The TOSS 5 SSH daemon must perform strict mode checking of home directory configuration files.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282713TOSS-05-000259SV-282713r1201377_ruleCCI-000366medium
Description
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282713r1201377_chk)

Verify the SSH daemon performs strict mode checking of home directory configuration files using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes' StrictModes yes If the "StrictModes" keyword is set to "no", the returned line is commented out, or no output is returned, this is a finding.

Fix Text (F-87179r1201376_fix)

Configure the SSH daemon to perform strict mode checking of home directory configuration files. Add the following line in "/etc/ssh/sshd_config" or uncomment the line and set the value to "yes": StrictModes yes Restart the SSH service for changes to take effect: $ sudo systemctl restart sshd.service