Help with RHEL STIG V-230230

Hello everyone. I’m currently working on hardening a RHEL 8.10 server that is used to collect syslog messages from our network devices. This device must comply with DISA STIGs. One of the STIGs that I’m having issues with is V-230230. Link to current version of the STIG will be at the bottom.

If I’m understanding the STIG correctly, the SSHD host keys located in /etc/ssh/ need to be passphrase protected. But if I regenerate all of them to require a passphrase, the service is no longer able to use them because they are encrypted. SSH access to the device is required so I can’t break it and leave it. Each administrator has a smartcard and their public key is imported into the server. Based on this, the only private keys that I’m aware of would be the ones for the SSHD service itself.

How would any of you tackle this problem? Thanks for the assistance.

If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.

Almost certainly they are referring to user private keys stored under /home/user/.ssh since that is where, normally, keys are stored to do PKI based auth to another server.

Thanks for the input. Interpreting the STIG that way would make this a lot simpler. I’m curious as to when someone would place their own private key on a server rather than their public key?

I think your interpretation and concerns are correct.

Storing a private key encrypted on a server either requires manual intervention, e.g. at boot time, or the ability to unlock the private key, e.g. using something like a TPM.

I am not aware of the latter being a thing, but curious myself about learning new things.
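Added example (my own code, not from this thread and not a DISA tool): a POSIX shell check that classifies private keys by their file header, so it can flag user keys under home directories that lack a passphrase while leaving sshd's host keys in /etc/ssh alone, since the service must load those unattended. The function names and the scan layout are my assumptions; the key formats it parses are the standard OpenSSH native, legacy PEM and PKCS#8 headers.

```shell
#!/bin/sh
# Classify an SSH private key as passphrase-protected or not, without ssh-keygen.
# Exit status: 0 = encrypted, 1 = no passphrase, 2 = not a recognised private key.
key_is_encrypted() {
  f=$1
  if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
    # Native format: base64 of "openssh-key-v1\0" followed by a length-prefixed
    # cipher name, so the second printable token is the cipher ("none" = unencrypted).
    cipher=$(grep -v -- '^-----' "$f" | base64 -d 2>/dev/null | head -c 64 |
             tr -cs 'a-z0-9@.-' '\n' | sed -n '2p')
    [ -n "$cipher" ] && [ "$cipher" != none ] && return 0
    return 1
  elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
    return 0                                  # PKCS#8, encrypted
  elif grep -Eq 'BEGIN (RSA |DSA |EC )?PRIVATE KEY' "$f"; then
    grep -q 'Proc-Type: 4,ENCRYPTED' "$f" && return 0   # legacy PEM marker
    return 1                                  # legacy PEM or PKCS#8 without passphrase
  fi
  return 2
}

# Walk DIR (e.g. /home) for private keys, print one line per key and return the
# number of keys without a passphrase, so 0 means no finding. Do not point it at
# /etc/ssh: sshd must read its host keys unattended, so those stay unencrypted.
scan_private_keys() {
  findings=0
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    rc=0; key_is_encrypted "$f" || rc=$?
    case $rc in
      0) printf 'OK       %s (passphrase-protected)\n' "$f" ;;
      1) printf 'FINDING  %s (private key without passphrase)\n' "$f"
         findings=$((findings + 1)) ;;
    esac
  done <<EOF
$(find "$1" -type f ! -name '*.pub' 2>/dev/null)
EOF
  return "$findings"                          # the shell caps this at 255
}
```

The same answer can be confirmed for a single key with `ssh-keygen -y -f KEY`, which only prompts for a passphrase when the key has one.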