{"description": "Enable SSH login with public keys.\n<br/>\nThe default SSH configuration enables authentication based on public keys. The appropriate\nconfiguration is used if no value is set for <tt>PubkeyAuthentication</tt>.\n<br/>\nTo explicitly enable Public Key Authentication, add or correct the following\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>PubkeyAuthentication yes</pre>", "rationale": "Without the use of multifactor authentication, the ease of access to\nprivileged functions is greatly increased. Multifactor authentication\nrequires using two or more factors to achieve authentication.\nA privileged account is defined as an information system account with\nauthorizations of a privileged user. \nSmart cards or hardware tokens paired with digital certificates are\ncommon examples of multifactor implementations.", "severity": "medium", "references": {"srg": ["SRG-OS-000105-GPOS-00052", "SRG-OS-000106-GPOS-00053", "SRG-OS-000107-GPOS-00054", "SRG-OS-000108-GPOS-00055"], "stigid": ["UBTU-22-612020"], "stigref": ["SV-260575r1044770_rule"]}, "control_references": {"stigid": ["UBTU-22-612020"]}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's <tt>PubkeyAuthentication</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n\n\nIf a line indicating <tt>yes</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "To configure the system add or modify the following line in \"/etc/ssh/sshd_config\".\n\nPubkeyAuthentication yes\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 SSHD must accept public key authentication.", "warnings": [], "conflicts": [], "requires": [], 
"policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 SSHD must accept public key authentication.", "vuldiscussion": "Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication.", "checktext": "Note: If the system administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is Not Applicable.\n\nVerify that Ubuntu 22.04 SSH daemon accepts public key encryption with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*pubkeyauthentication'\n\nPubkeyAuthentication yes\n\nIf \"PubkeyAuthentication\" is set to no, the line is commented out, or the line is missing, this is a finding.", "fixtext": "To configure the system, add or modify the following line in \"/etc/ssh/sshd_config\" or in a file in \"/etc/ssh/sshd_config.d\".\n\nPubkeyAuthentication yes\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable Public Key Authentication", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "PubkeyAuthentication", "value": "yes", "datatype": "string"}, "backends": {}}}