{"description": "To set up the SSH server to use entropy from a high-quality source, edit the <tt>/etc/sysconfig/sshd</tt> file.\nThe <tt>SSH_USE_STRONG_RNG</tt> configuration value determines how many bytes of entropy to use, so\nmake sure that the file contains the line\n<pre>SSH_USE_STRONG_RNG=32</pre>", "rationale": "The SSH implementation in Ubuntu 22.04 uses the OpenSSL library, which doesn't use\nhigh-entropy sources by default. Randomness is needed to generate data-encryption keys, and as\nplaintext padding and initialization vectors in encryption algorithms, and high-quality\nentropy eliminates the possibility that the output of the random number generator used by SSH\nwould be known to potential attackers.", "severity": "low", "references": {"srg": ["SRG-OS-000480-GPOS-00232", "SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd", "ocil": "To determine whether the SSH service is configured to use a strong entropy seed,\nrun <pre>$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd</pre>\nIf a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned,\nthen the option is set correctly.", "oval_external_content": null, "fixtext": "Configure the Ubuntu 22.04 SSH server to use strong entropy.\n\nAdd or modify the following line in the \"/etc/sysconfig/sshd\" file.\n\nSSH_USE_STRONG_RNG=32\n\nThe SSH service must be restarted for changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must ensure the SSH server uses strong entropy.", "warnings": [{"general": "This setting can cause problems on computers without a hardware random number generator, because insufficient entropy causes the connection to be blocked until enough entropy is available."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must ensure the SSH server uses strong entropy.", 
"vuldiscussion": "The SSH implementation in Ubuntu 22.04 uses the OpenSSL library, which doesn't use high-entropy sources by default.\nRandomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors\nin encryption algorithms, and high-quality entropy eliminates the possibility that the output of\nthe random number generator used by SSH would be known to potential attackers.", "checktext": "Verify the SSH server uses strong entropy with the following command:\n\n$ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd\n\nSSH_USE_STRONG_RNG=32\n\nIf the \"SSH_USE_STRONG_RNG\" line does not equal \"32\", is commented out, or is missing, this is a finding.", "fixtext": "Configure the operating system SSH server to use strong entropy.\n\nAdd or modify the following line in the \"/etc/sysconfig/sshd\" file.\n\nSSH_USE_STRONG_RNG=32\n\nThe SSH service must be restarted for changes to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "SSH server uses strong entropy to seed", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml", "template": {"name": "shell_lineinfile", "vars": {"path": "/etc/sysconfig/sshd", "parameter": "SSH_USE_STRONG_RNG", "value": "32", "datatype": "int", "no_quotes": "true"}, "backends": {}}}