The Photon operating system must be configured to protect the Secure Shell ( SSH) private host key from unauthorized access.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-256578	SRG-OS-000480-GPOS-00227	PHTN-30-000109	SV-256578r991589_rule	2024-12-16	1

Description
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

ℹ️ Check
At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key Expected result: /etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root If any key file listed is not owned by root or not group owned by root or does not have permissions of "0600", this is a finding.

ℹ️ Check

At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key Expected result: /etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root If any key file listed is not owned by root or not group owned by root or does not have permissions of "0600", this is a finding.

✔️ Fix
At the command line, run the following commands for each returned file: # chmod 600 <file> # chown root:root <file>