mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-03-04 17:23:16 +00:00
69 lines
1.6 KiB
YAML
69 lines
1.6 KiB
YAML
id: auth_ssh_password_authentication_disable
|
|
title: "Disable Password Authentication for SSH"
|
|
discussion: |
|
|
If remote login through SSH is enabled, password based authentication _MUST_ be disabled for user login.
|
|
|
|
All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
|
|
|
|
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
|
|
check: |
|
|
/usr/bin/grep -Ec '^(PasswordAuthentication\s+no|ChallengeResponseAuthentication\s+no)' /etc/ssh/sshd_config
|
|
result:
|
|
integer: 2
|
|
fix: |
|
|
[source,bash]
|
|
----
|
|
/usr/bin/sed -i.bak_$(date "+%Y-%m-%d_%H:%M") "s|#PasswordAuthentication yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|" /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
|
|
----
|
|
references:
|
|
cce:
|
|
- CCE-90884-8
|
|
cci:
|
|
- N/A
|
|
800-53r5:
|
|
- IA-2(1)
|
|
- IA-2(2)
|
|
- IA-2(6)
|
|
- IA-2
|
|
- IA-5(2)
|
|
- MA-4
|
|
- IA-2(8)
|
|
800-53r4:
|
|
- IA-2
|
|
- IA-2(1)
|
|
- IA-2(2)
|
|
- IA-2(3)
|
|
- IA-2(4)
|
|
- IA-2(6)
|
|
- IA-2(11)
|
|
- IA-5(2)
|
|
- IA-5(11)
|
|
- MA-4
|
|
srg:
|
|
- N/A
|
|
disa_stig:
|
|
- N/A
|
|
800-171r2:
|
|
- 3.5.1
|
|
- 3.5.2
|
|
- 3.5.3
|
|
- 3.7.5
|
|
cisv8:
|
|
- 6.3
|
|
- 6.4
|
|
- 6.5
|
|
macOS:
|
|
- "12.0"
|
|
tags:
|
|
- 800-53r5_low
|
|
- 800-53r5_moderate
|
|
- 800-53r5_high
|
|
- 800-53r4_low
|
|
- 800-53r4_moderate
|
|
- 800-53r4_high
|
|
- 800-171
|
|
- cnssi-1253
|
|
- cisv8
|
|
mobileconfig: false
|
|
mobileconfig_info:
|