RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts authentication.

STIG ID: RHEL-10-700540  |  SRG: SRG-OS-000445-GPOS-00199 |  Severity: medium (CAT II)  |  CCI: CCI-002696 |  Vulnerability Id: V-281257

Vulnerability Discussion

Configuring the "IgnoreUserKnownHosts" setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

OpenSSH uses the first occurrence of a keyword it sees, and drop-in files are read in lexicographical order at the start of the configuration. Red Hat recommends using drop-in files rather than changing base configuration files.

Check

Verify RHEL 10 SSH daemons do not allow known hosts authentication with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts'
/etc/ssh/sshd_config.d/10-stig.conf:IgnoreUserKnownHosts yes

Verify the runtime setting with the following command:

$ sudo sshd -T | grep -i ignoreuserknownhosts
ignoreuserknownhosts yes

If the "IgnoreUserKnownHosts" keyword is not set to "yes" in a drop-in that lexicographically precedes 50-redhat.conf, or if no output is returned, this is a finding.

Fix

Configure RHEL 10 SSH daemons to not allow known hosts authentication.

In "/etc/ssh/sshd_config.d", create a drop file that will lexicographically precede 50-redhat.conf and add the following line:

IgnoreUserKnownHosts yes

Restart the SSH service with the following command for the changes to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.