This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.

STIG ID: RHEL-09-255080  |  SRG: SRG-OS-000480-GPOS-00229 |  Severity: medium (CAT II)  |  CCI: CCI-000366 |  Vulnerability Id: V-257992

Vulnerability Discussion

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Check

Verify the operating system does not allow a noncertificate trusted host SSH logon to the system with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*hostbasedauthentication'

HostbasedAuthentication no

If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.

If the required value is not set, this is a finding.

Fix

To configure RHEL 9 to not allow a noncertificate trusted host SSH logon to the system add or modify the following line in "/etc/ssh/sshd_config".

HostbasedAuthentication no

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.