{"description": "Only SSH protocol version 2 connections should be\npermitted. The default setting in\n<tt>/etc/ssh/sshd_config</tt> is correct, and can be\nverified by ensuring that the following\nline appears:\n<pre>Protocol 2</pre>", "rationale": "SSH protocol version 1 is an insecure implementation of the SSH protocol and\nhas many well-known vulnerability exploits. Exploits of the SSH daemon could provide\nimmediate root access to the system.", "severity": "high", "references": {"cis-csc": ["1", "12", "15", "16", "5", "8"], "cjis": ["5.5.6"], "cobit5": ["APO13.01", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.1.13", "3.5.4"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.6", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.18.1.4", "A.6.2.1", "A.6.2.2", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1", "CIP-007-3 R7.1"], "nist": ["CM-6(a)", "AC-17(a)", "AC-17(2)", "IA-5(1)(c)", "SC-13", "MA-4(6)"], "nist-csf": ["PR.AC-1", "PR.AC-3", "PR.AC-6", "PR.AC-7", "PR.PT-4"], "srg": ["SRG-OS-000074-GPOS-00042", "SRG-OS-000480-GPOS-00227"], "ism": ["1483"]}, "control_references": {"ism": ["1483"]}, "components": [], "identifiers": {}, "ocil_clause": "it is commented out or is not set correctly to Protocol 2", "ocil": "To check which SSH protocol version is allowed, check version of <tt>openssh-server</tt> with following command:\n\n<pre>$ dpkg -s openssh-server | grep Version</pre>\n\nVersions equal to or higher than 7.4 only allow Protocol 2.\nIf version is lower than 7.4, run the following command to check configuration:\n<pre>$ sudo grep Protocol /etc/ssh/sshd_config</pre>\nIf configured properly, output should be <pre>Protocol 2</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "As of <tt>openssh-server</tt> version <tt>7.4</tt> and above, the only protocol\nsupported is version 2, and line <pre>Protocol 2</pre> in\n<tt>/etc/ssh/sshd_config</tt> is not necessary."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[openssh-server]<7.0", "platforms": ["package[openssh-server]<7.0"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_openssh-server_le_7_0"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Allow Only SSH Protocol 2", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "Protocol", "value": "2", "datatype": "int"}, "backends": {}}}