© Copyright IBM Corporation, 1997, 2014 - All Rights Reserved

SSH Technical Specification
Version 1.0, 25 July 2018

Server/System name: ORACLE RAC

Document Template version:

Version - Release Levels:
Ensure the product versions reflect those supported by the client.
• OpenSSH
• F-Secure SSH
• SSH Communications Secure Shell
• VanDyke VShell for Windows
• SunSSH (Solaris Secure Shell)
• RemotelyAnywhere for Windows
• Attachmate Reflection for Secure IT UNIX Server
• Attachmate Reflection for Secure IT Windows Server
• Bitvise WinSSHD

Tech Spec Review
Date Reviewed (mm/dd/yy):
Name(s) of Individuals:
Role:
Special Considerations for this Tech Spec:
Notes:

Review Comments
Exception to requirement (tech spec reference) | Customer Requirement | Potential Threat

Requirement type legend (first column of the tables that follow):
B = baseline
S = healthcheck and baseline
I = Informational requirement, no requirement to B or S
P = Process requirement, no requirement to B or S

Each table below carries the columns: Type | Foundation (Y/N) | Section # | System Value/Parameter | Description | Recommended Value | Agreed to Value. The "Agreed to Value" column is left blank for the reviewer to complete.

Section Heading: Password Requirements

Type | Foundation | Section # | System Value/Parameter | Description | Recommended Value | Agreed to Value
---- | ---------- | --------- | ---------------------- | ----------- | ----------------- | ---------------
I | Y | AV.1.1.0 | Username/Password Authentication | No requirements in this category | No requirements in this category |
S | Y | AV.1.1.1 | PermitEmptyPasswords (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Allows login to accounts with empty password strings. | no |
S | Y | AV.1.1.2 | Disallow Blank Passwords (VanDyke VShell Only - OS: Windows) | Disallows login to accounts with empty password strings. | 1 |
S | Y | AV.1.1.3 | Authentication - Password - Permit empty passwords (Attachmate RSIT Windows Server Only - OS: Windows) | Allows login to accounts with empty password strings. | Must not be selected. |

Section Heading: Logging

Type | Foundation | Section # | System Value/Parameter | Description | Recommended Value | Agreed to Value
---- | ---------- | --------- | ---------------------- | ----------- | ----------------- | ---------------
I | Y | AV.1.2.1.1 | Note (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Determines the level of logging. | On most OS platforms, the standard system access logs are sufficient to record the required auditable records. |
S | Y | AV.1.2.1.2 | LogLevel (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Determines the level of logging. | If the OS platform does not record the required auditable records, logging must be performed through the syslog subsystem. If logging is performed through syslog, the LogLevel must be set to INFO or higher. Must be set to VERBOSE or higher if multiple keys are used to access shared IDs. |
S | Y | AV.1.2.1.3 | LogLevel (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Determines the level of logging. | If any DEBUG level is specified, the resultant log files must be accessible only by the superuser (e.g. root or administrator) account in order to maintain privacy of user data. |
S | Y | AV.1.2.2 | QuietMode (F-Secure/SSH Communications Only - OS: Unix, Linux) | Specifies that only fatal errors should be logged. | no |
S | Y | AV.1.2.3.1 | Log Topic Authentication (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1 |
S | Y | AV.1.2.3.2 | Log Topic Error (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1 |
S | Y | AV.1.2.3.3 | Log Topic Forward (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1 |
S | Y | AV.1.2.3.4 | Log Topic Info (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1 |
S | Y | AV.1.2.3.5 | Log Topic SFTP (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1 |
S | Y | AV.1.2.3.6 | Log Topic Warning (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1 |
S | Y | AV.1.2.4.1 | Server - Logging - Log to Windows Event Log (Bitvise WinSSHD Only - OS: Windows) | Configures logging to the Windows Event Log. | If selected, the "Server - Logging - Windows Event Log logging level" parameter must be set to at least "Errors, Warnings". |
S | Y | AV.1.2.4.2 | Server - Logging - Log to textual log file (Bitvise WinSSHD Only - OS: Windows) | Configures logging to a log file. | If selected, the "Server - Logging - Textual log file logging level" parameter must be set to at least "Errors, Warnings". |
S | Y | AV.1.2.4.3 | Event Logging - Enable logging to Windows Event Viewer (Attachmate RSIT Windows Server Only - OS: Windows) | Configures logging to the Windows Event Log. | If selected, must be configured to capture at least "Errors" and "Warnings". |
S | Y | AV.1.2.4.4 | Debug Logging - Enable debug logging to log file (Attachmate RSIT Windows Server Only - OS: Windows) | Configures logging to a log file. | If selected, must be configured to capture at least "Errors" and "Warnings". |
B | Y | AV.1.2.4 | Retain Log Files | None | 90 days |

Section Heading: AntiVirus

Type | Foundation | Section # | System Value/Parameter | Description | Recommended Value | Agreed to Value
---- | ---------- | --------- | ---------------------- | ----------- | ----------------- | ---------------
I | Y | AV.1.3.0 | No requirements in this category | No requirements in this category | No requirements in this category |

Section Heading: System Settings

Type | Foundation | Section # | System Value/Parameter | Description | Recommended Value | Agreed to Value
---- | ---------- | --------- | ---------------------- | ----------- | ----------------- | ---------------
B | N | AV.1.4.1 | KeepAlive (OpenSSH 3.7 and prior/SunSSH/Attachmate RSIT UNIX Server - OS: Unix, Linux) | Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions. | yes |
B | N | AV.1.4.2 | TCPKeepAlive (OpenSSH 3.8 and greater - OS: Unix, Linux) | Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions. | yes |
B | N | AV.1.4.3 | LoginGraceTime (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | The number of seconds before the server disconnects a session that has not been successfully authenticated. | 120 or less and must not be 0 |
B | N | AV.1.4.4 | MaxConnections (F-Secure/SSH Communications Only - OS: Unix, Linux) | The maximum number of simultaneous sessions that can be open to the server. | 100 or less, unless there is a valid need for more simultaneous connections |
B | N | AV.1.4.5 | MaxStartups (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | The maximum number of simultaneous, unauthenticated sessions that can be open to the server. | 100 or less. Alternatively, the MaxStartups option can be configured using the "start:rate:full" syntax. The setting for "full" must not exceed 100. |
B | N | AV.1.4.6 | Keep Alive (VanDyke VShell Only - OS: Windows) | Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions. | 1 |
B | N | AV.1.4.7 | Authentication Timeout (VanDyke VShell Only - OS: Windows) | The number of seconds before the server disconnects a session that has not been successfully authenticated. | 120 or less |
B | N | AV.1.4.8 | MaxAuthTries (OpenSSH 3.9 and greater / SunSSH - OS: Unix, Linux) | Specifies the maximum number of authentication attempts permitted per connection. | 5 or less |
B | N | AV.1.4.9 | Maximum Authentication Retries (VanDyke VShell Only - OS: Windows) | Specifies the maximum number of authentication attempts permitted per connection. | 5 or less |
B | N | AV.1.4.10 | Session - Keep-alive / broken session detection (Bitvise WinSSHD Only - OS: Windows) | The number of seconds of inactivity before the server will send a keep-alive request to the client. | 60 or less, and must not be 0 |
B | N | AV.1.4.11 | Session - Login timeout (Bitvise WinSSHD Only - OS: Windows) | The number of seconds before the server disconnects a session that has not been successfully authenticated. | 120 or less, and must not be 0 |
B | N | AV.1.4.12 | Session - Maximum login attempts (Bitvise WinSSHD Only - OS: Windows) | Specifies the maximum number of authentication attempts permitted per connection. | 5 or less |
B | N | AV.1.4.13 | Session - Maximum total sessions (Bitvise WinSSHD Only - OS: Windows) | The maximum number of simultaneous sessions that can be open to the server. | 100 or less |
B | N | AV.1.4.14 | AuthKbdInt.Retries (Attachmate RSIT UNIX Server Only - OS: Unix) | Specifies the maximum number of authentication attempts permitted per connection. | 5 or less |
B | N | AV.1.4.15 | Network - Client keep alive (Attachmate RSIT Windows Server Only - OS: Windows) | The number of seconds the server waits between sending keepalive messages to the client. | 60 or less, and must not be 0 |
B | N | AV.1.4.16 | Authentication - Grace time for completion of authentication process (Attachmate RSIT Windows Server Only - OS: Windows) | The number of seconds before the server disconnects a session that has not been successfully authenticated. | 120 or less, and must not be 0 |
B | N | AV.1.4.17 | Authentication - Password - Number of password attempts (Attachmate RSIT Windows Server Only - OS: Windows) | Specifies the maximum number of password authentication attempts permitted per connection. | 5 or less |
B | N | AV.1.4.18 | General - Maximum number of connections (Attachmate RSIT Windows Server Only - OS: Windows) | The maximum number of simultaneous sessions that can be open to the server. | 100 or less |

Section Heading: Network Settings

Type | Foundation | Section # | System Value/Parameter | Description | Recommended Value | Agreed to Value
---- | ---------- | --------- | ---------------------- | ----------- | ----------------- | ---------------
B | N | AV.1.5.1 | KeyRegenerationInterval (OpenSSH/SunSSH Only - OS: Unix, Linux) | The number of seconds that elapse between regenerations of the server's ephemeral key. | 3600 or less, and must not be 0 |
B | N | AV.1.5.2 | Protocol (OpenSSH/SunSSH Only - OS: Unix, Linux) | The SSH protocol(s) that are accepted by the server. SSH Protocol 1 is known to contain inherent weaknesses. Therefore, Protocol 2 must be enabled. Protocol 1 is permissible only in situations where interoperability issues prevent the use of Protocol 2. | "2", "2,1" or "1,2" |
B | N | AV.1.5.3 | SSH1ServerKeyTime (RemotelyAnywhere Only - OS: Windows) | The number of seconds that elapse between regenerations of the server's ephemeral key. | 3600 or less, and must not be 0 |
B | N | AV.1.5.4 | SSH2 (RemotelyAnywhere Only - OS: Windows) | Configures the server to accept the SSH2 protocol. Protocol 1 is known to contain inherent weaknesses. Therefore, Protocol 2 must be enabled. Protocol 1 is permissible only in situations where interoperability issues prevent the use of Protocol 2. | 1 |
B | N | AV.1.5.5 | GatewayPorts (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Specifies whether remote hosts are allowed to connect to ports forwarded for the client. Can be used to bypass firewall controls. | no |
B | N | AV.1.5.6 | Access control - Windows groups; Access control - Windows accounts; Access control - Virtual groups; Access control - Virtual accounts (Bitvise WinSSHD Only - OS: Windows) | Configures access controls for users and groups. | The "Permit S2C port forwarding" parameter must not be enabled for any users/groups. |
B | N | AV.1.5.7 | Permissions - Allow server to client (remote) port forwarding (Attachmate RSIT Windows Server Only - OS: Windows) | Specifies whether remote hosts are allowed to connect to ports forwarded for the client. Can be used to bypass firewall controls. | Must not be enabled. |

Section Heading: Identify and Authenticate Users

Type | Foundation | Section # | System Value/Parameter | Description | Recommended Value | Agreed to Value
---- | ---------- | --------- | ---------------------- | ----------- | ----------------- | ---------------
S | N | AV.1.7.1.1 | PermitRootLogin (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Permits the root user to login remotely. | May be set to "forced-commands-only" or "without-password" only if mechanisms are in place to determine the identity of the individual accessing the system. Otherwise, must be set to "no". |
B | N | AV.1.7.1.2 | PermitRootLogin forced-commands; PermitRootLogin without-password; PermitRootLogin yes (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Permits the root user to login remotely. | If public-key authentication is used to access the root account, separate private keys must be used for each individual and logs must be maintained showing which individuals have accessed the root account. |
P | N | AV.1.7.2 | Public Key Authentication | Public key authentication allows a user to authenticate to a system without the use of a password. | Keys used for authentication must meet the required bit length value for public key algorithms specified in the base policy. The key pairs do not need to be updated periodically. However, if the private key is suspected to have been compromised, the public and private keys must be regenerated. |
P | N | AV.1.7.3.1 | Host-Based Authentication | Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication. | All hosts from which the system is to be accessed using host-based authentication must be subject to the requirements of this document. |
B | N | AV.1.7.3.2 | Host-Based Authentication, /etc/hosts.equiv file | Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication. | Must not be used to enable host-based authentication. |
B | N | AV.1.7.3.3 | Host-Based Authentication, /etc/shosts.equiv file | Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication. | Must be used if host-based authentication is enabled. This prevents unintentionally permitting access via the rsh/rlogin/rcp commands. |
P | N | AV.1.7.4 | PubkeyAuthentication (OpenSSH/SunSSH Only - OS: Unix, Linux) | Permits users to login using public/private key pairs. | If set to "yes", the requirements in the "Public Key Authentication" section must be applied. |
P | N | AV.1.7.5 | RSAAuthentication (OpenSSH/SunSSH Only - OS: Unix, Linux) | Specifies whether pure RSA authentication is allowed. | If set to "yes", the requirements in the "Public Key Authentication" section must be applied. |
P | N | AV.1.7.6 | HostbasedAuthentication (OpenSSH/SunSSH Only - OS: Unix, Linux) | Specifies whether host-based authentication is allowed. | If set to "yes", the requirements in the "Host-Based Authentication" section must be applied. |
P | N | AV.1.7.7 | AllowedAuthentications (F-Secure/SSH Communications/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Specifies the authentication mechanisms that are allowed. | If the setting contains "publickey", the requirements in the "Public Key Authentication" section must be applied. If the setting contains "hostbased", the requirements in the "Host-Based Authentication" section must be applied. |
P | N | AV.1.7.8 | Authentications Allowed (VanDyke VShell Only - OS: Windows) | Specifies the authentication mechanisms that are allowed. | If the setting contains "publickey", the requirements in the "Public Key Authentication" section must be applied. |
P | N | AV.1.7.9 | AuthPubkey (RemotelyAnywhere Only - OS: Windows) | Permits users to login using public/private key pairs. | If set to 1, the requirements in the "Public Key Authentication" section must be applied. |
P | N | AV.1.7.10 | Access control - Windows groups; Access control - Windows accounts; Access control - Virtual groups; Access control - Virtual accounts (Bitvise WinSSHD Only - OS: Windows) | Configures access controls for users and groups. | If any Windows or Virtual users/groups have "Public key authentication" set to "allowed", the requirements in the "Public Key Authentication" section must be applied. |
P | N | AV.1.7.11 | Authentication - Public Key - Public key authentication (Attachmate RSIT Windows Server Only - OS: Windows) | Permits users to login using public/private key pairs. | If the setting is "Allowed" or "Required", the requirements in the "Public Key Authentication" section must be applied. |
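An added example, not part of the IBM document, that checks an OpenSSH sshd_config against the Unix/Linux recommended values in the Password Requirements, Logging, System Settings, Network Settings and Identify and Authenticate Users rows above; the parser, the PASS/FAIL/REVIEW/UNSET status names and both sample configs are this example's own constructions.

```python
"""Audit an OpenSSH sshd_config against the Unix/Linux rows above.
Added example, not part of the spec: thresholds follow AV.1.1.1, AV.1.2.1.2/3,
AV.1.4.2/3/5/8, AV.1.5.1/2/5 and AV.1.7.1.1; the parser, status names and the
two constructed sample configs are this example's own."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section keyword status detail")  # status: PASS, FAIL, REVIEW, UNSET
# Constructed samples (not from a real host): one with deviations, one compliant.
SAMPLE_SSHD_CONFIG = "\n".join([
    "Protocol 2,1", "PermitEmptyPasswords yes", "LogLevel QUIET", "LoginGraceTime 0",
    "MaxStartups 10:30:200", "MaxAuthTries 6", "GatewayPorts yes", "PermitRootLogin yes",
    "TCPKeepAlive yes", "KeyRegenerationInterval 3600", "Match User backup", "LogLevel DEBUG"])
HARDENED_SSHD_CONFIG = "\n".join([
    "Protocol 2", "PermitEmptyPasswords no", "LogLevel INFO", "TCPKeepAlive yes",
    "LoginGraceTime 2m", "MaxStartups 10:30:100", "MaxAuthTries 5",
    "KeyRegenerationInterval 1h", "GatewayPorts no", "PermitRootLogin no"])
LOG_LEVELS = ["QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"]
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_sshd_config(text):
    """{keyword_lower: first value} of the global section. sshd honours the first
    occurrence of a keyword; parsing stops at the first Match block, whose
    conditional settings must be reviewed separately."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def parse_seconds(value):
    """sshd time values such as '120', '2m' or '1h30m' -> seconds."""
    return sum(int(n) * TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def expect(required):
    return lambda v: ("PASS" if v.lower() == required else "FAIL", f"required '{required}'")
def seconds_in_range(limit):   # "N or less, and must not be 0"
    return lambda v: ("PASS" if 0 < parse_seconds(v) <= limit else "FAIL", f"required 1..{limit} seconds")
def max_int(limit):
    return lambda v: ("PASS" if v.isdigit() and int(v) <= limit else "FAIL", f"required {limit} or less")

def log_level(v):
    lvl = v.upper()
    if lvl not in LOG_LEVELS or LOG_LEVELS.index(lvl) < LOG_LEVELS.index("INFO"):
        return "FAIL", "must be INFO or higher (VERBOSE or higher if shared IDs use multiple keys)"
    if lvl.startswith("DEBUG"):
        return "REVIEW", "DEBUG logging: log files must be readable only by the superuser (AV.1.2.1.3)"
    return "PASS", "INFO or higher"

def max_startups(v):
    full = v.split(":")[-1]   # plain "100" or "start:rate:full"; the cap applies to 'full'
    return ("PASS" if full.isdigit() and int(full) <= 100 else "FAIL", f"'full' is {full!r}, required 100 or less")

def protocol(v):
    versions = {p.strip() for p in v.split(",")}
    if "2" not in versions:
        return "FAIL", "Protocol 2 must be enabled"
    if "1" in versions:
        return "REVIEW", "Protocol 1 enabled: permissible only for documented interoperability needs"
    return "PASS", "Protocol 2 only"

def permit_root_login(v):
    if v.lower() == "no":
        return "PASS", "root login disabled"
    if v.lower() in ("forced-commands-only", "without-password"):
        return "REVIEW", "only if the individual using root is identifiable; separate keys and access logs (AV.1.7.1.2)"
    return "FAIL", "must be 'no' unless the AV.1.7.1.1 conditions are met"

RULES = [
    ("AV.1.1.1", "PermitEmptyPasswords", expect("no")),
    ("AV.1.2.1.2", "LogLevel", log_level),
    ("AV.1.4.2", "TCPKeepAlive", expect("yes")),
    ("AV.1.4.3", "LoginGraceTime", seconds_in_range(120)),
    ("AV.1.4.5", "MaxStartups", max_startups),
    ("AV.1.4.8", "MaxAuthTries", max_int(5)),
    ("AV.1.5.1", "KeyRegenerationInterval", seconds_in_range(3600)),
    ("AV.1.5.2", "Protocol", protocol),
    ("AV.1.5.5", "GatewayPorts", expect("no")),
    ("AV.1.7.1.1", "PermitRootLogin", permit_root_login),
]

def audit(text):
    """One Finding per rule. An absent keyword is reported as UNSET rather than
    guessed, because the compiled-in default depends on the OpenSSH version."""
    settings, findings = parse_sshd_config(text), []
    for section, keyword, rule in RULES:
        value = settings.get(keyword.lower())
        if value is None:
            findings.append(Finding(section, keyword, "UNSET", "keyword absent; confirm the default"))
        else:
            status, detail = rule(value)
            findings.append(Finding(section, keyword, status, f"{keyword} {value}: {detail}"))
    return findings

def status_by_keyword(text):
    return {f.keyword: f.status for f in audit(text)}
```

Running `audit(open("/etc/ssh/sshd_config").read())` on a host gives one finding per row, with REVIEW marking the values the spec permits only under a documented condition.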

Section Heading: Protecting Resources – OSRs

Type | Foundation | Section # | System Value/Parameter | Description | Recommended Value | Agreed to Value
---- | ---------- | --------- | ---------------------- | ----------- | ----------------- | ---------------
P | N | AV.1.8.0.1 | Note | none | Source code must be validated against trusted MD5 or PGP signatures to ensure that the code has not been compromised and to eliminate the threat of compile-time trojan horse attacks. Alternatively, pre-compiled distributions may be used if they originate from a trusted source. |
I | N | AV.1.8.1.1 | Note | /opt/freeware/ | The files in the "Executable and Libraries" section below typically reside in one of these directories. |
I | N | AV.1.8.1.2 | Note | /usr/ | The files in the "Executable and Libraries" section below typically reside in one of these directories. |
I | N | AV.1.8.1.3 | Note | /usr/local/ | The files in the "Executable and Libraries" section below typically reside in one of these directories. |
I | N | AV.1.8.1.4 | Note | /usr/openssh/ | The files in the "Executable and Libraries" section below typically reside in one of these directories. |
I | N | AV.1.8.1.5 | Note | /usr/ssh/ | The files in the "Executable and Libraries" section below typically reside in one of these directories. |
I | N | AV.1.8.2.0 | Note | All SSH server configuration files, executables and libraries must be treated as OSR objects. | The following is a minimum set of SSH server files that must be treated as OSRs: |

S N AV.1.8.2.1 Protecting Resources – OSRs bin/openssl OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.
S N AV.1.8.2.2 Protecting Resources – OSRs bin/scp OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.3 Protecting Resources – OSRs bin/scp2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.4 Protecting Resources – OSRs bin/sftp OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.5 Protecting Resources – OSRs bin/sftp2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.6 Protecting Resources – OSRs bin/sftp-server OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.7 Protecting Resources – OSRs bin/sftp-server2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.8 Protecting Resources – OSRs bin/slogin OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.9 Protecting Resources – OSRs bin/ssh OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.10 Protecting Resources – OSRs bin/ssh2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.11 Protecting Resources – OSRs bin/ssh-add OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.12 Protecting Resources – OSRs bin/ssh-add2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.13 Protecting Resources – OSRs bin/ssh-agent OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.14 Protecting Resources – OSRs bin/ssh-agent2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.15 Protecting Resources – OSRs bin/ssh-askpass OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.16 Protecting Resources – OSRs bin/ssh-askpass2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.17 Protecting Resources – OSRs bin/ssh-certenroll2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.18 Protecting Resources – OSRs bin/ssh-chrootmgr OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.19 Protecting Resources – OSRs bin/ssh-dummy-shell OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.20 Protecting Resources – OSRs bin/ssh-keygen OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.21 Protecting Resources – OSRs bin/ssh-keygen2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.22 Protecting Resources – OSRs bin/ssh-keyscan OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.23 Protecting Resources – OSRs bin/ssh-pam-client OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.24 Protecting Resources – OSRs bin/ssh-probe OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.25 Protecting Resources – OSRs bin/ssh-probe2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.
S N AV.1.8.2.26 Protecting Resources – OSRs bin/ssh-pubkeymgr OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.27 Protecting Resources – OSRs bin/ssh-signer OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.28 Protecting Resources – OSRs bin/ssh-signer2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.29 Protecting Resources – OSRs lib/libcrypto.a OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.30 Protecting Resources – OSRs lib/libssh.a OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.31 Protecting Resources – OSRs lib/libssl.a OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.32 Protecting Resources – OSRs lib/libz.a OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.33 Protecting Resources – OSRs lib-exec/openssh/sftp- OSR Executable and Libraries If the file exists, it must be treated as an
server (OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.34 Protecting Resources – OSRs lib-exec/openssh/ssh- OSR Executable and Libraries If the file exists, it must be treated as an
keysign (OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.35 Protecting Resources – OSRs lib-exec/openssh/ssh- OSR Executable and Libraries If the file exists, it must be treated as an
askpass (OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.36 Protecting Resources – OSRs lib-exec/sftp-server OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.37 Protecting Resources – OSRs lib-exec/ssh-keysign OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.38 Protecting Resources – OSRs lib-exec/ssh-rand-helper OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.39 Protecting Resources – OSRs libexec/openssh/sftp- OSR Executable and Libraries If the file exists, it must be treated as an
server (OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.40 Protecting Resources – OSRs libexec/openssh/ssh- OSR Executable and Libraries If the file exists, it must be treated as an
keysign (OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.41 Protecting Resources – OSRs libexec/openssh/ssh- OSR Executable and Libraries If the file exists, it must be treated as an
askpass (OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.42 Protecting Resources – OSRs libexec/sftp-server OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.43 Protecting Resources – OSRs libexec/ssh-keysign OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.44 Protecting Resources – OSRs libexec/ssh-rand-helper OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.45 Protecting Resources – OSRs sbin/sshd OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.46 Protecting Resources – OSRs sbin/sshd2 OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.47 Protecting Resources – OSRs sbin/sshd-check-conf OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.49 Protecting Resources – OSRs /lib/svc/method/sshd OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.2.50 Protecting Resources – OSRs /usr/lib/ssh/sshd OSR Executable and Libraries If the file exists, it must be treated as an
(OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.
S N AV.1.8.3.1 Protecting Resources – OSRs / OSR Configuration File If the file exists, it must be treated as an
etc/openssh/sshd_config (OS: Unix/Linux) OSR. Must be owned by a system user
and group. Permissions for other must
be r-x or more restrictive.

S N AV.1.8.3.2 Protecting Resources – OSRs
  System Value/Parameter: /etc/ssh/sshd_config (OS: Unix/Linux)
  Description: OSR Configuration File
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S N AV.1.8.3.3 Protecting Resources – OSRs
  System Value/Parameter: /etc/ssh/sshd2_config (OS: Unix/Linux)
  Description: OSR Configuration File
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S N AV.1.8.3.4 Protecting Resources – OSRs
  System Value/Parameter: /etc/ssh2/sshd_config (OS: Unix/Linux)
  Description: OSR Configuration File
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S N AV.1.8.3.5 Protecting Resources – OSRs
  System Value/Parameter: /etc/ssh2/sshd2_config (OS: Unix/Linux)
  Description: OSR Configuration File
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S N AV.1.8.3.6 Protecting Resources – OSRs
  System Value/Parameter: /etc/sshd_config (OS: Unix/Linux)
  Description: OSR Configuration File
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S N AV.1.8.3.7 Protecting Resources – OSRs
  System Value/Parameter: /etc/sshd2_config (OS: Unix/Linux)
  Description: OSR Configuration File
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S N AV.1.8.3.8 Protecting Resources – OSRs
  System Value/Parameter: /usr/local/etc/sshd_config (OS: Unix/Linux)
  Description: OSR Configuration File
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S N AV.1.8.3.9 Protecting Resources – OSRs
  System Value/Parameter: /usr/local/etc/sshd2_config (OS: Unix/Linux)
  Description: OSR Configuration File
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S N AV.1.8.3.10 Protecting Resources – OSRs
  System Value/Parameter: /usr/lib/ssh/ssh-keysign (OS: Unix/Linux)
  Description: OSR Executable and Libraries
  Recommended Value: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.
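The Unix OSR rows above (AV.1.8.3.2 through AV.1.8.3.10) all reduce to the same three checks: the file exists, it is owned by a system user and group, and the permission bits for "other" carry no write bit. The script below is an added example written for this page, not part of the IBM specification or of any SSH product; it reads each candidate path, evaluates the three checks, and reports only the files that exist and fail. The reading of "system user/group" as a uid/gid of 999 or below is an assumption (the cut-off differs between platforms and should be taken from the applicable OS Technical Specification), and the path list is copied from the rows above.

```python
import os
import stat
from dataclasses import dataclass

# Candidate OSR paths named by AV.1.8.3.2 .. AV.1.8.3.10 above.
OSR_CONFIG_FILES = [
    "/etc/ssh/sshd_config",
    "/etc/ssh/sshd2_config",
    "/etc/ssh2/sshd_config",
    "/etc/ssh2/sshd2_config",
    "/etc/sshd_config",
    "/etc/sshd2_config",
    "/usr/local/etc/sshd_config",
    "/usr/local/etc/sshd2_config",
]
OSR_EXECUTABLES = ["/usr/lib/ssh/ssh-keysign"]

# Assumption: a "system user/group" has a uid/gid at or below this value
# (999 on most Linux distributions; take the real cut-off from the OS spec).
SYSTEM_ID_MAX = 999


@dataclass
class OsrFinding:
    path: str
    exists: bool
    owner_ok: bool
    group_ok: bool
    other_ok: bool
    mode: str  # symbolic mode such as -rw-r--r--; empty when the file is absent


def other_bits_ok(mode: int) -> bool:
    """'r-x or more restrictive' for other means the other-write bit is clear."""
    return not (mode & stat.S_IWOTH)


def evaluate(uid: int, gid: int, mode: int, system_id_max: int = SYSTEM_ID_MAX):
    """Pure check on stat values: (owner_ok, group_ok, other_ok)."""
    return uid <= system_id_max, gid <= system_id_max, other_bits_ok(mode)


def check_osr(path: str, system_id_max: int = SYSTEM_ID_MAX) -> OsrFinding:
    """Evaluate one candidate OSR. A missing file is compliant by the spec's wording."""
    try:
        st = os.stat(path)  # follows symlinks, so the real file is what gets judged
    except FileNotFoundError:
        return OsrFinding(path, False, True, True, True, "")
    owner_ok, group_ok, other_ok = evaluate(st.st_uid, st.st_gid, st.st_mode, system_id_max)
    return OsrFinding(path, True, owner_ok, group_ok, other_ok, stat.filemode(st.st_mode))


def audit_osrs(paths=None, system_id_max: int = SYSTEM_ID_MAX):
    """Return findings for files that exist and fail at least one of the three checks."""
    candidates = paths if paths is not None else OSR_CONFIG_FILES + OSR_EXECUTABLES
    results = [check_osr(p, system_id_max) for p in candidates]
    return [f for f in results if f.exists and not (f.owner_ok and f.group_ok and f.other_ok)]


if __name__ == "__main__":
    findings = audit_osrs()
    for f in findings:
        print(f"{f.path}: mode {f.mode} owner_ok={f.owner_ok} "
              f"group_ok={f.group_ok} other_ok={f.other_ok}")
    if not findings:
        print("no OSR findings")
```

Run it as a health-check user on the host being reviewed; an empty result means every listed file that exists passes. The Windows rows that follow express the same idea with NTFS ACLs (general users limited to Read & Execute, List Folder Contents and Read) and need an ACL-aware check rather than POSIX mode bits.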

S N AV.1.8.4.1 Protecting Resources – OSRs
  System Value/Parameter: C:\Program Files\F-Secure\ (OS: Windows)
  Description: OSR
  Recommended Value: If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.4.2 Protecting Resources – OSRs
  System Value/Parameter: C:\Program Files\OpenSSH\ (OS: Windows)
  Description: OSR
  Recommended Value: If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.4.3 Protecting Resources – OSRs
  System Value/Parameter: C:\Program Files\SSH Communications Security\ (OS: Windows)
  Description: OSR
  Recommended Value: If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.4.4 Protecting Resources – OSRs
  System Value/Parameter: C:\Program Files\VShell\ (OS: Windows)
  Description: OSR
  Recommended Value: If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.4.5 Protecting Resources – OSRs
  System Value/Parameter: C:\Program Files\RemotelyAnywhere\ (OS: Windows)
  Description: OSR
  Recommended Value: If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.4.6 Protecting Resources – OSRs
  System Value/Parameter: C:\Program Files\Bitvise WinSSHD\ (OS: Windows)
  Description: OSR
  Recommended Value: If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.4.7 Protecting Resources – OSRs
  System Value/Parameter: C:\Program Files\Attachmate\RSecure\ (OS: Windows)
  Description: OSR
  Recommended Value: If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.1 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\bin\scp.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.2 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\bin\ssh.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.3 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\bin\ssh-add.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.4 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\bin\ssh-agent.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.5 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\bin\ssh-host-config (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.6 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\bin\ssh-keygen.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.7 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\bin\ssh-keyscan.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.8 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\bin\ssh-user-config (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.10 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\etc\defaults\etc\sshd_config (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.11 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\etc\sshd_config (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.12 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\usr\sbin\ssh-keysign.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.13 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\usr\sbin\sshd.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

S N AV.1.8.5.14 Protecting Resources – OSRs
  System Value/Parameter: C:\Cygwin\usr\sbin\sftp-server.exe (OS: Windows)
  Description: OSR
  Recommended Value: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
B N AV.1.9.1 Protecting Resources - User Resources
  System Value/Parameter: PermitUserEnvironment
  Description: Permits processing of user environment files, which may allow users to bypass access restrictions. (OpenSSH 3.5/SunSSH 1.2 and greater - OS: Unix, Linux)
  Recommended Value: no

B N AV.1.9.2 Protecting Resources - User Resources
  System Value/Parameter: StrictModes
  Description: Configures SSH to verify ownership and permissions of user files and home directories before allowing logins. (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux)
  Recommended Value: yes

B N AV.1.9.3 Protecting Resources - User Resources
  System Value/Parameter: AcceptEnv
  Description: Permits passing of user environment variables from the client to the server, which may allow users to bypass access restrictions. (OpenSSH 3.9 and greater - OS: Unix, Linux)
  Recommended Value: Must not contain variables matching any of the following patterns: TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME, _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH
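The three user-resource rows above (AV.1.9.1 to AV.1.9.3) are easy to verify mechanically, and the AcceptEnv rule is the one that is easy to get wrong by eye: an entry such as LD_LIBRARY_PATH is caught by the pattern LD_*, and an entry that is itself a wildcard (* or L*) would admit forbidden names even though it matches none of the spec's patterns literally. The audit below is an added example for this page, not code from the IBM specification or from OpenSSH; it parses an sshd_config-style text, applies the spec's forbidden-pattern list in both directions, and falls back to the OpenSSH defaults (PermitUserEnvironment no, StrictModes yes) when a keyword is absent. The two configuration fragments are constructed samples.

```python
import fnmatch
import shlex

# Patterns the specification forbids in AcceptEnv (AV.1.9.3 above).
FORBIDDEN_ENV_PATTERNS = [
    "TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME",
    "_RLD*", "DYLD_*", "LD_*", "LDR_*", "LIBPATH", "SHLIB_PATH",
]


def parse_sshd_config(text):
    """Return (keyword, args, in_match_block) for each effective line.

    Strips comments and blank lines, accepts both 'Keyword value' and
    'Keyword=value' forms, and records whether a line sits inside a Match block.
    """
    entries, in_match = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        keyword = parts[0].lower()
        if keyword == "match":
            in_match = True
        entries.append((keyword, parts[1:], in_match))
    return entries


def env_entry_is_forbidden(entry):
    """True if an AcceptEnv entry would admit a forbidden variable name.

    Checked both ways: a literal entry caught by a spec pattern
    (LD_LIBRARY_PATH vs LD_*) and a glob entry that would catch a spec name
    (* or L* vs LOGNAME). LC_* against LD_* fails both ways and is allowed.
    """
    return any(fnmatch.fnmatchcase(entry, p) or fnmatch.fnmatchcase(p, entry)
               for p in FORBIDDEN_ENV_PATTERNS)


def audit_user_resource_settings(config_text):
    """Return a list of findings for AV.1.9.1, AV.1.9.2 and AV.1.9.3."""
    findings = []
    seen_permit_env = seen_strict = False
    for keyword, args, in_match in parse_sshd_config(config_text):
        value = " ".join(args).lower()
        scope = "Match block" if in_match else "global"
        if keyword == "permituserenvironment":
            seen_permit_env = True
            if value != "no":
                findings.append(f"AV.1.9.1 PermitUserEnvironment ({scope}) is '{value}', must be 'no'")
        elif keyword == "strictmodes":
            seen_strict = True
            if value != "yes":
                findings.append(f"AV.1.9.2 StrictModes is '{value}', must be 'yes'")
        elif keyword == "acceptenv":
            for entry in args:
                if env_entry_is_forbidden(entry):
                    findings.append(f"AV.1.9.3 AcceptEnv ({scope}) admits forbidden pattern: {entry}")
    # OpenSSH defaults apply when the keyword is absent: both are compliant.
    if not seen_permit_env and not seen_strict:
        pass
    return findings


# Constructed sample fragments, not a real host's configuration.
WEAK_CONFIG = """\
Port 22
PermitUserEnvironment yes
StrictModes no
AcceptEnv LANG LC_* LD_LIBRARY_PATH
Match Group sftponly
    AcceptEnv *
"""

HARDENED_CONFIG = """\
Port 22
PermitUserEnvironment no
StrictModes yes
AcceptEnv LANG LC_*
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_user_resource_settings(cfg) or 'no findings'}")
```

Because `sshd -T` prints the effective configuration one keyword per line in the same shape, its output can be fed to `audit_user_resource_settings` to check what the daemon actually enforces rather than what the file appears to say.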

B N AV.2.0.1.1 Business Use Notice
  System Value/Parameter: Business Use Notice
  Description: None
  Recommended Value: The PrintMotd option must be set to "yes".

B N AV.2.0.1.2 Business Use Notice
  System Value/Parameter: Business use Notice - VanDyke Vshell
  Description: None
  Recommended Value: The "MOTD Path" setting must be set to the path of a file that contains the required business use notice.

B N AV.2.0.1.3 Business Use Notice
  System Value/Parameter: Business use Notice - Bitvise WinSSHD
  Description: None
  Recommended Value: The "Session - Banner message file" setting must be set to the path of a file that contains the required business use notice.

B N AV.2.0.1.4 Business Use Notice
  System Value/Parameter: Business use Notice - Attachmate RSIT Windows Server
  Description: None
  Recommended Value: The "General - Banner message file" setting must be set to the path of a file that contains the required business use notice.

B N AV.2.1.1.1 Encryption
  System Value/Parameter: Data Transmission
  Description: None
  Recommended Value: SSL / OpenSSL: If SSH protocol version 1 is enabled, the required bit length value for public key ciphers specified in the policy must be specified in the ServerKeyBits option.

B N AV.2.1.1.2 Encryption
  System Value/Parameter: Data Transmission - All native encryption ciphers
  Description: None
  Recommended Value: Must meet the minimum bit length value specified in the base policy.

B N AV.2.1.1.3 Encryption
  System Value/Parameter: Data Transmission - DES algorithm
  Description: None
  Recommended Value: The DES algorithm uses 56-bit keys and is relatively easy to compromise. Therefore it must not be used.

B N AV.2.1.1.4 Encryption
  System Value/Parameter: Data Transmission - Server host keys
  Description: None
  Recommended Value: Must meet the minimum bit length value for public key ciphers specified in the base policy.

B N AV.2.1.1.5 Encryption
  System Value/Parameter: Algorithms - Encryption
  Description: Configures the encryption algorithms that are used. (Bitvise WinSSHD Only - OS: Windows)
  Recommended Value: The "Algorithms - Encryption" settings must not have "none" selected.

B N AV.2.1.1.6 Encryption
  System Value/Parameter: Encryption - Ciphers
  Description: Configures the encryption algorithms that are used. (Attachmate RSIT Windows Server - OS: Windows)
  Recommended Value: The "Encryption - Ciphers" setting must not be set to "None".

B N AV.2.1.1.7 Encryption
  System Value/Parameter: Authentication - Public Key - Public key minimum length
  Description: Configures the minimum length for public keys. (Attachmate RSIT Windows Server - OS: Windows)
  Recommended Value: The "Authentication - Public Key - Public key minimum length" setting must be 1024 or greater.
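The encryption rows (AV.2.1.1.1 to AV.2.1.1.7) ask two things of a reviewer: that server host keys meet a minimum bit length, and that the negotiable cipher list contains neither "none" nor single DES. On OpenSSH hosts the first is answered by `ssh-keygen -l -f <host key>`, whose output has the shape `<bits> <fingerprint> <comment> (<TYPE>)`. The helper below is an added example for this page, not part of the IBM specification or of OpenSSH; it parses that output shape, compares each key against a per-type minimum, and scans a comma-separated Ciphers value. The 1024-bit figure for RSA/DSA is the number the spec gives in AV.2.1.1.7; the elliptic-curve minimums are placeholders to be replaced by the base policy's values, and the fingerprint lines are constructed samples rather than real keys.

```python
import re

# Shape of one `ssh-keygen -l -f <pubkey>` line: "<bits> <fingerprint> <comment> (<TYPE>)".
_KEYGEN_LINE = re.compile(
    r"^\s*(?P<bits>\d+)\s+(?P<fp>\S+)\s+(?P<comment>.*?)\s*\((?P<type>[A-Za-z0-9-]+)\)\s*$"
)

# Assumption: minimum bits per key type. 1024 for RSA/DSA comes from AV.2.1.1.7;
# the ECDSA/ED25519 values are placeholders for the base policy's figures.
MINIMUM_BITS = {"RSA": 1024, "DSA": 1024, "ECDSA": 256, "ED25519": 256}


def parse_keygen_line(line):
    """Return (bits, key_type, fingerprint) from one ssh-keygen -l output line."""
    m = _KEYGEN_LINE.match(line)
    if not m:
        raise ValueError(f"not an ssh-keygen -l line: {line!r}")
    return int(m["bits"]), m["type"].upper(), m["fp"]


def host_key_findings(keygen_output, minimums=MINIMUM_BITS):
    """Flag host keys shorter than the policy minimum for their type (AV.2.1.1.4)."""
    findings = []
    for line in keygen_output.splitlines():
        if not line.strip():
            continue
        bits, ktype, fp = parse_keygen_line(line)
        need = minimums.get(ktype)
        if need is None:
            findings.append(f"{fp}: key type {ktype} has no policy minimum, review manually")
        elif bits < need:
            findings.append(f"{fp}: {ktype} key is {bits} bits, policy minimum is {need}")
    return findings


def cipher_list_findings(cipher_spec):
    """Flag 'none' and single DES in a comma-separated cipher list.

    Covers AV.2.1.1.3 (DES must not be used) and the 'none' rules of
    AV.2.1.1.5/AV.2.1.1.6. 3des-cbc is triple DES, a different algorithm,
    and is left to the bit-length rule of AV.2.1.1.2. OpenSSH allows a
    leading +, - or ^ on the list; it is stripped before comparison.
    """
    findings = []
    for raw in cipher_spec.split(","):
        name = raw.strip().lower().lstrip("+-^")
        if name == "none":
            findings.append("cipher list offers 'none' (no encryption)")
        elif name == "des" or name.startswith("des-"):
            findings.append(f"cipher list offers single DES: {name}")
    return findings


# Constructed sample of ssh-keygen -l output; fingerprints are dummies, not real keys.
SAMPLE_KEYGEN_OUTPUT = """\
1024 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@example (DSA)
2048 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB root@example (RSA)
256 SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC root@example (ED25519)
768 SHA256:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD legacy-host (RSA)
"""

if __name__ == "__main__":
    print(host_key_findings(SAMPLE_KEYGEN_OUTPUT))
    print(cipher_list_findings("aes256-ctr,3des-cbc"))
    print(cipher_list_findings("aes128-cbc,des,none"))
```

In practice the key lines come from running `ssh-keygen -l -f` over each `/etc/ssh/ssh_host_*_key.pub`, and the cipher value from the `Ciphers` line of `sshd -T` output; the spec's protocol-1 row (ServerKeyBits) only applies where protocol 1 is still enabled and is best handled by confirming protocol 1 is off.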

I N AV.2.1.2 Encryption
  System Value/Parameter: File/Database Storage
  Description: No requirements in this category
  Recommended Value: No requirements in this category

B N AV.2.2.1.1 Passphrases
  System Value/Parameter: Private Key Passphrases
  Description: passphrase
  Recommended Value: A passphrase must be assigned to all private keys that are used for user authentication and must not be shared.

B N AV.2.2.1.2 Passphrases
  System Value/Parameter: Private Key Passphrases
  Description: passphrase
  Recommended Value: Passphrases must have a minimum number of 5 words each of minimum length of 4 characters and are exempt from the syntax rule for mix alphabetic and non-alphabetic characters. All other password rules are applicable.

B N AV.2.2.1.3 Passphrases
  System Value/Parameter: Private Key Passphrases - system-to-system authentication
  Description: passphrase
  Recommended Value: A null passphrase may be used as long as the authorized_keys file limits access only from specific hosts by specifying the "from" option with the appropriate value. In order to prevent the keys from being used for interactive user logins, the private key file on the originating hosts must be owned by application and system users/groups, which do not have remote, password-authenticated login capability, and may only be readable and writable by the file owner.

B N AV.2.2.1.4 Passphrases
  System Value/Parameter: Private Key Passphrases - security administrative and system authority
  Description: passphrase
  Recommended Value: Private keys used to gain access to IDs having security administrative or system authority must be accessible only by users that have security administrative or system authority. Any authorized_keys or authorized_keys2 file that grants access to an ID having security administrative or system authority must limit access only from specific hosts by specifying the "from" option with the appropriate value.

I N AV.3.0.0 Process Exceptions
  System Value/Parameter: No requirements in this category
  Description: No requirements in this category
  Recommended Value: No requirements in this category
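Both AV.2.2.1.3 and AV.2.2.1.4 hinge on the same check: every key in an authorized_keys file that grants unattended or privileged access must carry a "from" option naming specific hosts. Reading that by eye is error-prone because the options field is optional, comma-separated, and may contain quoted commas and spaces (for instance inside a command= option). The parser below is an added example for this page, not code from the IBM specification or from OpenSSH; it splits each authorized_keys line into options, key type and comment while honouring double quotes, then reports keys with no "from" restriction. Treating a bare "*" pattern as not naming specific hosts is this example's interpretation of the wording, and the sample file is constructed with placeholder key material.

```python
def _split_first_field(line):
    """Split at the first whitespace outside double quotes: (first_field, remainder)."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].strip()
    return line, ""


def _split_options(options_text):
    """Split a comma-separated options field, keeping commas inside quotes intact."""
    opts, buf, quoted = [], [], False
    for ch in options_text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        opts.append("".join(buf))
    return opts


def _is_key_type(token):
    return token.startswith(("ssh-", "ecdsa-", "sk-"))


def parse_authorized_key(line):
    """Return (options, key_type, comment) for one line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _split_first_field(line)
    if _is_key_type(first):
        options, ktype = [], first
    else:
        options = _split_options(first)
        parts = rest.split(None, 1)
        if len(parts) < 2 or not _is_key_type(parts[0]):
            raise ValueError(f"malformed authorized_keys line: {line[:40]}...")
        ktype, rest = parts
    parts = rest.split(None, 1)  # key blob, then optional comment
    if not parts:
        raise ValueError(f"missing key material: {line[:40]}...")
    comment = parts[1] if len(parts) > 1 else ""
    return options, ktype, comment


def from_restriction(options):
    """Return the value of the from= option (quotes removed), or None if absent."""
    for opt in options:
        if opt.lower().startswith("from="):
            return opt[len("from="):].strip('"')
    return None


def audit_authorized_keys(text):
    """Findings for AV.2.2.1.3 / AV.2.2.1.4: keys lacking a host-specific from= option."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_key(raw)
        if parsed is None:
            continue
        options, ktype, comment = parsed
        hosts = from_restriction(options)
        if hosts is None:
            findings.append(f"line {lineno} ({ktype} {comment}): no from= restriction")
        elif any(p.strip() in ("", "*") for p in hosts.split(",")):
            # Assumption: a bare "*" does not name "specific hosts" as the spec requires.
            findings.append(f"line {lineno} ({ktype} {comment}): from=\"{hosts}\" is not host-specific")
    return findings


# Constructed sample; the key blobs are placeholders, not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys file
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder1 batch@apphost1
from="apphost2.example.com,10.10.5.0/24",no-pty,command="/opt/app/bin/sync --pull" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder2 sync@apphost2
from="*" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder3 anywhere@example
"""

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```

Run it over the authorized_keys (and authorized_keys2, where present) of each ID that has security administrative or system authority, and of every ID that accepts keys with a null passphrase; the remaining half of AV.2.2.1.3, ownership and owner-only mode on the originating private key file, is the same mode-bit check used for OSR files earlier in this section, with the stricter requirement that group and other have no access at all.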

I Y AV.5.0.0 Privileged Authorizations/Userids
  System Value/Parameter: Note
  Description: Description of privileged Ids: The rows in section 5 below describe the list of UserIDs or groups that have Privileged authority.
  Recommended Value: No value to be set

B Y AV.5.0.1 Privileged Authorizations/Userids
  System Value/Parameter: The user ID used for privilege separation (typically called "sshd" on Unix systems)
  Description: None
  Recommended Value: Must not be a member of any group that grants system or security administrative authority, as defined by the applicable OS Technical Specification. May be a member of the "sshd" group, regardless of the associated GID, as this group is not considered to grant system or security administrative authority.

I Y AV.5.0.2 Privileged Authorizations/Userids
  System Value/Parameter: Note
  Description: SSH uses the authentication facilities of the operating system on which it runs
  Recommended Value: No value to be set
