Red Hat Enterprise Linux 9 • Release: 7 Benchmark Date: 05 Jan 2026

CAT II V-258008 RHEL-09-255160

RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.

Documentable No
Rule ID SV-258008r1045075_rule
CCI References
CCI-000366

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

Check Procedure

Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes'

StrictModes yes

If the "StrictModes" keyword is set to "no", the returned line is commented out, or no output is returned, this is a finding.

Fix Action

Configure the SSH daemon to perform strict mode checking of home directory configuration files.

Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d", or uncomment the line and set the value to "yes":

StrictModes yes

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service
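
With StrictModes enabled, sshd will not use a user's authorized_keys file when that file, the ~/.ssh directory, or the home directory is writable by other users (see sshd(8)). The script below is an added example, not part of the STIG text. It flags the paths in one home directory that would fail that check; the function name strictmodes_audit and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the STIG): report paths that would fail the
# ownership/mode test sshd applies when StrictModes is "yes".
# Each path must be owned by the account (or root) and must not be
# group- or world-writable. Only mode bits are examined, not ACLs.
#
# Usage:  strictmodes_audit HOME_DIR EXPECTED_UID
#   e.g.  strictmodes_audit /home/alice "$(id -u alice)"   # "alice" is a constructed name
# Prints one line per problem; returns 0 if clean, 1 if anything was flagged.
strictmodes_audit() {
    home=$1
    uid=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        # A missing file is not a permission problem; skip it.
        [ -e "$p" ] || continue

        # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
        info=$(ls -ldn -- "$p" | awk '{print $1 " " $3}')
        mode=${info% *}
        owner=${info#* }

        # Character 6 of the mode string is group-write, character 9 is other-write.
        case $mode in
            ?????w*|????????w*)
                echo "WRITABLE $mode $p"
                rc=1
                ;;
        esac

        # The owner must be the account itself or root (uid 0).
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER uid=$owner $p"
            rc=1
        fi
    done
    return $rc
}
```

Run it as root across the accounts that are allowed to log in over SSH; any line it prints is a path another user could modify or that sshd would reject under StrictModes.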