The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-256390 | SRG-OS-000480-VMM-002000 | ESXI-70-000021 | SV-256390r959010_rule | 2025-02-11 | 1 |
Description
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
ℹ️ Check
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep compression
Expected result:
compression no
If the output does not match the expected result, this is a finding.
✔️ Fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
Compression no