AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-269260	SRG-OS-000480-GPOS-00227	ALMA-09-020370	SV-269260r1050142_rule	2025-02-20	1

Description
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.

ℹ️ Check
Verify the SSH daemon performs compression after a user successfully authenticates with the following command: $ sshd -T \| grep compression Compression no If the "Compression" keyword is set to "yes", this is a finding.

✔️ Fix
Configure the SSH daemon to not allow compression. Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "delayed" or preferably "no": Compression no Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file: $ echo 'Compression no' > /etc/ssh/sshd_config.d/40-compression.conf Restart the SSH daemon for the settings to take effect: $ systemctl restart sshd.service

✔️ Fix

Configure the SSH daemon to not allow compression. Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "delayed" or preferably "no": Compression no Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file: $ echo 'Compression no' > /etc/ssh/sshd_config.d/40-compression.conf Restart the SSH daemon for the settings to take effect: $ systemctl restart sshd.service