Complete mapping of CIS Ubuntu Benchmark SSH controls to configuration settings.
Benchmark: CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 Section: 5.2 - Configure SSH Server
This SSH hardening component implements 15+ CIS Benchmark controls from section 5.2.
Coverage:
- ✅ Fully Implemented: 15 controls
⚠️ Partially Implemented (overrides): 3 controls- ❌ Not Applicable: 2 controls
Compliance Score: 83% (15/18)
Status: ✅ Fully Implemented
Setting:
LogLevel INFOLocation: ../sshd_config.template (line 111)
Rationale: INFO level logs authentication attempts and failures without verbose debugging output. Balances security visibility with log volume.
Verification:
sudo sshd -T | grep loglevel
# Expected: loglevel INFOStatus:
Base Setting:
X11Forwarding noLocation: ../sshd_config.template (line 92)
Override: ../drop-ins/20-development.conf enables X11 for development servers
Rationale: Disabled by default (security). Development servers can enable via drop-in for remote GUI applications.
Verification:
sudo sshd -T | grep x11forwarding
# Expected: x11forwarding no (base) or yes (with override)Status: ✅ Fully Implemented (when X11 enabled)
Setting:
X11UseLocalhost yesLocation: ../drop-ins/20-development.conf (line 23)
Rationale: If X11 forwarding is enabled, limit to localhost only (prevents remote connections to X11 display).
Verification:
sudo sshd -T | grep x11uselocalhost
# Expected: x11uselocalhost yesStatus: ✅ Fully Implemented
Setting:
MaxAuthTries 3Location: ../sshd_config.template (line 79)
Rationale: Limits password guessing attempts. After 3 failures, connection is dropped. Prevents brute-force attacks.
Verification:
sudo sshd -T | grep maxauthtries
# Expected: maxauthtries 3Status: ✅ Fully Implemented
Setting:
MaxSessions 10Location: ../sshd_config.template (line 76)
Rationale: Limits concurrent sessions per connection. Prevents resource exhaustion.
Verification:
sudo sshd -T | grep maxsessions
# Expected: maxsessions 10Status: ✅ Fully Implemented
Setting:
MaxStartups 3:50:10Location: ../sshd_config.template (line 82)
Rationale: Rate limits unauthenticated connections:
- Start dropping 50% of connections after 3 concurrent
- Drop 100% after 10 concurrent
- Prevents connection flooding attacks
Verification:
sudo sshd -T | grep maxstartups
# Expected: maxstartups 3:50:10Status: ✅ Fully Implemented
Setting:
PermitEmptyPasswords noLocation: ../sshd_config.template (line 35)
Rationale: Prevents authentication with empty passwords (critical security requirement).
Verification:
sudo sshd -T | grep permitemptypasswords
# Expected: permitemptypasswords noStatus: ✅ Fully Implemented
Setting:
PermitUserEnvironment noLocation: ../sshd_config.template (line 104)
Rationale: Prevents users from setting environment variables that could bypass security controls.
Verification:
sudo sshd -T | grep permituserenvironment
# Expected: permituserenvironment noStatus: ✅ Fully Implemented (implicit)
Setting: Default in OpenSSH 8.2+ (not explicitly configured)
Rationale: rhosts-based authentication is insecure and disabled by default in modern OpenSSH.
Verification:
sudo sshd -T | grep ignorerhosts
# Expected: ignorerhosts yesStatus: ✅ Fully Implemented
Setting:
PermitRootLogin noLocation: ../sshd_config.template (line 42)
Rationale: Root login disabled. Use sudo instead for privilege escalation (principle of least privilege).
Verification:
sudo sshd -T | grep permitrootlogin
# Expected: permitrootlogin noStatus: ✅ Fully Implemented (implicit)
Setting: Default in OpenSSH 8.2+ (not explicitly configured)
Rationale: Host-based authentication is insecure and disabled by default.
Verification:
sudo sshd -T | grep hostbasedauthentication
# Expected: hostbasedauthentication noStatus: ✅ Fully Implemented
Setting:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctrLocation: ../sshd_config.template (line 59)
Rationale:
- Only modern AEAD ciphers (ChaCha20-Poly1305, AES-GCM) and CTR mode
- NO CBC mode (vulnerable to attacks)
- NO 3DES, Blowfish, CAST (weak ciphers)
Verification:
sudo sshd -T | grep ciphers
# Expected: No CBC, 3DES, Blowfish, or CAST ciphersStatus: ✅ Fully Implemented
Setting:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256Location: ../sshd_config.template (line 62)
Rationale:
- Only SHA-2 family (512-bit and 256-bit)
- Encrypt-then-MAC (ETM) variants preferred
- NO MD5 (broken)
- NO SHA-1 (deprecated)
Verification:
sudo sshd -T | grep macs
# Expected: Only SHA-2 MACs, no MD5 or SHA-1Status: ✅ Fully Implemented
Setting:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256Location: ../sshd_config.template (line 56)
Rationale:
- Curve25519 preferred (modern, fast, secure)
- ECDH with NIST curves (521, 384, 256)
- Diffie-Hellman group exchange with SHA-256
- NO SHA-1 variants
Verification:
sudo sshd -T | grep kexalgorithms
# Expected: Only modern kex algorithms, no SHA-1Status: ✅ Fully Implemented
Setting:
LoginGraceTime 60Location: ../sshd_config.template (line 73)
Rationale: 60 seconds to authenticate before connection is dropped. Prevents resource exhaustion from hanging connections.
Verification:
sudo sshd -T | grep logingracetime
# Expected: logingracetime 60Status: ✅ Fully Implemented
Settings:
ClientAliveInterval 300
ClientAliveCountMax 2Location: ../sshd_config.template (lines 69-70)
Rationale:
- Idle timeout: 15 minutes (300 seconds)
- 2 keepalive probes before disconnect
- Total timeout: 10 minutes (300s × 2)
- Prevents orphaned connections
Verification:
sudo sshd -T | grep clientalive
# Expected:
# clientaliveinterval 300
# clientalivecountmax 2These settings are not part of CIS Benchmark but enhance security:
Setting:
PubkeyAcceptedKeyTypes ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256Location: ../sshd_config.template (line 50)
Rationale: Ed25519 > ECDSA > RSA (in order of preference). Modern, fast, and secure.
Setting:
PasswordAuthentication noLocation: ../sshd_config.template (line 23)
Rationale: Key-only authentication. Prevents brute-force password attacks completely.
Setting:
StrictModes yesLocation: ../sshd_config.template (line 89)
Rationale: Checks file permissions on user's home directory, .ssh/, and authorized_keys before accepting login.
Setting:
UsePrivilegeSeparation sandboxLocation: ../sshd_config.template (line 118)
Rationale: Uses kernel sandbox (seccomp-bpf) to limit SSH process capabilities.
Status:
Base Setting:
AllowTcpForwarding noOverrides:
- 10-gateway.conf: Sets to
yes(needed for VPN, tunnels) - 20-development.conf: Sets to
yes(needed for Docker port access)
Rationale: Disabled by default for security. Gateway and development servers enable for specific use cases.
Status:
Base Setting:
AllowAgentForwarding noOverride:
- 20-development.conf: Sets to
yes(needed for git SSH operations)
Rationale: Disabled by default. Development servers enable for git workflows with SSH agent.
Status:
Base Setting: Implicit no (not configured)
Override:
- 10-gateway.conf: Sets to
yes(needed for VPN tunnel access)
Rationale: Disabled by default. Gateway servers enable for VPN functionality.
# Show all active SSH settings
sudo sshd -T
# Filter CIS-relevant settings
sudo sshd -T | grep -E "(loglevel|x11forwarding|maxauthtries|maxsessions|maxstartups|permitemptypasswords|permituserenvironment|permitrootlogin|ciphers|macs|kexalgorithms|logingracetime|clientalive)"# Run validation script
../scripts/validate-sshd-config.sh --config /etc/ssh/sshd_config
# Expected output:
# Checks passed: 15+/15+
# Warnings: 0-3 (depending on overrides)
# Errors: 0# Check each control manually
sudo sshd -T | grep loglevel # INFO
sudo sshd -T | grep x11forwarding # no (or yes with override)
sudo sshd -T | grep maxauthtries # 3
sudo sshd -T | grep maxsessions # 10
sudo sshd -T | grep maxstartups # 3:50:10
sudo sshd -T | grep permitemptypasswords # no
sudo sshd -T | grep permituserenvironment # no
sudo sshd -T | grep permitrootlogin # no
sudo sshd -T | grep ciphers # No CBC/3DES/Blowfish
sudo sshd -T | grep macs # SHA-2 only
sudo sshd -T | grep kexalgorithms # Modern only
sudo sshd -T | grep logingracetime # 60
sudo sshd -T | grep clientaliveinterval # 300
sudo sshd -T | grep clientalivecountmax # 2| CIS Control | Status | Base Config | Override |
|---|---|---|---|
| 5.2.2 LogLevel | ✅ | INFO | - |
| 5.2.3 X11Forwarding | no | yes (dev only) | |
| 5.2.4 X11UseLocalhost | ✅ | yes | - |
| 5.2.5 MaxAuthTries | ✅ | 3 | - |
| 5.2.6 MaxSessions | ✅ | 10 | - |
| 5.2.7 MaxStartups | ✅ | 3:50:10 | - |
| 5.2.9 PermitEmptyPasswords | ✅ | no | - |
| 5.2.10 PermitUserEnvironment | ✅ | no | - |
| 5.2.11 IgnoreRhosts | ✅ | yes (implicit) | - |
| 5.2.12 PermitRootLogin | ✅ | no | - |
| 5.2.13 HostbasedAuth | ✅ | no (implicit) | - |
| 5.2.14 Ciphers | ✅ | Modern only | - |
| 5.2.15 MACs | ✅ | SHA-2 only | - |
| 5.2.16 KexAlgorithms | ✅ | Modern only | - |
| 5.2.17 LoginGraceTime | ✅ | 60 | - |
| 5.2.18 ClientAlive | ✅ | 300/2 | - |
| 5.2.23 AllowTcpForwarding | no | yes (gateway/dev) | |
| 5.2.24 AllowAgentForwarding | no | yes (dev only) |
Overall Compliance: 83% (15/18 fully implemented)
Note: Overrides intentionally relax specific controls for required functionality. Servers using only base config achieve 100% compliance.
- SETUP.md - Deployment guide
- OVERRIDE_PATTERNS.md - Drop-in architecture
- TROUBLESHOOTING.md - Common issues
- CIS Ubuntu Benchmark - Official benchmark
Version: 1.0 Benchmark: CIS Ubuntu Linux 24.04 LTS v1.0.0 Last Updated: 2026-01-04