nerdexam
CompTIA

CV0-003 · Question #849

A cloud engineer is troubleshooting RSA key-based authentication from a local computer to a cloud-based server, which is running SSH service on a default port. The following file permissions are set o

The correct answer is C. Fix the permissions with read-only access to the owner of the file. D. Open port 22 access for the computer's public IP address.. SSH RSA key authentication requires the authorized_keys file to have restrictive permissions and TCP port 22 open to the connecting client IP. Both conditions must be satisfied for authentication to succeed.

Security

Question

A cloud engineer is troubleshooting RSA key-based authentication from a local computer to a cloud-based server, which is running SSH service on a default port. The following file permissions are set on the authorized keys file:

Which of the following security practices are the required actions the engineer should take to gain access to the server? (Choose two.)

Options

  • AFix the file permissions with execute permissions to the owner of the file.
  • BOpen port 21 access for the computer's public IP address.
  • CFix the permissions with read-only access to the owner of the file.
  • DOpen port 22 access for the computer's public IP address.
  • EOpen port 21 access for 0.0.0.0/0 CIDR.
  • FOpen port 22 access for 0.0.0.0/0 CIDR.

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    6% (2)
  • C
    81% (26)
  • E
    9% (3)

Why each option

SSH RSA key authentication requires the authorized_keys file to have restrictive permissions and TCP port 22 open to the connecting client IP. Both conditions must be satisfied for authentication to succeed.

AFix the file permissions with execute permissions to the owner of the file.

SSH does not require or use execute permissions on the authorized_keys file; granting execute bits does not resolve key-based authentication failures.

BOpen port 21 access for the computer's public IP address.

Port 21 is the FTP control port, not the SSH port; opening it has no effect on SSH connectivity.

CFix the permissions with read-only access to the owner of the file.Correct

The SSH daemon enforces strict permission checks on the authorized_keys file and will silently reject it if the file is writable by anyone other than the owner. Setting the file to read-only for the owner (mode 400 or 600) satisfies this requirement and allows the daemon to accept the key.

DOpen port 22 access for the computer's public IP address.Correct

SSH listens on TCP port 22 by default, and the cloud security group or firewall must allow inbound port 22 from the engineer's specific public IP address for the connection to reach the server.

EOpen port 21 access for 0.0.0.0/0 CIDR.

Port 21 is used by FTP, not SSH, so opening it to any CIDR range is irrelevant to the SSH authentication problem.

FOpen port 22 access for 0.0.0.0/0 CIDR.

Opening port 22 to 0.0.0.0/0 allows SSH access from any IP in the world, which violates the principle of least privilege; access should be restricted to the engineer's specific public IP.

Concept tested: SSH authorized_keys file permissions and firewall port configuration

Source: https://www.ssh.com/academy/ssh/authorized-keys

Topics

#SSH authentication#RSA keys#file permissions#port access control

Community Discussion

No community discussion yet for this question.

Full CV0-003 Practice