DISA STIGS Viewer

AlmaLinux OS 9 must not allow users to override SSH environment variables.

Overview

Finding ID Version Rule ID IA Controls Severity
V-269439 ALMA-09-043030 SV-269439r1050322_rule   Medium
Description
SSH environment options potentially allow users to bypass access restriction in some configurations.
STIG Date
CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide 2025-05-22

Details

Check Text (C-73470r1048693_chk)
Verify the SSH daemon prevents users from overriding SSH environment variables with the following command:

$ sshd -T | grep permituserenvironment

permituserenvironment no

If the "PermitUserEnvironment" keyword is set to "yes", or no output is returned, this is a finding.
Fix Text (F-73371r1048694_fix)
To configure the system to prevent users from overriding SSH environment variables, add or modify the following line in "/etc/ssh/sshd_config":

PermitUserEnvironment no

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

$ echo "PermitUserEnvironment no" > /etc/ssh/sshd_config.d/environment.conf

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service