The following sshd_config file, located in the /etc/ssh directory, carries the STIG compliance settings as outlined in NIST SP 800-53 R4.

The only setting that is not configured is ‘PermitRootLogin’. I kept that as ‘yes’ to prevent an accidental lockout if you have not configured additional SSH users on the system. The correct setting should read PermitRootLogin no.

# running from inetd
# Port 2200
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# ######## ADDED FROM ESX 6.0 STIG COMPLIANCE #################
# Before inserting the following lines, make certain the setting is not already defined.
# If the setting is already defined, comment out the original line and replace it
# with the setting outlined here.

# ESXI-06-000010 : V-63189 & V-63501
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

# ESXI-06-000011 : V-63191
Protocol 2

# ESXI-06-000012 : V-63193
IgnoreRhosts yes

# ESXI-06-000013 : V-63195
HostbasedAuthentication no

# ESXI-06-000014 : V-63197 CHANGE TO 'no' AFTER ADDITIONAL LOGINS ARE CREATED TO PREVENT SSH LOCKOUT
PermitRootLogin yes

# ESXI-06-000015 : V-63199
PermitEmptyPasswords no

# ESXI-06-000016 : V-63201
PermitUserEnvironment no

# ESXI-06-000017 : V-63203
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1

# ESXI-06-000018 : V-63205
GSSAPIAuthentication no

# ESXI-06-000019 : V-63207
KerberosAuthentication no

# ESXI-06-000020 : V-63209
StrictModes yes

# ESXI-06-000021 : V-63211
Compression no

# ESXI-06-000022 : V-63213
GatewayPorts no

# ESXI-06-000023 : V-63215
X11Forwarding no

# ESXI-06-000024 : V-63217
AcceptEnv

# ESXI-06-000025 : V-63219
PermitTunnel no

# ESXI-06-000026 : V-63221
ClientAliveCountMax 3

# ESXI-06-000027 : V-63223
# Timeout value of 10 mins. The default value of ClientAliveCountMax is 3.
# Hence, we get a 3 * 200 = 600 seconds timeout if the client has been
# unresponsive.
ClientAliveInterval 200

# ESXI-06-000028 : V-63225
MaxSessions 1
##################################################################

UsePrivilegeSeparation no

SyslogFacility auth

LogLevel info

PrintMotd yes

PrintLastLog no

TCPKeepAlive yes

UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication no

Banner /etc/issue

Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server -f LOCAL5 -l INFO

AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

# sshd(8) will refuse connection attempts with a probability of “rate/100”
# (30%) if there are currently “start” (10) unauthenticated connections. The
# probability increases linearly and all connection attempts are refused if the
# number of unauthenticated connections reaches “full” (100).
MaxStartups 10:30:100
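A practical way to use the listing above is to audit a host's sshd_config against it rather than eyeballing the file. The script below is an added example and is not part of the original post or of any VMware tooling: it carries the directive/value pairs from the listing (with PermitRootLogin set to the STIG value "no", so the post's lock-out-safe "yes" is reported as a finding), looks up the first uncommented occurrence of each directive the way sshd does (first match wins, keyword case-insensitive), and returns the number of findings. It assumes a POSIX sh with grep -E and sed, which the ESXi busybox shell provides, and it checks only the global section; directives inside Match blocks are not parsed. The sample config it writes is constructed for the demo, not copied from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config against the
# ESXi 6.0 STIG directives listed above and report every deviation.
# Assumptions: POSIX sh with grep -E and sed (the ESXi busybox shell qualifies);
# only the global section is checked (Match blocks are not parsed).

# "Directive|expected value", copied from the listing above. PermitRootLogin is
# given its correct STIG value "no", so the lock-out-safe "yes" is reported.
STIG_EXPECTED='Ciphers|aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
Protocol|2
IgnoreRhosts|yes
HostbasedAuthentication|no
PermitRootLogin|no
PermitEmptyPasswords|no
PermitUserEnvironment|no
MACs|hmac-sha2-256,hmac-sha2-512,hmac-sha1
GSSAPIAuthentication|no
KerberosAuthentication|no
StrictModes|yes
Compression|no
GatewayPorts|no
X11Forwarding|no
AcceptEnv|
PermitTunnel|no
ClientAliveCountMax|3
ClientAliveInterval|200
MaxSessions|1'

# effective_value FILE DIRECTIVE
# Prints the value of the first uncommented occurrence of DIRECTIVE (sshd honours
# the first match and treats keywords case-insensitively), or "<unset>" if absent.
effective_value() {
    _line=$(grep -iE "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1)
    if [ -z "$_line" ]; then
        printf '%s\n' '<unset>'
        return 0
    fi
    # Strip the keyword, the separating whitespace or "=", and trailing whitespace.
    printf '%s\n' "$_line" | sed 's/^[[:space:]]*[^[:space:]=]*[[:space:]=]*//; s/[[:space:]]*$//'
}

# audit_sshd_config FILE
# Prints PASS/FAIL per directive; the return code is the number of findings.
audit_sshd_config() {
    _findings=0
    for _spec in $STIG_EXPECTED; do          # specs contain no whitespace
        _dir=${_spec%%|*}
        _want=${_spec#*|}
        _got=$(effective_value "$1" "$_dir")
        if [ "$_got" = "$_want" ]; then
            printf 'PASS %s %s\n' "$_dir" "$_got"
        else
            printf 'FAIL %s: expected "%s", found "%s"\n' "$_dir" "$_want" "$_got"
            _findings=$((_findings + 1))
        fi
    done
    return "$_findings"
}

# write_sample_config FILE
# Writes a constructed sample (not a real host's file) mirroring the listing
# above, including the post's "PermitRootLogin yes" and a commented-out decoy.
write_sample_config() {
    {
        printf '# constructed sample sshd_config for the audit example\n'
        printf '# PermitRootLogin no   <- commented out, must be ignored\n'
        printf '%s\n' "$STIG_EXPECTED" | sed 's/|/ /; s/^PermitRootLogin no$/PermitRootLogin yes/'
    } > "$1"
}

# Stand-alone demo: expect exactly one finding, PermitRootLogin.
_demo=$(mktemp)
write_sample_config "$_demo"
audit_sshd_config "$_demo" || echo "findings: $?"
rm -f "$_demo"
```

On a real host run `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit code is the finding count, which makes the check easy to wire into a cron job or a configuration-management run. Because sshd takes the first occurrence of a keyword, the script deliberately ignores later duplicates; a duplicate with a compliant value further down the file would not actually take effect, and the audit reflects that.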
