The SSH daemon must perform strict mode checking of home directory configuration files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269299 | ALMA-09-024770 | SV-269299r1050181_rule | CCI-000366 | medium |
| Description | ||||
| If other users have access to modify user-specific SSH configuration files or read keys, they may be able to log into the system as another user. | ||||
| STIG | Date | |||
| CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 | |||
Details
Check Text (C-269299r1050181_chk)
Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:
$ sshd -T | grep strictmodes
strictmodes yes
If the "StrictModes" keyword is set to "no", or no output is returned, this is a finding.
Fix Text (F-73231r1048274_fix)
To configure the SSH daemon to perform strict mode checking of home directory configuration files, add or modify the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
StrictModes yes
Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:
$ echo "StrictModes yes" > /etc/ssh/sshd_config.d/strictmodes.conf
Restart the SSH daemon for the settings to take effect:
$ systemctl restart sshd.service