CCE-85281-4
Platform: cpe:/o:apple:mac_os_11 | Date: (C)2022-12-28 (M)2023-07-04
If remote login through SSH is enabled, smartcard authentication _MUST_ be enforced for user login.
All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
NOTE: /etc/ssh/sshd_config is automatically reset to its original state following any update or major upgrade to the operating system.
Setting the default value to "no" will break services like SSH if smart card authentication is not set up on the machine.
Fix:
Add the following lines to the /etc/ssh/sshd_config file:
PasswordAuthentication no
ChallengeResponseAuthentication no
And run the following command:
/bin/launchctl kickstart -k system/com.openssh.sshd
Parameter:
[no/yes]
Technical Mechanism:
Add the following lines to the /etc/ssh/sshd_config file:
PasswordAuthentication no
ChallengeResponseAuthentication no
And run the following command:
/bin/launchctl kickstart -k system/com.openssh.sshd
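
An added example, not part of the original record: a POSIX shell check for the two directives above that can be re-run after OS updates, since the NOTE says the file is reset. The function name and sample files are constructed for illustration; it assumes upstream OpenSSH behaviour, where the first value read for a keyword wins and lines following a Match line are conditional.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for this rule.
# sshd uses the FIRST value it reads for a keyword, and every line after a
# "Match" line belongs to that Match block, so appended lines may not take effect.
# Limitation: Include directives are not followed.

audit_sshd_smartcard() {   # $1 = path to an sshd_config; exit status 0 = compliant
    awk '
        function check(k, v, where) {
            if (v != "no") { printf "FAIL %s=%s (%s)\n", k, v, where; bad = 1 }
        }
        BEGIN {
            need["passwordauthentication"] = 1
            need["challengeresponseauthentication"] = 1
        }
        { gsub(/[="]/, " "); k = tolower($1); v = tolower($2) }
        NF == 0 || k ~ /^#/ { next }            # blank lines and comments
        k == "match"        { in_match = 1; next }
        !(k in need)        { next }
        in_match            { check(k, v, "Match block, line " NR); next }
        !(k in global)      { global[k] = v; check(k, v, "global, line " NR) }
        END {
            # Assumption: both keywords default to "yes" in upstream OpenSSH.
            for (k in need) if (!(k in global)) check(k, "yes", "unset, default")
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample files for demonstration.
demo_dir=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    > "$demo_dir/good"
# An earlier "yes" wins over the appended "no".
printf '%s\n' 'passwordauthentication yes' '# comment' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    > "$demo_dir/shadowed"
# Lines appended after a Match line are not global settings.
printf '%s\n' 'Match User admin' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$demo_dir/after_match"

for f in good shadowed after_match; do
    if audit_sshd_smartcard "$demo_dir/$f"; then echo "$f: compliant"
    else echo "$f: NOT compliant"; fi
done
```

On a live host, `sshd -T` prints the effective configuration, including any Include files that this file-level check does not follow.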
| CCSS Severity | CCSS Metrics |
|---|---|
| CCSS Score: 8.1 | Attack Vector: NETWORK |
| Exploit Score: 2.2 | Attack Complexity: HIGH |
| Impact Score: 5.9 | Privileges Required: NONE |
| Severity: HIGH | User Interaction: NONE |
| Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: HIGH |
| | Availability: HIGH |
References:

| Resource Id | Reference |
|---|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:80344 |