RHEL 9 SSH daemon must not allow rhosts authentication.

STIG ID: RHEL-09-255145  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-258005 | 

Vulnerability Discussion

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Check

Verify the SSH daemon does not allow rhosts authentication with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignorerhosts'

IgnoreRhosts yes

If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.

Fix

Configure the SSH daemon to not allow rhosts authentication.

Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":

IgnoreRhosts yes

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.