Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-239284 | ESXI-67-000029 | SV-239284r674781_rule | | Medium |
Description |
---|
ESXi hosts come with SSH, which can be enabled to allow remote access without requiring the user to enter a password. To enable password-free access, copy the remote user's public key into the "/etc/ssh/keys-root/authorized_keys" file on the ESXi host. The presence of the remote user's public key in the "authorized_keys" file identifies the user as trusted, meaning the user is granted access to the host without providing a password. If Lockdown Mode is in use and SSH is disabled, logon with authorized keys is subject to the same restrictions as username/password logon. |
STIG | Date |
---|---|
VMware vSphere 6.7 ESXi Security Technical Implementation Guide | 2021-03-17 |
Check Text (C-42517r674779_chk) |
---|
From an SSH session connected to the ESXi host, or from the ESXi shell, run `ls -la /etc/ssh/keys-root/authorized_keys` or `cat /etc/ssh/keys-root/authorized_keys`. If the "authorized_keys" file exists and is not empty, this is a finding. |
Fix Text (F-42476r674780_fix) |
---|
From an SSH session connected to the ESXi host, or from the ESXi shell, zero out or remove the /etc/ssh/keys-root/authorized_keys file: `>/etc/ssh/keys-root/authorized_keys` or `rm /etc/ssh/keys-root/authorized_keys`. |
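The check and fix above, combined into one small audit script. This is an added example, not part of the STIG text and not VMware's tooling: it applies the same pass/finding rule (file exists and is non-empty), takes the path as a parameter so it can be exercised against a scratch file, and, as an assumption of this example rather than a STIG requirement, keeps a timestamped backup of the file before truncating it so the keys that were present can be reviewed later. It uses only POSIX sh features available in the ESXi shell.

```shell
#!/bin/sh
# Added example for ESXI-67-000029 (not part of the STIG or VMware tooling).
# check_authorized_keys PATH
#   returns 0 when compliant (file absent or empty), 1 when it is a finding.
#   PATH defaults to the STIG location when omitted.
check_authorized_keys() {
    f="${1:-/etc/ssh/keys-root/authorized_keys}"
    if [ ! -e "$f" ]; then
        echo "PASS: $f does not exist"
        return 0
    fi
    if [ ! -s "$f" ]; then
        echo "PASS: $f exists but is empty"
        return 0
    fi
    # The STIG rule is "exists and is not empty"; the key count is only
    # reported to help the reviewer, it does not change the verdict.
    n=$(grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$f" || true)
    echo "FINDING: $f is non-empty ($n key line(s))"
    return 1
}

# fix_authorized_keys PATH
#   implements the STIG's "zero out" option (the alternative is rm).
#   The backup copy is this example's addition so the removed keys remain
#   available for incident review; remove that line if it is not wanted.
fix_authorized_keys() {
    f="${1:-/etc/ssh/keys-root/authorized_keys}"
    [ -e "$f" ] || return 0
    cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    : > "$f"
}

# Usage: sh audit_keys.sh check [path]   or   sh audit_keys.sh fix [path]
case "${1:-}" in
    check) check_authorized_keys "${2:-}" ;;
    fix)   fix_authorized_keys   "${2:-}" ;;
esac
```

Run `sh audit_keys.sh check` on the host and use its exit status (1 = finding) when collecting results across many hosts; run `fix` only after the check has confirmed the file is non-empty.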