RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-281085 | SRG-OS-000080-GPOS-00048 | RHEL-10-400340 | SV-281085r1195409_rule | 2026-03-11 | 1 |
Description
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
ℹ️ Check
Verify RHEL 10 enforces mode "0600" for SSH private host key files with the following command:
$ sudo stat -c "%a %n" /etc/ssh/*_key
600 /etc/ssh/ssh_host_ecdsa_key
600 /etc/ssh/ssh_host_ed25519_key
600 /etc/ssh/ssh_host_rsa_key
If any private host key file has a mode more permissive than "0600", this is a finding.
✔️ Fix
Configure RHEL 10 to enforce mode "0600" for SSH private host key files with the following command:
$ sudo chmod 0600 /etc/ssh/ssh_host*key
Restart the SSH daemon for the changes to take effect:
$ sudo systemctl restart sshd.service