Do Not Allow SSH Environment Options
Description
Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate
configuration is used if no value is set for PermitUserEnvironment
.
To explicitly disable Environment options, add or correct the following
/etc/ssh/sshd_config
:
Rationale
SSH environment options potentially allow users to bypass
access restriction in some configurations.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/ssh/sshd\_config" ] ; then
LC\_ALL=C sed -i "/^\s\*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd\_config"
else
touch "/etc/ssh/sshd\_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd\_config"
cp "/etc/ssh/sshd\_config" "/etc/ssh/sshd\_config.bak"
# Insert before the line matching the regex '^Match'.
line\_number="$(LC\_ALL=C grep -n "^Match" "/etc/ssh/sshd\_config.bak" | LC\_ALL=C sed 's/:.\*//g')"
if [ -z "$line\_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd\_config"
else
head -n "$(( line\_number - 1 ))" "/etc/ssh/sshd\_config.bak" > "/etc/ssh/sshd\_config"
printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd\_config"
tail -n "+$(( line\_number ))" "/etc/ssh/sshd\_config.bak" >> "/etc/ssh/sshd\_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd\_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Do Not Allow SSH Environment Options
block:
- name: Check for duplicate values
lineinfile:
path: /etc/ssh/sshd\_config
create: false
regexp: (?i)^\s\*PermitUserEnvironment\s+
state: absent
check\_mode: true
changed\_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd\_config
lineinfile:
path: /etc/ssh/sshd\_config
create: false
regexp: (?i)^\s\*PermitUserEnvironment\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd\_config
lineinfile:
path: /etc/ssh/sshd\_config
create: true
regexp: (?i)^\s\*PermitUserEnvironment\s+
line: PermitUserEnvironment no
state: present
insertbefore: ^[#\s]\*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CJIS-5.5.6
- DISA-STIG-UBTU-20-010047
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2.6
- low\_complexity
- low\_disruption
- medium\_severity
- no\_reboot\_needed
- restrict\_strategy
- sshd\_do\_not\_permit\_user\_env