<pre>$ sudo ssh-keygen -y -f /path/to/file</pre>
If the contents of the key are displayed, without asking a passphrase this is a finding.
rationale: |-
If an unauthorized user obtains access to a private key without a passcode, that user would
have unauthorized access to any system where the associated public key has been installed.
severity: medium
identifiers:
cce@rhel9: CCE-86194-8
cce@slmicro5: CCE-94086-6
cce@slmicro6: CCE-94668-1
references:
nist: IA-5(2),IA-5(2).1
srg: SRG-OS-000067-GPOS-00035
ocil_clause: Any contents were displayed without asking a passphrase
ocil: |-
For each private key stored on the system, use the following command:
<pre>$ sudo ssh-keygen -y -f /path/to/file</pre>
fixtext: |-
Set a passphrase to all keys that didn't have it with the following command:
<pre>$ sudo ssh-keygen -p -N passphrase -f /path/to/file</pre>
|
