OL 9 must not allow a noncertificate trusted host SSH logon to the system.

STIG ID: OL09-00-002357  |  SRG: SRG-OS-000480-GPOS-00229 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-271719

Vulnerability Discussion

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Check

Verify that OL 9 does not allow a noncertificate trusted host SSH logon to the system with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*hostbasedauthentication'
HostbasedAuthentication no

If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.

Fix

Configure OL 9 to not allow a noncertificate trusted host SSH logon to access the system.

Add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d".

HostbasedAuthentication no

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.