The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258762	ESXI-80-000204	SV-258762r933347_rule	CCI-000366	medium
Description
SSH environment options potentially allow users to bypass access restriction in some configurations. Users must not be able to present environment options to the SSH daemon.
STIG			Date
VMware vSphere 8.0 ESXi Security Technical Implementation Guide			2023-10-11

Related Frameworks

4 paths across 3 frameworks

NIST 800-531 mapping

CM-6

1.00

DISA · V1R1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1712 mappings

3.4.1

1.00

DISA · V1R1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.4.2

1.00

DISA · V1R1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000366

1.00

DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-258762r933347_chk)

From an ESXi shell, run the following command: # esxcli system ssh server config list -k permituserenvironment or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} Example result: permituserenvironment no If "permituserenvironment" is not configured to "no", this is a finding.

Fix Text (F-62411r933346_fix)

From an ESXi shell, run the following command: # esxcli system ssh server config set -k permituserenvironment -v no or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.ssh.server.config.set.CreateArgs() $arguments.keyword = 'permituserenvironment' $arguments.value = 'no' $esxcli.system.ssh.server.config.set.Invoke($arguments)